New Trend in Cloud Account Takeover, Even With MFA

The FBI's IC3 report for 2022 recorded over 300,000 instances of phishing and almost 22,000 instances of business email compromise (compared to only 2,300 reported cases of ransomware). Traditionally, security folks have advocated MFA as an effective control to reduce these risks.

However, threat actors are evolving.

Recent research from Proofpoint reported a significant uptick in cloud account takeovers at major companies. What happened? Did their users have weak passwords? Did these orgs not enable MFA on their accounts?

According to Proofpoint, 35% of these organizations had MFA enabled on the compromised accounts. So, what did the threat actors do?

When you authenticate to a service you get issued a session token/cookie. In short, this allows you to remain authenticated until that token expires or is revoked. This is what these threat actors are after.

In short, they send the traditional phishing email, directing you to their phishing site. That site relays your login to the legitimate service (it sits in the middle as a reverse proxy, which is how the EvilProxy campaign linked below works), where the user authenticates with their MFA code. Once that happens, the session token is returned through the attacker's proxy, which captures it. From there, these threat actors can access the user's cloud accounts for their nefarious deeds, and the MFA prompt never fires again while the token remains valid.
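Because the stolen token is replayed by someone other than the person who completed the MFA login, the most useful signal in the provider's sign-in and activity logs is a session suddenly used from a different source address or client than the one that authenticated. The following is an added example, not code from the post or from Proofpoint's research: it runs over a handful of constructed events (the field names, addresses and event types are assumptions) and flags any use of a session whose IP or user agent differs from those seen at the MFA login within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in and activity events for one tenant. Not real data,
# and not taken from the post or from Proofpoint; field names are assumptions.
EVENTS = [
    {"ts": "2023-08-01T09:00:00", "user": "cfo@example.com", "session": "sess-1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/115",
     "event": "login_mfa_ok"},
    {"ts": "2023-08-01T09:01:30", "user": "cfo@example.com", "session": "sess-1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/115",
     "event": "mailbox_read"},
    # The same session token is used minutes later from another address and
    # a scripted client: the pattern a replayed token produces in the logs.
    {"ts": "2023-08-01T09:03:00", "user": "cfo@example.com", "session": "sess-1",
     "ip": "198.51.100.7", "ua": "python-requests/2.31",
     "event": "inbox_rule_created"},
    {"ts": "2023-08-01T10:00:00", "user": "eng@example.com", "session": "sess-2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/16.5",
     "event": "login_mfa_ok"},
    {"ts": "2023-08-01T10:05:00", "user": "eng@example.com", "session": "sess-2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/16.5",
     "event": "file_download"},
]


def find_session_reuse(events, window=timedelta(hours=1)):
    """Return one alert per event that uses a session from a different IP or
    user agent than the MFA login that created it, within `window` of that login.

    The login event itself records where the session was minted; every later
    event carrying the same session id is compared against that origin.
    """
    alerts = []
    session_origin = {}  # session id -> (login time, ip, user agent)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "login_mfa_ok":
            session_origin[ev["session"]] = (ts, ev["ip"], ev["ua"])
            continue
        if ev["session"] not in session_origin:
            continue  # no login seen for this session in the sample
        login_ts, login_ip, login_ua = session_origin[ev["session"]]
        if ts - login_ts > window:
            continue
        reasons = []
        if ev["ip"] != login_ip:
            reasons.append(f"ip changed {login_ip} -> {ev['ip']}")
        if ev["ua"] != login_ua:
            reasons.append(f"user agent changed to {ev['ua']!r}")
        if reasons:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "event": ev["event"], "ts": ev["ts"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(EVENTS):
        print(f"{alert['ts']} {alert['user']} session={alert['session']} "
              f"{alert['event']}: {'; '.join(alert['reasons'])}")
```

One caveat worth building in for production use: with a reverse proxy in the middle, the provider sees the proxy's address at the MFA login itself, so the login IP is not automatically trustworthy. Comparing against the user's recent history of known devices and locations, and weighting post-login actions such as new inbox rules, catches cases this simple origin comparison would miss.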

Does this mean MFA is useless? Absolutely not. MFA is still critical. But more is necessary.

So, what do we do? In short:

  • Invest in a quality, modern email security platform to reduce the likelihood of a phish being delivered.

  • Invest in cloud security platforms. These can utilize logging capabilities within these services to detect sketchy behavior.

  • Invest in security awareness training. Your people are a critical line of defense. Empower them to spot the sketchy emails.

  • Harden your cloud environments. Shorten your session token lifetime, consider phishing-resistant MFA (FIDO tokens, for instance), and more.
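FIDO tokens resist this proxy trick because of a check the relying party makes before it even looks at the signature: the browser writes the origin the user is actually on into clientDataJSON, the authenticator's signature covers that data, and the server rejects any origin (or rpId hash) that is not its own. The following is an added example of that server-side check, not code from the post or from any FIDO library; the relying-party name, the allowed origin and the constructed assertion data are assumptions.

```python
import base64
import hashlib
import json

# Assumed relying-party configuration for the example (not from the post).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build the clientDataJSON a browser produces for an assertion.

    Constructed for the example. In a real ceremony the browser, not the web
    page, fills in `origin`, which is why a proxy page cannot lie about it.
    """
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP|UV) || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([0x05])
            + (1).to_bytes(4, "big"))


def verify_assertion_context(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str):
    """Origin, challenge and rpIdHash checks a relying party performs before
    verifying the signature over authenticatorData || SHA-256(clientDataJSON).

    Returns (accepted, reason).
    """
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON not parseable"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP_ID"
    return True, "ok"


if __name__ == "__main__":
    challenge = "c1-constructed"
    # Legitimate login straight from the real origin.
    print(verify_assertion_context(
        make_client_data("https://login.example.com", challenge),
        make_authenticator_data(RP_ID), challenge))
    # The same ceremony seen through a look-alike proxy domain (constructed name).
    proxy = "login.example.com.attacker-proxy.test"
    print(verify_assertion_context(
        make_client_data("https://" + proxy, challenge),
        make_authenticator_data(proxy), challenge))
```

The signature verification itself is left out to keep the focus on the binding: because the signature covers the hash of clientDataJSON, the proxy cannot rewrite the origin field to the real one without invalidating it, and a credential registered to the real rpId is never offered by the browser on the proxy's domain in the first place. Codes typed by the user carry no such binding, which is exactly why a relayed OTP still works.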

Proofpoint research: https://www.proofpoint.com/us/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level

IC3 Report: https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

Adam Evans, CISSP

About Adam Evans, CISSP

Adam is a seasoned cybersecurity professional with more than a decade of experience in the MSP industry. He started his career as a helpdesk engineer and worked his way up through various technical roles to specialize in cybersecurity – specifically GRC, security architecture, and defensive operations. 

Adam is passionate about sharing his expertise and insights with the next generation of security professionals. He believes that by working together and sharing knowledge, we can make the world a safer and more secure place for everyone.

Connect with Adam on LinkedIn: https://www.linkedin.com/in/grcadame/
