Instagram Credential Phishing Attacks Bypass Microsoft Email Security

This past November, roughly 22,000 students at national educational institutions were targeted by a credential phishing campaign impersonating Instagram. The emails bypassed Microsoft's native email security controls, which did not recognize them as a threat.

The intention of the attack was to obtain the victims' Instagram credentials and take over their accounts. This article walks through the attack, how it avoided detection, and how to keep your online accounts secure.

Anatomy of the Attack

Researchers found that the attack began with an email carrying the subject line "We Noticed an Unusual Login, [user handle]," a common tactic for instilling urgency so that the recipient reads the message and acts on it. The body impersonated Instagram and appeared to come from the platform's support team; the sender's name, Instagram profile and email address all looked legitimate.

The message alerted the user that an unrecognized device, from a named location and running a named operating system, had logged in to their account, and invited them to click a link at the bottom of the email to "secure" their login details. The link led to a landing page built by the threat actors to harvest whatever credentials were entered into it.

The message the criminals prepared is a textbook case of brand impersonation. With the logo, wording and typeface copied faithfully, neither a human skimming the email nor a filter that keys on crude tells had an obvious reason to flag it.

Bypassing Microsoft Filters

Two-factor authentication (2FA) adds a step, typically a code sent to the user's phone or email, so that a stolen password alone is not enough to log in, and it has blunted most credential phishing. However, researchers have demonstrated an automated phishing attack that bypasses this extra layer by relaying the code in real time, convincing unsuspecting users to hand over their password and one-time code together.

The attack chains two open-source tools, Muraena and NecroBrowser, to automate the whole process. Muraena is a reverse proxy: it sits between the victim and the legitimate website, serving the real login page from a look-alike domain and forwarding everything the victim types, username, password and 2FA code, to the real site. Because the real site authenticates the victim normally, it issues a valid session cookie, which travels back through the proxy and is captured there. Muraena hands that cookie to NecroBrowser, which opens headless browser sessions with it to keep the stolen sessions alive and act inside the accounts, at a scale of tens of thousands of victims.

While attacks against 2FA have been demonstrated before, these tools make them easy for less skilled attackers to execute. 2FA is nonetheless still a best practice, and far better than relying on a username and password alone, however strong the password.

Cyber attacks evolve just as defenses do. Zero-click exploits need no action from the user at all, and the proxy attack above needs only a single click on a link rather than any mistake with the code. Attacks against 2FA are becoming cheaper, more effective and more dangerous. Facial recognition and other biometrics, hardware keys and password-less accounts are being offered in place of code-based 2FA; of these, only the phishing-resistant designs such as FIDO2/WebAuthn security keys and passkeys defeat a relay, because the credential is bound to the site's origin and a proxy on a look-alike domain cannot obtain a signature the real site will accept.
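The proxy flow described above, simulated here as an added example in Python (this is not the Muraena or NecroBrowser code, which the article only describes): a victim logs in through a look-alike origin that relays everything to the real site. With a password plus a TOTP code the relay succeeds and the proxy walks away with a live session cookie; with a WebAuthn-style authenticator the assertion names the origin the browser actually saw, the real site rejects it, and the proxy captures nothing. All origins, usernames and secrets are constructed for the simulation, and an HMAC stands in for the authenticator's ECDSA signature.

```python
"""Simulated adversary-in-the-middle (AitM) phishing proxy run against two second
factors: a TOTP code, which the proxy can relay, and an origin-bound WebAuthn-style
assertion, which it cannot. Everything here is constructed for the simulation."""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://social.example"                  # the impersonated site (assumed)
PHISH_ORIGIN = "https://social-security-check.example"  # the proxy's look-alike (assumed)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code the victim's authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Stand-in for a FIDO2 authenticator. A real one signs with a per-site ECDSA
    key; an HMAC over the same client data is used here to stay dependency-free."""

    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def assert_login(self, origin_seen_by_browser: str, challenge: str) -> dict:
        # The browser, not the user, fills in the origin: a victim on the phishing
        # domain therefore produces client data that names the phishing domain.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin_seen_by_browser}, sort_keys=True)
        digest = hashlib.sha256(client_data.encode()).digest()
        return {"clientData": client_data,
                "signature": hmac.new(self.cred_key, digest, hashlib.sha256).hexdigest()}


class TargetSite:
    """The legitimate service: password plus either TOTP or a WebAuthn-style assertion."""

    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}
        self.totp_secret = secrets.token_bytes(20)  # shared with alice's authenticator app
        self.cred_key = secrets.token_bytes(32)     # alice's registered authenticator key
        self.sessions, self.challenges = set(), set()

    def _new_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_totp(self, user, password, code, now):
        if self.users.get(user) != password or code != totp(self.totp_secret, now):
            return None
        return self._new_session()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_webauthn(self, user, assertion):
        data = json.loads(assertion["clientData"])
        digest = hashlib.sha256(assertion["clientData"].encode()).digest()
        expected = hmac.new(self.cred_key, digest, hashlib.sha256).hexdigest()
        if (user not in self.users
                or data.get("origin") != REAL_ORIGIN            # origin binding
                or data.get("challenge") not in self.challenges  # replay protection
                or not hmac.compare_digest(expected, assertion["signature"])):
            return None
        self.challenges.discard(data["challenge"])
        return self._new_session()

    def is_logged_in(self, cookie) -> bool:
        return cookie in self.sessions


class AitMProxy:
    """Relays every request to the real site and keeps any session cookie it sees."""

    def __init__(self, target: TargetSite):
        self.target, self.captured = target, []

    def _keep(self, cookie):
        if cookie:
            self.captured.append(cookie)
        return cookie

    def relay_totp(self, user, password, code, now):
        return self._keep(self.target.login_totp(user, password, code, now))

    def relay_challenge(self) -> str:
        return self.target.new_challenge()

    def relay_webauthn(self, user, assertion):
        return self._keep(self.target.login_webauthn(user, assertion))


def totp_scenario() -> bool:
    """Victim types password and TOTP into the proxy; True if the attacker ends up with a live session."""
    site = TargetSite()
    proxy = AitMProxy(site)
    now = int(time.time())
    proxy.relay_totp("alice", site.users["alice"], totp(site.totp_secret, now), now)
    return bool(proxy.captured) and site.is_logged_in(proxy.captured[0])


def webauthn_scenario() -> bool:
    """Same victim, same proxy, but an origin-bound assertion; True only if the attacker gets a session."""
    site = TargetSite()
    proxy = AitMProxy(site)
    assertion = Authenticator(site.cred_key).assert_login(PHISH_ORIGIN, proxy.relay_challenge())
    proxy.relay_webauthn("alice", assertion)
    return bool(proxy.captured)


def webauthn_direct_login() -> bool:
    """Control case: the same authenticator used on the real origin logs in fine."""
    site = TargetSite()
    assertion = Authenticator(site.cred_key).assert_login(REAL_ORIGIN, site.new_challenge())
    return site.is_logged_in(site.login_webauthn("alice", assertion))


if __name__ == "__main__":
    print("TOTP relayed, attacker has session:", totp_scenario())
    print("WebAuthn relayed, attacker has session:", webauthn_scenario())
    print("WebAuthn on the real origin works:", webauthn_direct_login())
```

Real browsers go one step further than the server-side check shown here: a credential is scoped to its relying-party ID, so on the look-alike domain the browser would not even offer the authenticator. The origin check inside the signed client data is the second line of defense.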

Methods for Bypassing Security

This past October, a phishing email purporting to come from LinkedIn was discovered targeting users at a travel organization, in an attempt to steal their credentials for the social-media platform, with the subject line "We noticed some unusual activity." The campaign slipped past Google's email security controls: the messages were not stopped by SPF and DMARC authentication checks. That is less surprising than it sounds. SPF and DMARC only verify that a message was sent by a server authorized for the domain in its From header; a look-alike domain that the attacker registers and configures correctly passes both checks while still impersonating the brand.
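As an added example that is not part of the original article, the Python below shows the checks a practitioner would run on a message like the Instagram lure above or this LinkedIn one, and why a message can pass SPF, DKIM and DMARC and still be an impersonation: the authentication verdicts are parsed from the Authentication-Results header, and the message is judged on whether the brand claimed in the display name and the domains of its links agree with the sending domain. The two sample messages, their addresses, domains and links, and the brand allowlist are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described in the article; every address,
# domain and link is hypothetical. The attacker's own domain passes SPF/DKIM/DMARC.
PHISH_EML = """\
From: Instagram Support <security@ig-login-alerts.example>
To: student@university.example
Subject: We Noticed an Unusual Login, @alice_student
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=ig-login-alerts.example; dkim=pass header.d=ig-login-alerts.example; dmarc=pass header.from=ig-login-alerts.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone logged in to your account from a Windows device in Berlin.</p>
<p>If this wasn't you, <a href="https://ig-login-alerts.example/secure/login">secure your login details</a>.</p>
</body></html>
"""

# A constructed benign notification, for contrast.
LEGIT_EML = """\
From: Instagram <no-reply@mail.instagram.com>
To: student@university.example
Subject: Your weekly activity summary
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=mail.instagram.com; dkim=pass header.d=instagram.com; dmarc=pass header.from=instagram.com
Content-Type: text/html; charset="utf-8"

<html><body><p>See what you missed: <a href="https://www.instagram.com/">open Instagram</a>.</p></body></html>
"""

# Domains each brand legitimately sends from and links to (assumed allowlist).
BRAND_DOMAINS = {"instagram": {"instagram.com"}, "linkedin": {"linkedin.com"}}
URGENCY_PATTERNS = [r"unusual (login|activity)", r"verify your account", r"account (will be )?suspended"]


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def domain_matches(host: str, allowed: set) -> bool:
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def analyze(raw: str) -> dict:
    """Score one raw RFC 5322 message for brand impersonation."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    link_hosts = [urlparse(h).hostname or "" for h in re.findall(r'href="([^"]+)"', html, re.I)]
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    # The display name and subject are what the recipient actually reads, so that
    # is where a claimed brand shows up.
    claimed = next((b for b in BRAND_DOMAINS if b in f"{display} {subject}".lower()), None)
    findings = []
    if claimed:
        if not domain_matches(from_domain, BRAND_DOMAINS[claimed]):
            findings.append("sender_domain_not_brand")
        if any(not domain_matches(h, BRAND_DOMAINS[claimed]) for h in link_hosts):
            findings.append("link_domain_not_brand")
    if any(re.search(p, subject, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgency_subject")
    # A DMARC pass here only proves the sender controls the look-alike domain.
    if auth.get("dmarc") == "pass" and "sender_domain_not_brand" in findings:
        findings.append("dmarc_pass_on_impersonating_domain")
    return {"from_domain": from_domain, "claimed_brand": claimed, "auth": auth,
            "link_hosts": link_hosts, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyze(eml))
```

The point of the last finding is the one the article makes: every authentication check reports "pass" on the phishing message, because the attacker set up SPF, DKIM and DMARC for a domain they own. Only the comparison between what the message claims to be and where it actually comes from and links to separates it from the genuine notification.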

Attackers use several methods to bypass two-factor authentication, including:

  • Social Engineering: tricking the victim into revealing information that can be leveraged in an attack, for example by phoning as "support" and asking them to read out the code that has just arrived. This is most often used once the attacker already has the victim's username and password and only the additional factor stands in the way.
  • Consent Phishing: Open Authorization (OAuth) lets an application request limited access to a user's account data. In consent phishing the attacker's own application presents a genuine OAuth consent page and requests whatever permissions it needs. If the user grants them, the attacker holds an access token issued after the user's own MFA-protected login, so MFA is never challenged again and a full account takeover may follow.
  • Brute Force: trying candidate values until one is accepted. Against MFA this only works where the factor is a short, low-entropy code, such as a temporary 4-digit PIN, and the service does not rate-limit or lock out attempts; a 6-digit code with a short validity window and strict attempt limits is a far harder target.
  • Exploiting Generated Tokens: platforms often issue users a list of backup codes so they can recover from losing their second factor. If printed out or saved in an unprotected location, that list can be obtained through physical theft or by exploiting poor data security practices, and each code is a one-time bypass of the second factor.
  • Session Hijacking: also called cookie stealing, occurs when an attacker obtains a user's session cookie, for example through a man-in-the-middle proxy of the kind described above or through malware on the endpoint. The cookie is what lets a user stay logged in without re-authenticating, so whoever holds it holds the session, with MFA already satisfied, until the cookie expires or is revoked.
  • SIM Hacking: occurs when an attacker takes control of a victim's phone number, typically by persuading the carrier to move it to a SIM they control. Common techniques include SIM swapping, SIM cloning and SIM-jacking. Any SMS- or voice-based second factor is then delivered to the attacker.

Protecting Yourself From Attacks

To stay safe from phishing campaigns, analyze a suspicious email carefully before interacting with any link in its body. Look for spelling, grammar and capitalization errors, and use a search engine to check that the sender's address matches the company's official support address. Rather than taking an urgent email at face value, check your recent login activity directly in Instagram or the platform in question, reached by typing its address or opening its app, not by following the link. Enable multi-factor authentication (MFA) on Instagram and your other social media accounts: an attacker then needs both your password and your second factor to log in. Bear in mind that codes sent by SMS or generated by an app can still be relayed by the proxy attack described above, so where a platform offers a security key or passkey, prefer it.

Organizations should also augment built-in email security with layers that take a materially different approach to threat detection. Employees should be trained to recognize the social engineering cues that are becoming more common in phishing campaigns, the urgent security alert above among them, rather than carrying out the requested action straight away.

With proper preparation, you can drastically lower the cost and impact of an attack. Implementing even stronger practices can reduce an organization’s exposure to email threats and minimize potential damage. To achieve this, additional layers of security are necessary. This includes proactive protection accompanied by expert, ongoing system monitoring, maintenance, and support. This protection must be able to anticipate and learn from emerging attacks and offer the real-time cybersecurity business insights required to improve decision-making and policy enforcement. 

Keep Learning

In the modern digital landscape, threats are everywhere, even on social media. Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing, and ransomware.
