Instagram Credential Phishing Attacks Bypass Microsoft Email Security

This past November, a credential phishing campaign impersonating Instagram targeted 22,000 students at national educational institutions. The attack bypassed Microsoft's email security because the native controls Microsoft provides did not recognize it as a potential threat. Its goal was to obtain victims' Instagram credentials and take over their accounts entirely. This article discusses the attack, how it avoided detection, and methods to keep your online accounts secure.

Anatomy of The Attack

Researchers found that the attacks started with an email titled "We Noticed an Unusual Login, [user handle]." This common tactic instills a sense of urgency in the recipient, manipulating them into reading the email and taking action. Instagram was impersonated within the body of the email, which appeared to come from the platform's support team, with the sender's name, Instagram profile, and a plausible-looking email address all seeming legitimate.

The message alerted the user of an unrecognized device from a specific location and a device with a specific operating system that had logged in to their account. The attackers intended for recipients to open a link asking them to "secure" their login details included at the bottom of the email. This led to a fake landing page that the threat actors created to exfiltrate user credentials.

The Instagram message the cybercriminals prepared is a textbook example of email spoofing. Because the logo and text were mimicked in the right font, it was difficult for both humans and machines to recognize this as a phishing attack.

Bypassing Microsoft Filters

Two-factor authentication (2FA) is an added security step that requires people to enter a code sent to their phone or email. It has traditionally worked well to keep usernames and passwords safe from phishing attacks. However, experts have recently demonstrated an automated phishing attack that can bypass this additional layer of security, potentially convincing unsuspecting users to share their private credentials.


The hack employs two tools, Muraena and NecroBrowser, which work together to automate the attacks. Muraena intercepts traffic between the user and the target website, acting as a proxy between the victim and the legitimate site. Once Muraena has the victim on a phony page that looks like the real login page, users are asked to enter their login credentials and 2FA code as usual. Once Muraena has captured the authenticated session cookie, it is passed along to NecroBrowser, which creates browser windows to keep track of the private accounts of tens of thousands of victims.

While attacks against 2FA have been demonstrated in the past, these tools make them easier to execute for less skilled attackers. 2FA, however, is still considered a best security practice and is far better than relying on a username and a strong password alone.

Cyberattacks evolve just as cybersecurity measures advance. For example, newer attacks such as zero-click and man-in-the-middle attacks don't require any action from the user. Recent attacks against 2FA are becoming extremely sophisticated, effective, and dangerous. Facial recognition, biometrics, rotating keys, and password-less accounts are being positioned as replacements for 2FA.

Methods for Bypassing Security

This past October, a phishing email allegedly from LinkedIn was discovered targeting users at a travel organization, attempting to steal their credentials for the social-media platform with the subject line "We noticed some unusual activity." The phishing campaign slipped past Google's email security controls after bypassing email authentication checks via SPF and DMARC.

Hackers use specific methods to bypass two-factor authentication, including:

  • Social Engineering: Social engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This method is most commonly used when the attacker has already compromised a victim's username and password and needs to bypass the additional authentication factor.
  • Consent Phishing: Open Authorization (OAuth) lets an application request limited access to a user's account data. With consent phishing, hackers pose as legitimate OAuth login pages and request whichever level of access they need from the user. If granted these permissions, the hacker can bypass any MFA verification, potentially enabling a complete account takeover.
  • Brute Force: Hackers use brute force attacks by trying different combinations until they get a hit. The success of these attacks in bypassing MFA relies on weak values being used as an authentication factor, such as a temporary 4-digit PIN, which is far easier to guess than a complex alphanumeric combination.
  • Exploiting Generated Tokens: Platforms often provide users with backup authentication codes to avoid account lock-outs. If these are printed out or saved in an unsecured digital location, a cybercriminal can obtain the list through physical theft or by exploiting poor data security practices, and use it to compromise the victim's account.
  • Session Hijacking: Cookie stealing occurs when a cybercriminal compromises a user's login session through a man-in-the-middle attack. Session cookies play an essential role in the user experience of web services, which is why they are such an attractive target.
  • SIM Hacking: SIM hacking occurs when a hacker compromises a victim's phone number by gaining unauthorized control of their SIM card. Standard techniques include SIM swapping, SIM cloning, and SIM jacking.

How Can I Protect Against Instagram Credential Phishing Attacks?

To stay safe from phishing campaigns, you should always carefully analyze a suspicious email before interacting with any links within the body. Look for spelling, grammar, and capitalization errors, and use a search engine to confirm that the sender's email address matches the company's official support address. You can check Instagram and other social media platforms directly to see your recent login activity instead of taking urgent emails in your inbox at face value. Consider enabling multi-factor authentication (MFA) for your Instagram and other social media accounts, as a hacker will then need both your password and your smartphone to log in to your account.

Organizations should also augment built-in email security with layers that take a materially different approach to threat detection. Employees should be trained to identify social engineering cues that are becoming more common in phishing campaigns rather than quickly executing the requested actions in an email.
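As an added illustration (not code from the original article), a small Python triage check that applies the advice above to a message's headers: whether the brand named in the sender's display name or subject matches the sender's actual domain, whether DMARC passed, and whether the subject uses the "unusual login" urgency lure quoted earlier. The brand domain list and the two sample messages are constructed assumptions, not real captures.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the brand's legitimate sending domains, to be filled in from the provider's
# published sender documentation; "instagram.com" is a placeholder, not a claim about
# which domains Instagram actually mails from.
BRAND_DOMAINS = {"instagram": {"instagram.com"}}
# Subject-line lures quoted in the article.
URGENCY_PHRASES = ("unusual login", "unusual activity")

# Constructed sample headers modelled on the campaign described above (not real captures).
SAMPLE_PHISH = """\
From: Instagram Support <support@instagram-security-alerts.example>
Subject: We Noticed an Unusual Login, jdoe
Authentication-Results: mx.university.example; spf=none; dkim=none; dmarc=none

We noticed a login from an unrecognized device.
"""
SAMPLE_LEGIT = """\
From: Instagram <no-reply@instagram.com>
Subject: Your Instagram login code
Authentication-Results: mx.university.example; spf=pass; dkim=pass; dmarc=pass

Use this code to log in.
"""

def triage(raw_message: str) -> list[str]:
    """Return the reasons the message looks like brand impersonation (empty = none fired)."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", "")).lower()
    reasons = []
    # 1. A brand is named in the display name or subject, but the address is not
    #    one of that brand's known domains (or a subdomain of one).
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() or brand in subject:
            if not any(sender_domain == d or sender_domain.endswith("." + d) for d in domains):
                reasons.append(f"{brand} named in headers but sent from '{sender_domain}'")
    # 2. Authentication results: the article notes these lures slipped past SPF and
    #    DMARC checks, so anything other than dmarc=pass is flagged.
    auth = str(msg.get("Authentication-Results", "")).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth))
    if results.get("dmarc") != "pass":
        reasons.append(f"dmarc={results.get('dmarc', 'missing')}")
    # 3. Urgency lure in the subject line.
    if any(p in subject for p in URGENCY_PHRASES):
        reasons.append("urgency phrase in subject")
    return reasons
```

A real deployment would read the Authentication-Results header written by your own trusted gateway only, since an attacker can prepend a forged one.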

With proper preparation, you can drastically lower the cost and impact of an attack. Implementing stronger practices reduces an organization's exposure to email threats and minimizes potential damage. Achieving this requires additional layers of security: proactive protection accompanied by expert, ongoing system monitoring, maintenance, and support. This protection must anticipate and learn from emerging attacks and offer real-time cybersecurity business insights to improve decision-making and policy enforcement.

Keep Learning About Email Threat Protection

In the modern digital landscape, threats are everywhere, even on social media. Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing and ransomware.
