Instagram Credential Phishing Attacks Bypass Microsoft Email Security
- by Justice Levine

This past November, a credential phishing campaign impersonating Instagram targeted 22,000 students at national educational institutions. The attack bypassed Microsoft's email security because the native email security controls that Microsoft provides did not recognize it as a potential threat. Its goal was to obtain the victims' Instagram credentials and take over their accounts entirely. This article discusses the attack, how it managed to avoid detection, and methods to keep your online accounts secure.
Anatomy of The Attack
Researchers found that the attacks started with an email titled "We Noticed an Unusual Login, [user handle]." This common tactic is used to instill a sense of urgency in the recipient, manipulating them into reading the email and taking action. Instagram was impersonated within the body of the email, appearing to come from the platform's support team, with the sender's name, Instagram profile, and email address — the perfectly palatable "
The message alerted the user that an unrecognized device, from a specific location and running a specific operating system, had logged in to their account. The attackers intended for recipients to open a link at the bottom of the email asking them to "secure" their login details. This led to a fake landing page that the threat actors created to exfiltrate user credentials.
The Instagram message the cybercriminals prepared is a perfect example of email spoofing. Because the logo and the text were mimicked in the right font, it was a challenge for both humans and machines to recognize this as a phishing attack.
Bypassing Microsoft Filters
Two-factor authentication is an added security step that requires people to enter a code sent to their phone or email. It has traditionally worked to keep usernames and passwords safe from phishing attacks. However, experts have recently demonstrated an automated phishing attack that can bypass additional layers of security, potentially convincing unsuspecting users to share their private credentials.
The technique employs two tools, Muraena and NecroBrowser, which automate the attack. Muraena acts as a proxy between the victim and the legitimate website, intercepting the traffic that passes between them. Once Muraena has the victim on a phony site that looks like the actual login page, the user is asked to enter their login credentials and 2FA code as usual. Once Muraena has captured the authenticated session cookie, it is passed along to NecroBrowser, which creates browser windows to keep track of the private accounts of tens of thousands of victims.
While attacks against 2FA have been demonstrated in the past, these tools make such attacks easier to execute for less skilled attackers. 2FA, however, is still considered a best security practice and far better than relying on a username and strong password alone.
Cyberattacks evolve just as cybersecurity measures advance. For example, new attacks such as zero-click and man-in-the-middle attacks don't require actions from a user. Recent attacks against 2FA are becoming extremely sophisticated, effective, and dangerous. Facial recognition, biometrics, rotating keys, and password-less accounts are being positioned as replacements for 2FA.
Methods for Bypassing Security
This past October, a phishing email allegedly from LinkedIn was discovered targeting users at a travel organization, attempting to steal their credentials for the social-media platform with the subject line "We noticed some unusual activity." The phishing campaign slipped past Google's email security controls, getting through the SPF and DMARC email authentication checks.
Hackers use specific methods to bypass two-factor authentication, including:
- Social Engineering: Social engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This attack method is most commonly used when the attacker has already compromised a victim’s username and password and needs to bypass additional authentication factors.
- Consent Phishing: Open authorization (OAuth) requests limited access to a user's account data. With consent phishing, hackers can pose as legitimate OAuth login pages and request whichever level of access they need from a user. If granted these permissions, the hacker can bypass any MFA verification, potentially enabling a complete account takeover.
- Brute Force: Hackers use brute force attacks by trying different password combinations until they get a hit. The success of these attacks in bypassing MFA relies on using basic password combinations as an authentication factor, such as a temporary 4-digit PIN, which is easier to crack than a complex alphanumeric combination.
- Exploiting Generated Tokens: Platforms often provide users with manual authentication codes to avoid account lock-outs. If these are printed out or saved in an unsecured digital location, a cybercriminal can obtain the list through physical theft or by exploiting poor data security practices, and use it to compromise the victim's account.
- Session Hijacking: Cookie stealing occurs when a cybercriminal compromises a user's login session through a man-in-the-middle attack. Session cookies play an essential role in UX on web services, which is why they cannot simply be done away with.
- SIM Hacking: SIM hacking occurs when a hacker compromises a victim's phone number by gaining unauthorized access to their SIM card. Standard techniques include SIM swapping, SIM cloning, and SIM jacking.
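The "Brute Force" entry above is easiest to reason about against a concrete verifier. The following is an added example, not code from the original post or from any product it mentions: a minimal RFC 4226/6238 HOTP/TOTP implementation (the authenticator-app variant of the "code sent to your phone" second factor) plus a server-side verifier that compares in constant time, tolerates one step of clock drift, budgets attempts and locks out after repeated failures, and refuses a code that has already been accepted. The key is the RFC test-vector key, and the attempt and lockout values are assumptions chosen for illustration.

```python
"""Rate-limited, replay-resistant TOTP verification (RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import struct

# RFC 4226/6238 test-vector key, used here only so outputs can be checked against the RFC tables.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


class MfaVerifier:
    """Server-side second-factor check.

    Design points motivated by the list above:
      * constant-time comparison, so timing does not leak how many digits matched;
      * a small drift window (one step either side), never an unlimited one;
      * an attempt budget with a lockout, so a 6-digit code cannot be guessed
        exhaustively inside its 30-second validity;
      * a code that has already been accepted is never accepted again (replay).
    The attempt and lockout values are assumptions for illustration.
    """

    def __init__(self, secret, max_attempts=5, lockout_seconds=300, digits=6, step=30):
        self.secret = secret
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.digits = digits
        self.step = step
        self.failures = 0
        self.locked_until = 0
        self.last_used_counter = -1

    def is_locked(self, now):
        return now < self.locked_until

    def verify(self, code, now):
        """Return True only for a fresh, correct code submitted while not locked out."""
        if self.is_locked(now):
            return False                      # no comparison at all while locked
        if len(code) != self.digits or not code.isdigit():
            return self._fail(now)
        counter = now // self.step
        for c in (counter - 1, counter, counter + 1):   # tolerate one step of clock drift
            if c <= self.last_used_counter:
                continue                      # that step's code was already redeemed
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.failures = 0
                self.last_used_counter = c
                return True
        return self._fail(now)

    def _fail(self, now):
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    v = MfaVerifier(DEMO_SECRET)
    print("current code:", totp(DEMO_SECRET, now), "accepted:", v.verify(totp(DEMO_SECRET, now), now))
```

The lockout is keyed per enrolled secret here; a real deployment would also throttle per source address and alert on repeated lockouts, since a burst of wrong codes against one account is exactly the signal the "Brute Force" entry describes.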
How Can I Protect Against Instagram Credential Phishing Attacks?
To stay safe from phishing campaigns, you should always carefully analyze a suspicious email before interacting with any links within the body. Look for spelling, grammar, and capitalization errors, and use a search engine to confirm that the sender's email address matches the company's official support email. Check Instagram and other social media platforms directly to see your recent login activity instead of taking urgent emails in your inbox at face value. Consider enabling multi-factor authentication (MFA) for your Instagram and other social media accounts, as a hacker will then need both your password and your smartphone to log in to your account.
Organizations should also augment built-in email security with layers that take a materially different approach to threat detection. Employees should be trained to identify social engineering cues that are becoming more common in phishing campaigns rather than quickly executing the requested actions in an email.
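The checks in the two paragraphs above (does the sender's address belong to the brand, what did the SPF/DKIM/DMARC authentication results say, where do the links actually lead, and is the subject line an urgency hook) can be turned into a small triage script, which is one form the "additional layer" can take. The following is an added example, not the original post's code nor any vendor's product: the two sample messages, the `.example` domains, the `BRAND_DOMAINS` list and the `registrable()` helper are constructed for illustration, and the helper is a simplification (production code would use the Public Suffix List). It also shows the point the LinkedIn case above makes: SPF and DMARC passing for a look-alike domain the attacker controls tells you nothing about whether that domain is the brand.

```python
"""Triage an email that claims to come from a brand, using the indicators the article lists."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the impersonated brand and its registrable domain.
BRAND_NAME = "instagram"
BRAND_DOMAINS = {"instagram.com"}
URGENCY_PHRASES = ("unusual login", "unusual activity", "secure your account", "verify now")

# Constructed sample modelled on the campaign described above; the .example domains are not real.
PHISHING_SAMPLE = """\
From: Instagram Support <support@instagram-security-team.example>
To: student@university.example
Subject: We Noticed an Unusual Login, student_handle
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=instagram-security-team.example; dkim=pass header.d=instagram-security-team.example; dmarc=pass header.from=instagram-security-team.example
Content-Type: text/html; charset="utf-8"

<html><body><p>A new device just logged in to your account.</p>
<a href="https://instagram-security-team.example/secure/login">Secure your login details</a>
</body></html>
"""

# Constructed benign sample for comparison.
BENIGN_SAMPLE = """\
From: Instagram <no-reply@mail.instagram.com>
To: student@university.example
Subject: Your weekly account summary
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=mail.instagram.com; dkim=pass header.d=instagram.com; dmarc=pass header.from=mail.instagram.com
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.instagram.com/accounts/login_activity/">See your login activity</a></body></html>
"""


def registrable(host):
    """Collapse a hostname to its last two labels. Simplification: real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of the receiving server's Authentication-Results header."""
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def extract_link_hosts(html):
    """Return the distinct hostnames the body's href attributes point to, in order of appearance."""
    hosts = []
    for href in re.findall(r'href=["\']([^"\']+)', html, re.I):
        host = urlparse(href).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(raw_message):
    """Score one RFC 822 message and return the evidence behind the verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results"))
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    subject = msg.get("Subject", "")
    link_hosts = extract_link_hosts(body)
    findings = []

    # 1. The display name or address invokes the brand, but the mail comes from another domain.
    claims_brand = BRAND_NAME in display_name.lower() or BRAND_NAME in sender_domain
    if claims_brand and registrable(sender_domain) not in BRAND_DOMAINS:
        findings.append(f"claims to be {BRAND_NAME} but was sent from {sender_domain}")
        # SPF/DKIM/DMARC only tie the mail to the domain that sent it; a look-alike
        # domain the attacker controls passes all three, so a pass is not a clean bill.
        if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
            findings.append(f"authentication passed for {sender_domain}, which is not the brand's domain")
    # 2. Failed or missing authentication is a signal in its own right.
    for m in ("spf", "dkim", "dmarc"):
        if auth.get(m) != "pass":
            findings.append(f"{m} did not pass ({auth.get(m, 'missing')})")
    # 3. Links that lead somewhere other than the brand.
    off_brand = [h for h in link_hosts if registrable(h) not in BRAND_DOMAINS]
    if off_brand:
        findings.append("links lead outside the brand's domain: " + ", ".join(off_brand))
    # 4. Urgency wording of the kind used in the subject line described above.
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    return {
        "sender_domain": sender_domain,
        "auth": auth,
        "link_hosts": link_hosts,
        "findings": findings,
        "verdict": "suspicious" if findings else "no indicators",
    }


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = triage(sample)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the phishing sample this returns four findings; the benign sample, which names the brand in the display name and passes authentication for a genuine brand subdomain, returns none. The brand-domain mismatch and the off-brand link are the two findings that survive even when every authentication check passes, which is why they belong in a layer separate from the authentication-based filtering.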
With proper preparation, you can drastically lower the cost and impact of an attack. Implementing even stronger practices can reduce an organization’s exposure to email threats and minimize potential damage. To achieve this, additional layers of security are necessary. This includes proactive protection accompanied by expert, ongoing system monitoring, maintenance, and support. This protection must anticipate and learn from emerging attacks and offer real-time cybersecurity business insights to improve decision-making and policy enforcement.
Keep Learning About Email Threat Protection
In the modern digital landscape, threats are everywhere, even on social media. Implementing a comprehensive email security system can help prevent advanced threats, such as targeted spear phishing and ransomware.
- Learn more about effectively protecting your business from ransomware.
- Improve your email security posture to protect against attacks by following best practices.
- Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
- Get the latest updates on how to stay safe online.