Instagram Credential Phishing Attacks Bypass Microsoft Email Security
- by Justice Levine
In November 2022, phishing campaigns impersonating Instagram targeted roughly 22,000 students at national educational institutions. The campaigns bypassed Microsoft's native email security controls, which did not recognize the messages as threats. The goal of this credential phishing attack was to harvest the victims' Instagram credentials in order to take over their accounts. This article describes the attack, how it avoided detection, and the steps you can take to keep your email secure and your accounts from being compromised.
What Is the Anatomy of a Credential Phishing Attack?
Researchers found that these attacks began with spear phishing emails titled "We Noticed an Unusual Login, [user handle]." The subject line creates a sense of urgency that pushes the recipient to open the email and act. The emails impersonated Instagram's support team in the sender's display name, the Instagram profile imagery in the body, and the email address — the perfectly palatable "
The message warned of logins from unrecognized devices, locations, or operating systems and urged recipients to "secure" their account by clicking a link at the bottom. The link led to a fake landing page built by the threat actors to capture the credentials the victim typed in.
This message is a textbook example of brand impersonation. Copying Instagram's logo, wording, and fonts makes the email hard for both filters and people to identify as phishing unless they already know the campaign exists.
Bypassing Email Filters
Two-factor authentication (2FA) adds a second step, typically a code sent to the user's phone or email, so that a stolen password alone is not enough to log in. It does not, however, keep the password or the code from being phished: in 2019, researchers demonstrated an automated adversary-in-the-middle phishing toolkit that captures both and bypasses 2FA entirely.
The demonstration chains two tools to automate the attack: Muraena and NecroBrowser. Muraena is a transparent reverse proxy. The victim's browser talks to the phishing host, which forwards every request to the real site and relays every response back, so the victim sees the genuine login flow and enters both the password and the 2FA code. Because the real site completes the login, it issues a valid session cookie, which passes back through the proxy. Muraena hands that cookie to NecroBrowser, which drives a headless browser session per victim to keep the hijacked sessions alive and usable, at a scale of thousands of compromised accounts.
Attacks against 2FA are not new, but these tools make them straightforward for less skilled criminals to run. 2FA is still one of the easiest and most effective email security improvements over a username and strong password alone; the caveat is that code-based 2FA protects against password reuse and credential stuffing, not against real-time phishing.
Defenses and attacks evolve together. Zero-click exploits require no action from the victim at all, and adversary-in-the-middle phishing needs only the click the victim was going to make anyway; both are sophisticated, effective, and dangerous. As a result, phishing-resistant factors are gradually replacing code-based 2FA: FIDO2/WebAuthn security keys, platform biometrics backed by a hardware-bound key, and passkeys and other password-less logins. These bind the credential to the legitimate site's origin, so a proxy on another domain cannot complete the login even if it relays everything else.
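To make the origin-binding point concrete, here is an added example (not code from the original article or from the Muraena project) that simulates the relying-party side of a WebAuthn assertion. The browser, not the web page, fills in the `origin` field of clientDataJSON, and the authenticator signs the hash of that JSON, so a proxy on a lookalike domain cannot produce an assertion the real site accepts. `RP_ID`, `RP_ORIGIN`, the proxy hostname, and `CREDENTIAL_KEY` are assumptions; HMAC stands in for the authenticator's asymmetric key so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "instagram.com"                   # relying party identifier (assumed)
RP_ORIGIN = "https://www.instagram.com"   # origin the RP expects (assumed)
# Stand-in for the authenticator's private key. Real WebAuthn uses an
# asymmetric key pair and the RP holds only the public key; HMAC is used
# here only so the example runs offline with the standard library.
CREDENTIAL_KEY = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_assert(challenge: bytes, browser_origin: str, rp_id: str = RP_ID):
    """What browser + authenticator produce for navigator.credentials.get().

    The browser, not the page or the server, fills in `origin`; a phishing
    page served from another origin cannot change it.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": browser_origin,
    }).encode()
    # authenticatorData = rpIdHash (32) || flags (1, UP bit set) || counter (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(expected_challenge: bytes, client_data: bytes, auth_data: bytes, signature: bytes):
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not (auth_data[32] & 0x01):
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "signature invalid"
    return True, "ok"


def legitimate_login():
    challenge = os.urandom(32)
    return rp_verify(challenge, *authenticator_assert(challenge, RP_ORIGIN))


def proxied_login(proxy_origin="https://instagram-login-example.com"):
    """Adversary-in-the-middle: the proxy relays the real challenge to the
    victim's browser, but the browser is on the proxy's origin."""
    challenge = os.urandom(32)
    client_data, auth_data, sig = authenticator_assert(challenge, proxy_origin)
    return rp_verify(challenge, client_data, auth_data, sig)


def proxied_login_with_rewrite(proxy_origin="https://instagram-login-example.com"):
    """Same, but the proxy rewrites `origin` in clientDataJSON before
    forwarding. The signature covers the hash of clientDataJSON, so it fails."""
    challenge = os.urandom(32)
    client_data, auth_data, sig = authenticator_assert(challenge, proxy_origin)
    tampered = json.dumps({**json.loads(client_data), "origin": RP_ORIGIN}).encode()
    return rp_verify(challenge, tampered, auth_data, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("proxied:", proxied_login())
    print("proxied + rewrite:", proxied_login_with_rewrite())
```

Contrast this with the Muraena flow above: a password and a TOTP code are just strings, so the proxy can forward them unchanged and the real site cannot tell who typed them. The WebAuthn assertion carries the origin it was made on inside the signed data, which is what turns "relay everything" from a working attack into a failed login.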
Methods for Bypassing Security
In October 2022, a phishing campaign posing as LinkedIn targeted a travel organization with the subject line "We noticed some unusual activity," aiming to steal the staff's social media credentials. The messages passed SPF and DMARC checks and slipped past Google's email security controls. Passing those checks proves only that the message really came from the domain named in its own headers; it says nothing about whether that domain belongs to LinkedIn.
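The Instagram emails described above and this LinkedIn campaign share the same shape: a brand name in the display name and subject, a sending domain that is not the brand's, authentication results that pass for that other domain, and a call-to-action link to yet another host. The following added example (not code from the original article) runs those checks over two constructed messages. The brand-to-domain table, the sample headers, and the domains in the samples are assumptions chosen for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands impersonated in the campaigns discussed and the domains they actually
# use. Constructed for this example; maintain a real list from your own data.
BRAND_DOMAINS = {
    "instagram": {"instagram.com"},
    "linkedin": {"linkedin.com"},
}

URGENCY_PATTERNS = [
    r"unusual (login|activity)",
    r"secure your account",
    r"verify (your|this) (login|account)",
]


def domain_matches(host, domains):
    """True if host is one of `domains` or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_auth_results(header_value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % mech, header_value or "", re.I)
        if m:
            results[mech] = m.group(1).lower()
    return results


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    claim_text = (display_name + " " + subject).lower()
    claimed_brands = [b for b in BRAND_DOMAINS if b in claim_text]

    # Display-name impersonation: the header "says" Instagram but the address
    # is not an Instagram domain.
    for brand in claimed_brands:
        if not domain_matches(from_domain, BRAND_DOMAINS[brand]):
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")

    # SPF/DKIM/DMARC vouch only for the domain that was actually used, so a
    # clean pass on a lookalike domain is not evidence of legitimacy.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if findings and (auth.get("dmarc") == "pass" or auth.get("spf") == "pass"):
        findings.append(f"authentication passed, but only for {from_domain}, not the brand")

    for pat in URGENCY_PATTERNS:
        if re.search(pat, subject, re.I):
            findings.append(f"urgency lure in subject: {subject!r}")
            break

    # Where does the call-to-action actually go?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'https?://[^\s"\'<>]+', text):
        host = urlparse(url).hostname
        for brand in claimed_brands:
            if not domain_matches(host, BRAND_DOMAINS[brand]):
                findings.append(f"link to {host} does not belong to {brand}")
    return findings


# Constructed sample messages (not real captures).
PHISH = """\
From: "Instagram Support" <security@instagram-alerts-example.com>
To: student@university.example
Subject: We Noticed an Unusual Login, student_handle
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=instagram-alerts-example.com; dkim=pass header.d=instagram-alerts-example.com; dmarc=pass header.from=instagram-alerts-example.com
Content-Type: text/html

<p>Someone logged in from a new device.</p>
<a href="https://secure-login-instagram-example.com/verify">Secure your account</a>
"""

LEGIT = """\
From: Instagram <security@mail.instagram.com>
To: student@university.example
Subject: Your monthly summary
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=mail.instagram.com; dkim=pass header.d=instagram.com; dmarc=pass header.from=instagram.com
Content-Type: text/html

<a href="https://www.instagram.com/accounts/login_activity/">Review login activity</a>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, analyze(raw))
```

The authentication check is deliberately written as a second-order signal: it only fires once the display name has already been found to disagree with the sending domain, which is exactly the combination that a filter keyed on SPF/DMARC verdicts alone will wave through.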
Attackers use several methods to bypass two-factor authentication, including:
- Social Engineering: tricking the victim, or a help desk, into revealing or approving the second factor, for example by asking the victim to read back the code "to verify your identity." This is most often used once the attacker already holds the username and password and only needs to get past the additional factor.
- Consent Phishing: OAuth lets a third-party application request delegated, scoped access to a user's account. In consent phishing, the attacker registers a malicious application and lures the user to a genuine consent page that asks for the scopes the attacker wants. The user logs in normally, MFA included, and then grants the permissions; the resulting access token works without any further MFA challenge and can enable a full account takeover.
- Brute Force: trying candidate values until one is accepted. Against MFA this targets short numeric codes such as a 4- or 6-digit one-time PIN, which are feasible to guess if the verifier does not rate-limit or lock the account after a few failures; a long alphanumeric secret is not.
- Exploiting Backup Codes: platforms issue one-time backup codes so users are not locked out if they lose their second factor. If those codes are printed or stored in an unprotected location, an attacker can obtain them through physical theft or poor data loss prevention practices and use them in place of the real second factor.
- Session Hijacking: stealing the session cookie, for example through an adversary-in-the-middle proxy like Muraena, lets the attacker skip authentication altogether, because the cookie is a bearer token issued after MFA already succeeded. Session cookies are essential to the user experience of web services, and hijacking them has proven easier than most victims assume.
- SIM Hacking: taking over the victim's phone number so that SMS or voice codes are delivered to the attacker. Common techniques include SIM swapping (social-engineering the carrier into moving the number to the attacker's SIM), SIM cloning, and SIM jacking.
How Can I Protect Against Instagram Credential Phishing Attacks?
To stay safe from phishing campaigns, analyze a suspicious email carefully before clicking any link in it. Look for spelling, grammar, and capitalization errors, and look up the company's official support address rather than trusting the one in the message. Check your recent login activity directly in Instagram or the other platform instead of taking an urgent email at face value. Enable multi-factor authentication (MFA) on your Instagram and other social media accounts, preferring an authenticator app or a hardware security key over SMS codes: an attacker then needs your password and your device, not just your phone number, and a security key cannot be phished through a proxy at all.
Organizations should augment built-in email security with layers that detect threats in a materially different way, for example by flagging display-name impersonation and lookalike sending domains rather than relying on authentication verdicts alone. Employees should be trained to recognize the social engineering cues that are becoming common in phishing campaigns instead of reflexively executing the action an email requests.
With proper preparation you can drastically lower the cost and impact of a phishing attack. Additional layers of email security, proactive protection, and ongoing monitoring and maintenance that learn from emerging attacks reduce an organization's exposure to email threats, limit the damage when one gets through, and give the real-time insight needed to enforce email security policy.
Keep Learning About Email and Cyber Threat Protection
In the modern digital landscape, threats are everywhere, including on social media. Comprehensive email security software with threat protection can help stop advanced email threats such as targeted spear phishing, malware, and ransomware.
- Learn more about protecting your business from ransomware.
- Improve your company’s best practices for email security to protect against any type of threat or attack.
- Keeping the integrity of your email safe requires securing the cloud with spam filtering and enterprise-grade anti-spam services.
- Get the latest updates on how to stay safe online.