Email Security Intelligence - Instagram Credential Phishing Attacks Bypass Microsoft Email Security

In November 2022, 22,000 students at national educational institutions were targeted by credential phishing campaigns impersonating Instagram. The attacks bypassed Microsoft's native email security controls, which did not recognize the campaigns as potential email threats. The goal of this credential phishing attack is to obtain the victim's Instagram login information and take over the account entirely. This article discusses the attack, how it avoided detection, and methods for keeping your email secure so that it is less likely to become a compromised account.

What Is the Anatomy of A Credential Phishing Attack?

Researchers found that these attacks started with spear phishing emails titled "We Noticed an Unusual Login, [user handle]." The subject line instills a sense of urgency in the recipient, manipulating them into opening the email and taking action. The emails impersonated Instagram by posing as its support team in the sender's display name, the Instagram profile referenced in the body, and the sender's email address, all of which appeared legitimate at a glance.

The message alerted users to a login from an unrecognized device in a specific location or on a specific operating system. The attackers wanted recipients to "secure" their account and login credentials by opening a link at the bottom of the message. This link led to a fake landing page that the threat actors created to harvest and exfiltrate the credentials entered there.

This fake Instagram message is a textbook example of email spoofing. Mimicking the logo and text in the right font makes it all the more challenging for machines and people to recognize this type of phishing attack without prior knowledge of its existence.
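The lure described above (brand name in the display name, an urgent subject, a link to a look-alike domain) can be checked mechanically, which is also the advice given later in this article about verifying the sender address and links. The following Python is an added example, not code from the article or from any vendor; the brand domain list and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains Instagram legitimately sends from and links to (assumed list for this example).
BRAND_DOMAINS = {"instagram.com", "mail.instagram.com"}
URGENCY = re.compile(r"unusual (login|activity)|secure your account|suspend", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")

def in_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def body_text(msg):
    # Concatenate every text part so links in multipart messages are seen too.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode(errors="replace")
                     for p in parts if p.get_content_maintype() == "text")

def analyze(raw):
    """Return a list of findings; an empty list means no lure indicators were found."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # Display name claims the brand but the address does not belong to it.
    if "instagram" in display.lower() and not in_brand(sender_host):
        findings.append(f"brand name in display name but sender domain is {sender_host}")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency lure in subject")
    for url in LINK_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if not in_brand(host):
            findings.append(f"link points off-brand to {host}")
    return findings

# Constructed sample modelled on the lure described above; domains are placeholders.
LURE = """From: Instagram Support <support@instagram-support.example>
To: student@university.example
Subject: We Noticed an Unusual Login, @student_handle

Someone logged in from a new Windows device. If this wasn't you,
secure your account now: https://instagram-support.example/secure/login
"""

# Constructed benign message for contrast.
BENIGN = """From: Instagram <no-reply@mail.instagram.com>
To: student@university.example
Subject: Your weekly summary

See what you missed: https://www.instagram.com/explore/
"""
```

A legitimate security notice will also trip the urgency check, so treat the findings as a score to review rather than a verdict on their own.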

Bypassing Email Filters

Two-factor authentication (2FA) adds a security step that requires people to enter a code sent to their phone or email before the login completes, so that a phished username and password alone are not enough to get in. However, experts recently demonstrated an automated phishing attack that bypasses this additional layer, potentially convincing unsuspecting users to hand over both their credentials and the code.

The attack employs two tools to automate it: Muraena and NecroBrowser. Muraena sits between the victim and the target website, intercepting traffic and relaying it so that the victim sees what looks like the genuine login flow on a phony site, where they are asked to enter their login credentials and 2FA code. Once Muraena has captured the authenticated session cookie, it is passed along to NecroBrowser, which opens browser windows to keep track of the compromised accounts of tens of thousands of victims.

While attacks against 2FA have taken place in past years, these tools make such phishing attacks more straightforward to execute for less skilled cybercriminals. 2FA, however, is still considered one of the best practices for email security: it is easy to implement and far better than relying on a username and strong password alone.

Cyberattacks evolve just as cybersecurity measures advance. New phishing attacks such as zero-click and man-in-the-middle attacks require little or nothing from victims to instigate an email security breach, and they are highly sophisticated, effective, and dangerous. As a result, more secure forms of authentication are slowly being adopted in place of 2FA, including facial recognition, biometrics, rotating keys, and password-less accounts.
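The following Python model, added here as an illustration and not code from the article or from either tool named above, shows why a password-less, origin-bound credential resists the relay that Muraena performs against one-time codes: the genuine site verifies a fresh challenge and the origin the browser signed, so an assertion made while the victim is on a look-alike domain is rejected. The origins are assumed for the example, and an HMAC with a per-credential secret stands in for the public-key signature a real authenticator would produce.

```python
import hashlib, hmac, json, secrets

# Simplified model of an origin-bound login assertion (the WebAuthn/FIDO2 idea).
# Real authenticators use public-key signatures; an HMAC with a per-credential
# secret stands in for that here so the example runs stand-alone.

class Authenticator:
    """The user's device: it signs whatever origin the browser reports."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, browser_origin):
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}

class RelyingParty:
    """The genuine site: accepts an assertion only for a fresh challenge and its own origin."""
    def __init__(self, origin, credential_secret):
        self.origin = origin
        self.secret = credential_secret
        self.pending = set()

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        expected = hmac.new(self.secret, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        data = json.loads(assertion["client_data"])
        if data["challenge"] not in self.pending:
            return False, "unknown or replayed challenge"
        self.pending.discard(data["challenge"])  # single use: a captured assertion cannot be replayed
        if data["origin"] != self.origin:
            return False, f"origin mismatch: {data['origin']}"
        return True, "ok"

def direct_login(rp, auth):
    """User is on the real site, so the browser reports the real origin."""
    return rp.verify(auth.sign(rp.new_challenge(), rp.origin))

def relayed_login(rp, auth, proxy_origin):
    """Relay scenario: the challenge is genuine, but the victim's browser is on the
    proxy's origin, that origin is what gets signed, and the real site rejects it."""
    return rp.verify(auth.sign(rp.new_challenge(), proxy_origin))
```

A one-time code has no origin or challenge bound into it, which is exactly why forwarding it through a relay works while forwarding this assertion does not.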

Methods for Bypassing Security

In October 2022, a phishing email attack purporting to come from LinkedIn targeted a travel organization, attempting to steal its credentials for social media platforms with the subject line "We noticed some unusual activity." These phishing campaigns slipped past Google's email security controls after passing SPF and DMARC email authentication checks. Passing those checks only shows that the message was sent from infrastructure authorized for the sending domain; it says nothing about the content of the message or where its links lead.

Hackers use specific methods to bypass two-factor authentication, including:

  • Social Engineering: Social engineering involves tricking a victim into revealing privileged information that can be leveraged in a cyber attack. This attack method is most commonly used when the attacker has already compromised a victim’s username and password and needs to bypass additional authentication factors.
  • Consent Phishing: Open Authorization (OAuth) lets an application request limited access to a user's account data. With consent phishing, hackers pose as legitimate OAuth login pages and request whichever level of access they need from the user. If the user grants these permissions, the hacker bypasses MFA verification entirely, potentially enabling a complete account takeover.
  • Brute Force: Hackers use brute force attacks by trying different password combinations until they get a hit. This bypasses MFA implementations that rely on a weak second factor, such as a temporary 4-digit PIN, which is far easier to guess than a complex alphanumeric secret.
  • Exploiting Generated Tokens: Platforms often provide users with manual authentication codes to avoid account lock-outs. If printed out or saved in an unsecured digital location, the cybercriminal could obtain this list through physical theft or exploiting poor data loss prevention email security practices to access it, leaving the victim’s email address compromised.
  • Session Hijacking: A cybercriminal can steal cookies by compromising a user’s login session through a Man-in-the-Middle attack. Session cookies play an essential role in UX on web services, and hijacking them has proven to be less complicated than victims think.
  • SIM Hacking: SIM hacking occurs when a hacker compromises a victim's phone number by gaining unauthorized access to their SIM card. Standard techniques include SIM swapping, SIM cloning, and SIM jacking.

How Can I Protect Against Instagram Credential Phishing Attacks?

To stay safe from phishing campaigns, always analyze a suspicious email carefully before interacting with any links in the body. Look for spelling, grammar, and capitalization errors, and look up the company's official support email address to compare it with the sender's. Check your recent login activity on Instagram and other social media platforms directly instead of taking urgent emails in your inbox at face value. Consider enabling Multi-Factor Authentication (MFA) for your Instagram and other social media accounts, as a hacker will then need both your password and your smartphone to log in to your account.

Organizations should also augment built-in email security with layers that take a materially different approach to email security threats and detection. Employees should be trained to identify social engineering cues that are becoming more common in phishing campaigns rather than quickly executing the requested actions in an email.

With proper preparation, you can drastically lower the cost and impact of any phishing attack. Stronger practices reduce an organization's exposure to email threats and minimize potential damage, and achieving this requires additional layers of email security. Proactive email protection accompanied by expert, ongoing system monitoring, maintenance, and support should anticipate and learn from emerging attacks while offering real-time cyber security insights that improve decision-making and email security policy enforcement.

Keep Learning About Email and Cyber Threat Protection

In the modern digital landscape, threats are everywhere, even on social media. Implementing comprehensive email security software with threat protection systems can help prevent advanced email threats, such as targeted spear phishing emails, malware, and ransomware.
