Microsoft's security team has just identified a large-scale phishing campaign that is only successful against businesses that lack MFA authentication.
This multi-stage operation was first observed by Microsoft in Asian-Pacific (APAC) countries. They discovered individuals in Indonesia, Singapore, Thailand and Australia who had their credentials stolen by DocuSign scams that utilised a fake Office 365 login.
After these credentials were stolen, the campaign used them to register their own devices on the target network, taking advantage of the growing popularity of using personal devices for work. Once they did this, the scammers then grew their presence on the network and spread the attack further.
Multi-Factor Authentication, Microsoft has stressed, is the key to stopping scams of this type. This means a lot coming from the company, considering that since 2020 they have been one of the most impersonated companies in phishing scams. MFA prevents attackers from simply accessing devices and networks through stolen credentials alone.
Attacks like this prove that having multiple levels of security is essential. Having a password as the only protection your account has against hackers simply isn't enough.
This is especially true when we consider that password hygiene amongst the public is by and large abysmal. Behaviours that make a user vulnerable to attackers, like using easy-to-guess passwords for many accounts, are widespread.
You may suffer from these behaviours yourself, which is why we recommend you take our quick five-minute quiz to hear the truth about your habits.
While this isn't to say we should abandon passwords completely, we shouldn't be relying entirely on them for our security, meaning other forms of authentication are critical.
The Microsoft 365 Defender Threat Intelligence Team agree. They have publicly stressed that:
"Attackers use a variety of strategies to target organisational difficulties such as hybrid work, human error, and shadow IT, or unmanaged apps, services, devices, and other infrastructure that operates outside of regular policies."
For this reason, organisations should ensure they are using a multitude of security approaches to keep their devices secure. Especially as the potential attack surface of businesses grow with more and more people working from home, on their own devices and their networks.
In addition to this, phishing attacks are growing more innovative and sophisticated. Gone are the days when all you needed to look out for was a few crudely worded emails in your inbox.
You need to be conscious, especially if money or private data is involved in an email discussion, of the content, context and sender of a message. Sometimes all it takes is for you to click on one link or open one attachment, to have malware infiltrate your system.
Scams like this highlight the extent to which all organisations need to have MFA as a matter of policy.
It should be a technical requirement for new users creating an account to have MFA installed. Properly implemented it can also make revoking access when people leave much easier to manage.
MFA is not an added security bonus that garnishes your policies on passwords, logins and accounts. It is absolutely essential for any organisation that wants to keep its data safe when doing business.