Session Hijacking MS 365 account on Mac via only malicious website?

I'm pulling my hair out trying to figure out how this happened....

TLDR: The question that I have is: Is there something out there able to hijack a browser session by just visiting a malicious website? (Without installing any software or browser extensions)

Here's what's prompting this question:

The Situation

End User is using macOS 13.4.1 and checks mail on his iPhone.

End user uses Mac Mail to access email.

Their MS 365 tenant has Security Defaults enabled and the user has MFA Enforced with Text Message method.

Today, a phishing message left the tenant as the end user. It's an accurately branded Adobe Document Cloud link, with a link to a PDF hosted on Adobe Cloud. The Adobe Cloud is hosting a PDF with an image of the email, which links to a newly minted phishing page hosted on AWS (with the end user's company name as the subfolder and .html file name). It looks like a pretty convincing phishing page too.

I double check MFA is enabled: It is

According to End User:

  • Nothing strange has happened in the last few days, except accidentally clicking on a link on Facebook that brought them to a male enhancement site. (I confirmed in the browser history, it looked like just a typical scam PE miracle pill site, linked straight from Facebook)
  • Didn't receive any MFA requests
  • Didn't get any prompts to type in Mac user password
  • Didn't get any prompts to enter email password recently
  • The email password is hard to guess, and not reused. I confirmed, it would be a hard-to-guess password and they insisted they don't re-use.

I ran a virus scan (Trend Micro WFBS Services Agent) - Nothing of note. (This software wasn't running on the system, it is now)

Checked AzureAD Sign-in logs:

The 1st suspicious sign-in is from across the country 2 days ago. The first sign-in shows "MFA requirement satisfied by claim in the token"

I tried searching for the associated Unique token identifier, but that was the only entry with that ID within a 7-day period. (I'm not sure if this means anything, I don't know if those are generated with each token auth)

It looks like the attacker then set up their own MFA method of TOTP, so they could handle their own login attempts.

Then the attacker did the typical "set up a mail rule and send out a phishing message" routine.

The Questions

  • Is there a possibility of a website that can session hijack without infecting a system?
  • If not, is there anything else I might be missing as the attack vector?

A Shot-In-The-Dark

Something else rattling around in my mind is that their Apple account could be compromised.

Perhaps having Safari sync between devices might carry the active MS session token with it. I'm just guessing, I haven't tested.

TIA for any help / suggestions.

submitted by /u/iamith
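
Added example, not part of the original post: a small detection sketch for the sequence described above (a sign-in whose MFA was "satisfied by claim in the token" from a region the user has never used, followed by a new MFA method and a new inbox rule). The event records, dates and field names (`region`, `mfa_detail`, `type`) are constructed, simplified assumptions, not the real sign-in or audit log schema.

```python
from datetime import datetime, timedelta

CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed sample events; field names are simplified assumptions,
# not the real sign-in / audit log schema.
EVENTS = [
    {"time": "2023-07-01T09:00:00", "user": "user@example.com", "type": "signin",
     "region": "WA", "mfa_detail": "MFA completed by text message"},
    {"time": "2023-07-03T09:05:00", "user": "user@example.com", "type": "signin",
     "region": "WA", "mfa_detail": CLAIM},
    {"time": "2023-07-10T14:00:00", "user": "user@example.com", "type": "signin",
     "region": "FL", "mfa_detail": CLAIM},
    {"time": "2023-07-10T14:20:00", "user": "user@example.com",
     "type": "mfa_method_added", "method": "TOTP"},
    {"time": "2023-07-12T08:30:00", "user": "user@example.com",
     "type": "inbox_rule_created"},
]

def find_token_replay_chains(events, window=timedelta(hours=72)):
    """Flag sign-ins where MFA was satisfied by a token claim from a region the
    user has no history in, and list account changes that follow within window."""
    findings, seen_regions = [], {}
    ordered = sorted(events, key=lambda e: e["time"])  # ISO strings sort by time
    for i, ev in enumerate(ordered):
        if ev["type"] != "signin":
            continue
        known = seen_regions.setdefault(ev["user"], set())
        # No baseline yet means we cannot call the region "new".
        if not (ev["mfa_detail"] == CLAIM and known and ev["region"] not in known):
            known.add(ev["region"])
            continue
        start = datetime.fromisoformat(ev["time"])
        follow_ups = [
            later["type"] for later in ordered[i + 1:]
            if later["user"] == ev["user"] and later["type"] != "signin"
            and datetime.fromisoformat(later["time"]) - start <= window
        ]
        findings.append({"user": ev["user"], "time": ev["time"],
                         "region": ev["region"], "follow_ups": follow_ups})
    return findings

if __name__ == "__main__":
    for finding in find_token_replay_chains(EVENTS):
        print(finding)
```

A flagged region is deliberately not added to the user's baseline, so repeat sign-ins from the same unfamiliar location keep being reported.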