This client story is a little different from our usual ones, because in this one we do not name our client at all. Why?

Well, we’re going to share the story of a recent breach we handled in which the attacker got past multi-factor authentication (MFA). We want you to learn how to protect yourself and your business from a similar attack, whilst we maintain the privacy of our client.

Read about the breach, our solution to it, and how you can protect yourself below:

I would like to express both the firm’s and my thanks and admiration for your handling of the events that unfolded today. You assisted in rectifying what was approaching a business-critical situation with professionalism and patience. Today’s events reinforced the firm’s decision to use Breakwater as our IT supplier. A credit to you all.
Company B

Challenge

A hacker impersonating Company A emailed Company B an ‘information pack’. A user at Company B clicked the link to download it.

The download page asked the user to enter their email account password. They did so.

Instead of delivering an information pack, the page captured the user’s browser session cookies.🍪 These included the ‘this browser is safe’ cookie, the token the sign-in service checks to decide that MFA has already been satisfied on this device and need not be asked for again. Whoever presents that cookie is treated as having already passed MFA.

With the password and that cookie, the hackers signed in to the user’s account without ever being challenged for a second factor, and then caused further disruption by sending impersonation emails internally.

An internal payment request was sent from the user’s mailbox, along with a fake invoice for £21,000 for a ‘retainer’. The recipient went to make the payment, but stopped when they realised the bank details did not match what they expected.

The recipient replied to the user to query it, but the hacker, still in control of the mailbox, wrote back and continued to impersonate the user at Company B.

At this point the recipient was concerned and escalated the request higher up in the company, who then raised a ticket with our engineers here at Breakwater to investigate.

Solution

Once the ticket was received, our team got straight to work on remediating the compromised account and resetting all employee passwords. With a stolen-cookie compromise it is important to revoke the account’s active sessions as well as change the password, because a password reset on its own does not invalidate a session cookie the attacker already holds.

We then reviewed all the logs for suspicious activity to make sure no other accounts had been compromised.🔍
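As an added illustration of the kind of check that log review involves, here is example code written for this article (not Breakwater’s tooling). The log format, field names, users and entries are all constructed; it assumes the sign-in log records the session identifier behind the browser cookie, the source IP and country, and whether MFA was satisfied by a fresh prompt or by a remembered-browser cookie.

```python
"""Spot a replayed session cookie in sign-in logs.

Two signals that a browser cookie has been lifted out of the victim's
browser and replayed from the attacker's machine:
  1. the same session id appears from two countries within a short window;
  2. MFA is marked as satisfied by a remembered-browser cookie from an IP
     where that user never actually completed an MFA prompt.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    session_id: str   # identifier bound to the browser session cookie
    ip: str
    country: str
    mfa: str          # "prompt": user completed MFA; "remembered": satisfied by a stored browser cookie


# Constructed sample log in a made-up pipe-delimited format; not data from the
# incident described on the page. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
# timestamp|user|session_id|ip|country|mfa
2024-05-14T09:02:11Z|alice@companyb.example|sess-7f3a|203.0.113.10|GB|prompt
2024-05-14T09:20:45Z|alice@companyb.example|sess-7f3a|203.0.113.10|GB|remembered
2024-05-14T10:05:30Z|alice@companyb.example|sess-7f3a|198.51.100.77|US|remembered
2024-05-14T10:07:02Z|bob@companyb.example|sess-c1d9|203.0.113.11|GB|prompt
2024-05-14T16:45:00Z|bob@companyb.example|sess-c1d9|203.0.113.11|GB|remembered
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse the pipe-delimited log into SignIn events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, sid, ip, country, mfa = line.split("|")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(when, user, sid, ip, country, mfa))
    return sorted(events, key=lambda e: e.when)


def find_session_replay(events, window=timedelta(hours=6)):
    """Same session cookie presented from two countries inside `window`.

    A legitimate user cannot carry one browser session between countries
    in under a few hours; a copied cookie can. Returns
    (user, session_id, country_before, country_after) tuples.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)
    alerts = []
    for sid, uses in by_session.items():
        for prev, cur in zip(uses, uses[1:]):
            if prev.country != cur.country and cur.when - prev.when <= window:
                alerts.append((cur.user, sid, prev.country, cur.country))
    return alerts


def find_unprompted_mfa(events):
    """'remembered' MFA from an IP where the user never completed a fresh prompt.

    The 'don't ask again on this browser' cookie should only ever be
    presented from the machine that earned it. Returns
    (user, session_id, ip) tuples.
    """
    prompted_from = defaultdict(set)
    alerts = []
    for e in events:
        if e.mfa == "prompt":
            prompted_from[e.user].add(e.ip)
        elif e.mfa == "remembered" and e.ip not in prompted_from[e.user]:
            alerts.append((e.user, e.session_id, e.ip))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in find_session_replay(evts):
        print("session replayed across countries:", a)
    for a in find_unprompted_mfa(evts):
        print("remembered-MFA cookie used from unprompted IP:", a)
```

Run against the constructed log, both checks flag only alice’s third sign-in: her session cookie turns up in a second country 45 minutes after it was last used at the office, and MFA is recorded as satisfied by the remembered-browser cookie from an IP where she never completed a prompt. Bob’s remembered-browser sign-in from the same IP as his original prompt is left alone, which is the behaviour you want from a check like this.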

During that review, further phishing attempts were found, including additional emails from hackers impersonating Company A.

To cut these off, we implemented conditional access policies, so that users can only sign in to company data from approved locations or from known, managed devices.

Result

Enabling conditional access policies means that the client’s data can only be accessed from approved locations and known devices, blocking anyone who tries from further afield or from an unknown device, even if they hold a valid password and a stolen session cookie.

Attacks that steal browser cookies to bypass MFA are increasing rapidly. So how can you avoid them?

  • Keep using MFA, but switch to number matching, so a prompt cannot be approved blindly.
  • Stop ticking ‘don’t ask again’ or ‘stay signed in’ to mark browsers as safe; a remembered browser is exactly the cookie an attacker wants to steal.
  • Enable conditional access policies to restrict access to your data to approved locations or managed devices.
  • Adopt a zero trust approach: if you weren’t expecting the email, the call or the SMS, don’t respond to it or act on it.

And if you need any help with this, we’re just a phone call or email away👋
