How Cybercriminals are Bypassing 2FA in Email Accounts

How Cybercriminals are Bypassing Two-Factor Authentication (2FA) in Email Accounts

September 15, 2023 / in Blog / by Zafar Khan, RPost CEO

How Cybercriminals are Foiling Today’s 2FA for Email Accounts

Dr. Seuss created that grey, fuzzy-haired creature many years ago: the Grinch, who stole Christmas. While not quite as cute and fuzzy as the Grinch, today’s cybercriminals are staging a similar-sounding nefarious act, the Glitch.

Here’s how cybercriminals are foiling today’s 2FA (two-factor log-in authentication) for email to gain access to your email account. (Note that there are many variations; below is a shortened version of one recently reported by our customers.)

  1. The cybercriminal sends staff an email with cleverly constructed content that lures a user to click a link to log into their Microsoft Office (or Google) email account.
  2. The staff member clicks the link, which opens a Microsoft log-in page (an authentic one) that is, invisibly to the user, being relayed through the cybercriminal’s computer.
  3. The user goes through all of their Microsoft two-factor authentication steps to log in.
  4. Technically, the successful login creates a unique authentication token, which the cybercriminal captures.
  5. The cybercriminal then closes the user’s session and makes it look as though it closed because of a harmless GLITCH, the kind we all see that causes a web browser to crash or close.
  6. The cybercriminal then uses the captured token to log into the user’s account from the cybercriminal’s computer, and quickly creates a mail forwarding rule deep in the account settings so that incoming email to the user’s account is routed to the cybercriminal’s computer.
  7. [Here’s a mouthful, stay focused…] The cybercriminal starts to eavesdrop on the user’s email (programmatically or as a human). When they see (or filter for) an invoice or other transaction-related document that contains payment information, they copy it, modify the bank details by replacing the true payment details with very similar-looking cybercriminal details, and send a copy of the modified invoice to the user from a lookalike domain of the invoice originator, in a way that gets the user to pay attention to the second, modified invoice.
  8. The user submits the modified invoice to their payables department.
  9. The user’s company pays the fake invoice.
  10. The Glitch (aka Grinch) has now stolen Christmas.
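As an added example that is not part of the original post, here is a defender-side check for the artefact left behind in step 6: a Python scan of mailbox audit records for newly created rules or mailbox settings that forward mail outside the organisation, with a higher severity when the rule also deletes the original message. The record layout, parameter names and internal domain are modelled on Exchange inbox-rule audit events but are assumptions for this example, and the sample records are constructed.

```python
# Added example (not from the original post): flag mailbox audit events that
# forward mail outside the organisation, the artefact left behind in step 6.
# Record layout modelled on Exchange "New-InboxRule" audit events; assumed, not verified.

INTERNAL_DOMAINS = {"corp.example"}  # assumed: the organisation's own domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample: attacker-style rule (external forward + delete, near-empty name),
# a legitimate internal forward, a mailbox-level external forward, an unrelated event.
SAMPLE_AUDIT_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "ForwardTo", "Value": "team@corp.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.home@webmail.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "dave@corp.example", "Parameters": []},
]

def _addresses(value):
    """Split a parameter value into addresses, dropping any 'smtp:' prefix."""
    parts = [p.strip() for p in value.replace(";", ",").split(",")]
    return [p.split(":", 1)[-1] for p in parts if p]

def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def find_external_forwarding(records):
    """Return one finding per rule/mailbox change that forwards mail externally."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [a for k, v in params.items() if k in FORWARD_PARAMS
                   for a in _addresses(v)]
        external = [a for a in targets if _domain(a) not in INTERNAL_DOMAINS]
        if not external:
            continue
        # A rule that also deletes the original hides the diversion from the user.
        severity = "high" if params.get("DeleteMessage") == "True" else "medium"
        findings.append({"user": rec["UserId"], "targets": external,
                         "severity": severity, "rule_name": params.get("Name")})
    return findings
```

Run against real audit exports, each finding is a prompt to confirm the rule with the mailbox owner and to revoke the session tokens the login in step 4 produced.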

What makes this even trickier is that there are many variations of the above that cybercriminals employ, tactics that are too confusing even to explain to people, let alone train people to watch for.

What to do?

Well, we know what does work: the RMail PRE-Crime Email Eavesdropping™ detection service and RMail Lookalike Domain™ alerts will pre-empt this type of cybercrime before the theft. These can easily be installed into one’s Microsoft Outlook or connected to one’s email gateway.

Let us know if you’d like more information on these PRE-Crime services by RPost. Contact RPost here.