Clever phishing method bypasses MFA using Microsoft WebView2 apps

Gandalf_The_Grey (thread author)
A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims' authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts.

With the large number of data breaches, remote access trojan attacks, and phishing campaigns, stolen login credentials have become abundant.

However, the increasing adoption of multi-factor authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also has access to the target's one-time MFA passcodes or security keys.

This has led to threat actors and researchers coming up with new ways of bypassing MFA, including zero-day website vulnerabilities, reverse proxies, and clever techniques, such as the Browser in the Browser attack and utilizing VNC to display remote browsers locally.

This week, cybersecurity researcher mr.d0x has created a new phishing method that uses Microsoft Edge WebView2 applications to easily steal a user's authentication cookies and log into stolen accounts, even if they are secured with MFA.
 

rain2reign
Unless I am misunderstanding something here, isn't this just a plain WebView in-app browser control, only the desktop variant? The application that uses the WebView must still be launched by the user, doesn't it? How is this actually special?

Granted, iOS and Android also use WebView within applications.
 

Gandalf_The_Grey (thread author)
Unless I am misunderstanding something here, isn't this just a plain WebView in-app browser control, only the desktop variant? The application that uses the WebView must still be launched by the user, doesn't it? How is this actually special?

Granted, iOS and Android also use WebView within applications.
Correct:
However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable.

"This social engineering technique requires an attacker to convince a user to download and run a malicious application," Microsoft told BleepingComputer in a statement regarding this new technique.

"We recommend users practice safe computing habits, avoid running or installing applications from unknown or untrusted sources, and keep Microsoft Defender (or other anti-malware software) running and up-to-date."

Therefore, getting someone to run an application in the first place may take additional work.

With that said, history has shown us that many people "just run things" without thinking about the ramifications, whether that be email attachments, random downloads off the Internet, cracks and warez, and game cheats.