For many Microsoft customers, basic 2FA (2-factor authentication) is being made more secure. Rather than simply sending a code via text or email, Microsoft is asking customers to use the Authenticator app.
2FA or MFA (2-factor or multifactor authentication) requires that a user provide 2 or more forms of “identification” when they log in to a service. The user ID is a claim about who the human at the keyboard is, and the first form of proof backing that claim is typically the password.
The second form of proof, the second factor, is often a secret code which is sent via email or text to the user. But Microsoft knows that email addresses and telephone numbers can be compromised or spoofed, so the more reliable Authenticator app is now the default.
Authenticators are installed on a user device, and the user’s account for each service they want to protect is added to the app. When the user logs in to that service, a push notification is sent to the device through the authenticator’s own channel, not via the public phone network, SMS or email. Whereas the bad guys may be able to get hold of a phone number or an email address, they must have access to the actual device in an unlocked state in order to get the authenticator code.
Now, with Microsoft’s enforcement of Authenticator use, attackers are looking for ways to intercept your password when you think you’re being asked to set up or validate the Authenticator app.
Authenticator setups are often completed using a QR Code, which is a two-dimensional barcode that stores data in a grid of black and white squares.
The “QR” stands for “Quick Response” and these codes are often used in marketing and advertising campaigns as a way to drive traffic to a website or service.
QR codes can be scanned with a smartphone camera or app, directing the device to open a website or take some other action. The hackers are very aware of current events like the Microsoft announcement, and will use that information to find a way in.
In the case of this phishing email campaign, the URL embedded in the QR code takes the user to a web page that asks them to “re-authenticate”, which means the attackers want you to freely give them your password on their fake/spoofed Microsoft login page.
The point of all this is that hackers, phishers and malicious bad actors are using any means available to trick you into giving them your password and access to your systems.
The Noobeh cloud services team cannot stress enough that you need to have a healthy dose of paranoia to keep your systems safe while working online. Mouse-over all hyperlinks so you can see where they really go (if it’s legit, then don’t click the link, just type it directly in the browser), don’t open unexpected attachments (even from friendly senders), and never scan a QR code you didn’t ask for.
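One way to put the “see where they really go” advice into practice for a QR code, as an added example that is not from the Noobeh post: a small Python script that takes the URL decoded from a QR code and checks whether it actually points at a Microsoft sign-in host before anyone visits it. Decoding the image itself is left to a QR library; the payloads below are constructed samples. The allowlist of sign-in hosts and the brand keywords are illustrative assumptions, not an authoritative list.

```python
"""Check where a URL from a QR code (or a hovered hyperlink) really goes.

Added example, not part of the original post. The trusted-host list and
brand keywords are illustrative assumptions; adjust them for your tenant.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: a short allowlist of genuine Microsoft sign-in hosts.
TRUSTED_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand words that a look-alike host might borrow to look convincing.
BRAND_KEYWORDS = ("microsoft", "office", "outlook", "azure")


def is_trusted_host(host: str) -> bool:
    """True if host is an allowlisted sign-in host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SIGNIN_HOSTS)


def assess_url(url: str) -> Tuple[str, List[str]]:
    """Return ("trusted", []) or ("suspicious", [reasons...]) for a URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons: List[str] = []

    if parts.scheme.lower() != "https":
        reasons.append("scheme is not https")
    if "@" in parts.netloc:
        # Anything before '@' is user-info, not the host; it can make the
        # visible text look like a trusted name while the real host differs.
        reasons.append("user-info before the host disguises the real destination")
    if not host:
        reasons.append("no host name in URL")
    elif not is_trusted_host(host):
        reasons.append("host is not an allowlisted sign-in host")
        if any(k in host for k in BRAND_KEYWORDS):
            reasons.append("brand keyword on an untrusted host (look-alike)")

    return ("suspicious" if reasons else "trusted", reasons)


def triage(urls: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Assess a batch of decoded QR payloads; returns (url, verdict, reasons)."""
    return [(u, *assess_url(u)) for u in urls]


# Constructed sample payloads, as a QR decoder might hand them back.
SAMPLE_QR_PAYLOADS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft-reauth.example/verify",          # constructed look-alike
    "https://login.microsoftonline.com@untrusted.example/",  # constructed
    "http://login.live.com/",                           # real host, no TLS
]

if __name__ == "__main__":
    for url, verdict, reasons in triage(SAMPLE_QR_PAYLOADS):
        print(f"{verdict:10s} {url}")
        for r in reasons:
            print(f"           - {r}")
```

Run it with a decoded payload in place of the samples; anything that comes back “suspicious” is a URL to type into the browser yourself (or throw away), not one to follow from the QR code. The check deliberately ignores the path and query string: the host is what decides who receives the password.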
Mike, the IT guy
NOOBEH cloud tech