MFA Bugs Open Doors for Hackers in Microsoft 365
Cases of cyberattacks have been on the rise, with each subsequent attack becoming more sophisticated. Thus, most companies implement various cybersecurity solutions to prevent intruders from getting access to their accounts and protect themselves, such as login authentication.
Using MFA to Authenticate And Verify End Users Identity: In most instances, verification codes are sent to end-users to access it from a physical device. Most high-security websites now provide end-users with a device for this purpose, such as a keypad device that users might use to access their work laptops. In addition to being purposely built for security, they also have the advantage of directly generating the authentication code. It is also common for websites to use a dedicated mobile app, such as Google Authentication for the same reason.
On the other hand, some websites send verification codes to a user’s mobile phone as a text message. While this is technically a method of authentication, it is open to abuse. Since the code is being transmitted via SMS rather than being generated by the mobile device, this creates the potential for the code to be intercepted. There is also a risk of SIM swapping, whereby an attacker fraudulently obtains a SIM card with the victim’s phone number. The attacker would then receive all SMS messages sent to the victim, including the one containing their authentication code.
Can Cybercriminals Bypass Security Measures With Multi-Factor Authentication?
While cybercriminals can obtain single-authentication factors such as passwords, getting other authentication factors is considered unlikely. For this reason, multi-factor authentication is being implemented since it is more secure than single-factor authentication. Multi-factor authentication is used as back-up security to a user’s password if the password is compromised and is meant to protect an account in such a scenario.
According to Microsoft, approximately 99.9% of attacks are blocked by MFA. However, as with any security measure, it is only ever as secure as its implementation. Purely implemented multi-factor authentication can be beaten or even bypassed entirely, just like single-factor authentication can. This is the case with the multi-factor authentication process in Microsoft 365.
How Do Cybercriminals Bypass the Multi-Factor Authentication System in Microsoft 365?
With many companies relying more on cloud-based applications due to the increasing adoption of remote workspaces, multi-factor authentication has become a must-have resource to secure company data from the cyber threats that continue to crop up. Increased reliance on MFA also means that the feature is more attractive to cybercriminals.
Bugs in the multi-factor authentication system used by Microsoft 365 have opened doors to cybercriminals to access cloud-based applications by bypassing the security system. These flaws exist in implementing the WS-Trust specification, a program enabled and used in Microsoft 365, in cloud environments. WS-Trust is an OASIS standard that provides extensions to WS-Security and is used to renew and validate security tokens and broker trust relationships to ensure a secure message-exchange architecture.
Cybercriminals Use Phishing Attacks
Phishing campaigns can bypass multi-factor authentication (MFA) on Office 365 to access victims’ data stored on the cloud. Hackers can then use this data to extort a ransom or even find new victims to target. The attack is different because it attempts to trick users into granting permissions to the application, which can bypass MFA.
Applications that want to access Office 365 data on behalf of an end-user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform. This is where OpenID Connect (OIDC) and OAuth2 come in. The former is used to authenticate the user who will grant access, and if authentication is successful, the latter authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.
Cyberattackers Can Use Rogue Applications to Bypass MFA
Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Microsoft 365 accounts. They do this by tricking them into granting permissions to rogue applications. Initially, the attacker doesn’t know the victim’s login credentials, and this tactic allows them to gain access to the victim’s account without using the credentials or the MFA code. After signing in, the user will be asked to confirm that they want to grant the application all those permissions.
The access token the rogue application receives and uses will expire after a while. Still, the application has also been granted permission to obtain refresh tokens, which can be exchanged for new access tokens, meaning that the application will retain access indefinitely. The application also allows attackers to access and modify the contents of the victim’s account.
Cybercriminals Can Use Authentication APIs to Validate Victims’ Office 365 Credentials
If the attackers are successful, they may grab all the victim’s emails and access cloud-hosted documents containing sensitive or confidential company information. Once the attacker has sensitive data, they can use it to extort victims for a ransom. The same permissions may also be used to download the user’s contact list against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.
Despite the use of multi-factor authentication, there have been an increase in Business Email Compromise (BEC) attacks. While modern authentication protocols and MFA are essential advancements in account security. MFA should be used whenever possible; however, many common applications, such as those used by mobile email clients (for example, iOS Mail for iOS 10 and older versions) do not support modern authentication. It is, therefore, important for your company to use updated mobile devices.
Hackers Use Legacy Applications After MFA Blocks Them
A common pattern in the recent surge of these attacks shows that the hacker immediately switches to a legacy application after MFA blocks them. Most credential stuffing campaigns leverage legacy applications like IMAP4 to ensure they do not encounter MFA difficulties during the attacks.
Many company executives think that MFA fully protects them. However, this is not the case. Organizations must add other cybersecurity solutions to mitigate attacks and risks, such as combining MFA and threat visibility to secure cloud environments.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice. I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.
