Attackers Discover Technique to Bypass Microsoft’s MFA to Prowl Inside M365

What Happened?

While investigating an attempted business email compromise attack for a large business, cloud incident response vendor Mitiga found that bad actors had gained unauthorized access to an executive’s Microsoft 365 account. This raised many questions about how a bad actor was able to break through Microsoft’s MFA (multi-factor authentication) without the user being aware.  

Further investigation showed a multi-step process that began with an "adversary in the middle" (man-in-the-middle) phishing attack. The phishing site sat between the victim's browser and Microsoft's real login page, relaying the credentials and the MFA response to Microsoft and capturing the authenticated session cookie that came back. That cookie gave the attackers a valid session, which they used to add a new authenticator to the account without ever alerting the user. With their own authenticator registered, they could satisfy later MFA prompts with a device they controlled, so access no longer depended on the stolen session and they could return to the account whenever they wanted. According to Ofer Maor, Chief Technology Officer and co-founder of Mitiga, this was possible because Microsoft allows new authenticators to be added as long as there is a valid session: a bad actor needs only a brief window into an account to register an authenticator and keep persistent access.

Who are the Victims?

While only one company was investigated in this report, Mitiga warns that, without additional controls on Microsoft 365 accounts, the same technique will keep working and the number of victims will grow. With full access to an organization's data, bad actors can cause reputational or financial harm that costs companies millions of dollars. Closing this gap is important for any company that relies on MFA alone to secure its accounts. In practice that means treating the registration of new security information as a privileged action that requires fresh, strong authentication (for example, a Conditional Access policy on the "Register security information" user action) and alerting on authenticator additions that follow a sign-in from an unfamiliar location.

Could Eclypses MTE Technology Prevent this?

Recent attacks show how difficult it is to assemble all the pieces of a security stack and make them work together correctly. Whether the threat is an MFA bypass, a zero-day, or any other common attack, it is important to also secure the data itself at the application level. Eclypses MTE technology lets you keep control of your customer data rather than trusting things you do not control, such as third-party providers.

Eclypses MTE SDR (secure data replacement) technology would have protected the session cookie that was taken in the initial adversary-in-the-middle phishing attack.

The Eclypses MTE Web toolkit is deployed through the web browser without plug-ins or disruption to the user experience. MTE Web protects against replay attacks, Wi-Fi eavesdropping, spoofing (IP, DNS and HTTPS spoofing) and hijacking (SSL hijacking, session/browser cookie hijacking, email hijacking).

Source: TechTarget