Mitiga says that MFA, even if configured incorrectly, is not a panacea for preventing attackers from exploiting compromised credentials.
Multi-factor authentication (MFA) is often cited as one of the best security methods available to secure sensitive accounts and credentials. Even if the password is leaked or stolen, the hackers cannot use it to log into the account without that second form of authentication. But to be effective, MFA must be configured properly and securely; otherwise, a smart cybercriminal can find ways to get around it.
A report released Wednesday, Aug. 24, by security consultancy Mitiga examines a recent business email compromise campaign against an organization that uses Microsoft 365. According to Mitiga, the attackers gained access to sensitive information by exploiting weak default configurations in Microsoft’s multi-factor authentication. Although the targeted organization was able to prevent any fraudulent activity, the incident serves as a warning about how MFA can be improperly designed.
In this attack, cybercriminals gained unauthorized access to an executive’s Microsoft 365 account in an organization from multiple locations, including Singapore; Dubai; and San Jose, California.
The attackers compromised the user’s account and mailbox through adversary-in-the-middle (AiTM) tactics. In an AiTM attack, the attacker places a proxy server between the victim and the legitimate website; the proxy relays the login while capturing the target’s password and browser session cookies.
To protect the victim’s account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Upon further analysis, Mitiga discovered that a second Authenticator app had been set up without the victim’s knowledge, giving the attackers the means to continue using the hacked account.
Microsoft MFA does not always require a second form of authentication
The problem, according to Mitiga, lies in the weak default settings for Microsoft MFA. The technology works by deciding when a second form of authentication is required, such as when someone tries to access resources from a different IP address, requests elevated administrator privileges, or attempts to retrieve sensitive data.
By analyzing the token of an active login session, Microsoft MFA determines whether the session was previously authorized; if it was, the second form of authentication is not required. This decision is made solely by the Microsoft authentication engine, and customers cannot configure it themselves, according to Mitiga.
The report cited two examples where a decision by Microsoft MFA not to require the second form of authentication could be problematic.
One example concerns the Privileged Identity Management (PIM) feature, which allows administrative users to work with non-administrator privileges day to day and then use the PIM tool to raise their permissions if and when needed. Because no second factor is demanded at that step, an attacker could use PIM to elevate a compromised non-administrator account to one with administrative privileges.
In another example, Microsoft does not require a second form of authentication when accessing and changing user authentication methods in the Security Info section of the account profile. A user who was previously authorized in a session can add a new Authenticator app without being challenged. This is how the attacker in the incident cited by Mitiga was able to continue using the compromised account.
“Given the accelerated growth of AiTM attacks (even without the persistence an attacker allows by adding a new compromised authentication method), it is clear that we can no longer rely on multi-factor authentication as our main line of defense against identity attacks,” Mitiga said in the report. “We strongly recommend setting up another layer of defense, in the form of a third factor, linked to a physical device or to the employee’s authorized laptop and phone.
“Microsoft 365 offers this as part of Conditional Access by adding a requirement to only authenticate through a registered and compatible device, which would completely prevent AiTM attacks.”
Tips for preventing AiTM attacks that exploit MFA
In a statement to TechRepublic, a Microsoft spokesperson also made recommendations about stopping AiTM attacks that can abuse multi-factor authentication.
“AiTM phishing is important to be aware of and we encourage users to practice good computer habits online, including caution when clicking on links to web pages, opening unknown files or accepting file transfers,” the spokesperson said. “We recommend that customers use Azure AD Conditional Access to set specific rules for permitted risk levels, locations, device compliance, and other requirements to prevent malicious registration of new funds.
“Where possible, we also recommend using phishing-resistant credentials such as Windows Hello or FIDO. To help protect customers from these types of attacks, Authenticator provides context information to warn the user that their location is unknown or that the app is not the app they expect.”
Further advice comes from Aaron Turner, CTO for SaaS Protect at cybersecurity firm Vectra. Turner noted that the target organization described by Mitiga used a relatively weak default configuration in Microsoft 365, and said that while Microsoft offers a solution to stop AiTM attacks, that solution needs to be strengthened.
To that end, organizations must follow these three guidelines:
- Make sure that the Self-Service Password Reset requires two authentication factors to reset account passwords.
- Allow Microsoft Authenticator to be installed only through a Mobile Application Management or Mobile Device Management control set through Microsoft Intune.
- Set Conditional Access policies to only allow Microsoft Authenticator to work from managed applications or managed devices.
“This combination of controls would have protected the victim organization in this case,” Turner added. “We’ve found that even these controls can be circumvented by nation-state actors, so investing in appropriate detection and response capabilities is critical to reducing the risk opportunities created by sophisticated attackers.”
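As an added illustration of the Conditional Access recommendation made by Mitiga and by Turner (requiring a managed device before security info can be changed, so that a hijacked session cannot quietly add a new Authenticator app), here is a policy created with the Microsoft Graph PowerShell SDK. This is example code written for this page, not the report’s or Microsoft’s own; the break-glass group id is a placeholder, and it assumes an account with the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example: Conditional Access policy that protects the Security Info page
# (the "Register security information" user action) so that adding a new
# authentication method requires both a fresh MFA challenge and an
# Intune-compliant device. A session cookie captured by an AiTM proxy carries
# neither the device claim nor a new MFA prompt, so the change is blocked.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the emergency-access (break-glass) group to exclude.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA and compliant device to register security info"
    # Start in report-only mode, review the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            # Targets the combined security info registration experience, which
            # is where a second Authenticator app would be added.
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Verification: list every policy that covers the security info user action,
# so a reviewer can confirm the control is present and not report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Applications.IncludeUserActions -contains "urn:user:registersecurityinfo" } |
    Select-Object DisplayName, State, @{n="Controls"; e={ $_.GrantControls.BuiltInControls -join "," }}
```

Pair the policy with the Intune app-protection (MAM/MDM) requirement for Authenticator that Turner describes, since the compliant-device check is only as strong as the device enrollment behind it.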