How attackers use and abuse Microsoft MFA

For many years, Microsoft has pushed for the adoption of multi-factor authentication (MFA) to thwart intruders.

Threat actors, however, are keeping up with the growing enterprise usage of MFA and are consistently developing ways to evade the added security it provides.

Attacks including SIM swapping, vulnerability exploitation, rogue apps, antiquated authentication protocols, MFA prompt bombing (also known as MFA fatigue), stolen session cookies, and (custom) phishing kits with MFA-bypassing functionality have already been observed.

Researchers from Mandiant and Mitiga have more recently described various methods through which attackers might (mis)use Microsoft MFA to their advantage.

Attackers take over dormant Microsoft accounts and set up MFA

APT29 (also known as Cozy Bear or Nobelium) and other threat actors have developed a new strategy that involves taking advantage of the MFA self-enrollment process in Azure Active Directory and other systems.

The technique was described last week by Douglas Bienstock, an incident response manager at Mandiant.

Most businesses and platforms that use MFA let users enrol their first MFA device at their next login.

Because only the correct username and password are required for that, an attacker who knows them can enter the account and disable MFA.

In one instance, APT29 used a list of mailboxes it had acquired by shady means to launch a password guessing attack.

The attackers were able to guess the password for an account that had been created but never used.

Because the account had never been used, Azure AD prompted APT29 to enrol in MFA.

Once enrolled, APT29 had access to the organization's VPN infrastructure, which used Azure AD for authentication and MFA, according to Bienstock.

Mandiant advises businesses to check that every active account has at least one MFA device registered, and to collaborate with their platform provider to add more verification steps to the MFA registration procedure.

Organizations using Conditional Access on Microsoft Azure AD can require MFA for enrollment and issue Temporary Access Passes to employees when they first join or when they lose their MFA device, he continued.

Organizations can also use Conditional Access to limit the registration of MFA devices to only trusted locations or trusted devices.
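The two recommendations above (no enabled account without a registered MFA method, and a Conditional Access policy that gates MFA registration itself) can be checked mechanically. The following is an added example, not code from Mandiant, Microsoft or this article: it audits constructed sample data shaped like the Microsoft Graph user registration report (`userRegistrationDetails`, joined with the user object's `accountEnabled` flag) and `conditionalAccessPolicy` objects. The user-action identifier `urn:user:registersecurityinfo` and the `AllTrusted` location value are the ones Graph uses for the "Register security information" action and trusted named locations; the sample accounts and policy names are invented.

```python
"""Audit a tenant for the two Mandiant recommendations above.

Both data sets are constructed samples for this example, shaped like
Microsoft Graph objects: the user registration report
(/reports/authenticationMethods/userRegistrationDetails, joined with the
user object's accountEnabled flag) and conditionalAccessPolicy objects.
They are not real tenant data.
"""

# Graph user-action identifier for "Register security information"
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"

SAMPLE_REGISTRATIONS = [
    {"userPrincipalName": "alice@example.test", "accountEnabled": True,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    # Created but never used: exactly the kind of account APT29 enrolled
    {"userPrincipalName": "dormant@example.test", "accountEnabled": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    # Disabled leaver: no MFA, but nobody can sign in to self-enrol either
    {"userPrincipalName": "leaver@example.test", "accountEnabled": False,
     "isMfaRegistered": False, "methodsRegistered": []},
]

# Weak: MFA is required for cloud apps, but nothing gates MFA *registration*
WEAK_POLICIES = [
    {"displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"],
                                     "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Corrected: add a policy on the register-security-info user action that demands
# MFA (a Temporary Access Pass satisfies it) and does not apply at trusted locations
HARDENED_POLICIES = WEAK_POLICIES + [
    {"displayName": "Secure security info registration", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [],
                                     "includeUserActions": [REGISTER_SECURITY_INFO]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def users_without_mfa(records):
    """Enabled accounts with no MFA method registered: the ones an attacker
    holding a valid password could enrol a device for at next sign-in."""
    return sorted(r["userPrincipalName"] for r in records
                  if r["accountEnabled"] and not r["isMfaRegistered"])


def registration_is_gated(policies):
    """True if an enabled policy targets the register-security-info user action
    and either requires MFA or blocks the action (typically outside trusted
    locations).  Report-only or disabled policies do not count."""
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        apps = policy.get("conditions", {}).get("applications", {})
        if REGISTER_SECURITY_INFO not in apps.get("includeUserActions", []):
            continue
        controls = set(policy.get("grantControls", {}).get("builtInControls", []))
        if controls & {"mfa", "block"}:
            return True
    return False


def audit(records, policies):
    """Summarise both checks in one report dict."""
    return {"enabled_accounts_without_mfa": users_without_mfa(records),
            "registration_gated": registration_is_gated(policies)}


if __name__ == "__main__":
    print("weak tenant:    ", audit(SAMPLE_REGISTRATIONS, WEAK_POLICIES))
    print("hardened tenant:", audit(SAMPLE_REGISTRATIONS, HARDENED_POLICIES))
```

Against the weak policy set the audit reports the dormant account and `registration_gated: False`; the disabled leaver is deliberately not reported, because a disabled account cannot be signed into and self-enrolled. The real report can be pulled with Microsoft Graph PowerShell (`Get-MgReportAuthenticationMethodUserRegistrationDetail`) and fed to the same functions.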

Attackers set up a second Authenticator app for compromised accounts

Microsoft recently became aware of a phishing campaign that targeted Office 365 (i.e., Microsoft 365) users and bypassed the MFA protections in place by using phishing websites and proxy servers to collect users' passwords and session cookies.

But that wasn't all: Mitiga incident responders discovered that the attackers had also set up a second Authenticator app for the hijacked account, giving them unlimited access to it.

It's doubtful that the legitimate owner of a hijacked account will notice that a second MFA app has been added.

It is only evident if one looks for it specifically, by visiting the M365 security page, which the majority of users never do.

That is where you can switch your authenticator app or update your password without being prompted.

People generally only change their passwords when prompted to do so, or when they switch phones and need to transfer their authenticator app, Mitiga CTO Ofer Maor told Help Net Security.

Additionally, the legitimate account owner may not notice or choose to ignore an isolated, random request for the second authentication factor that is prompted by the attacker.

"They receive a prompt, but it vanishes after the attacker authenticates on the other authenticator.

To warn the user of the danger, there is no popup or other notification that says 'this request has been granted by another device' (or anything similar).

Of course, if the user is not paying attention to their phone when the prompt is given, it will probably disappear from their notification history," according to Maor.

"When we looked into it, the user eventually remembered being prompted once, but when they opened the app, nothing was there" (because by that time the attacker had already approved on their phone). However, they didn't focus much on it.

Additionally, he noted that most users do not fully comprehend the MFA process or have the knowledge to pay attention to it, especially given how many things about computers they "don't grasp."

He continued that the underlying issue is that Microsoft did not demand a new MFA challenge for accessing and changing a user's authentication methods.

This means the technique can be used to establish persistence once an account has been compromised, even for a very short time, allowing the attacker to re-authenticate with MFA when the session expires or is revoked.

It is important to note that this strategy still gives the attacker persistence even if an organisation strictly enforces a one-day MFA expiration period.
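Because the owner is unlikely to notice an extra authenticator, detection has to come from the logs rather than the user. The example below is added here and is not code from Mitiga, Microsoft or this article. It scans constructed records shaped like Microsoft Graph `signIn` and `directoryAudit` objects for security-info registrations, and raises an alert when the registration comes from an address absent from the user's recent sign-in baseline, or when the account has no sign-in history at all (the dormant-account case from the Mandiant section). The `activityDisplayName` values are the ones Azure AD audit logs use for authentication-method registration, which this example assumes rather than the article stating; the users, addresses and timestamps are invented.

```python
"""Flag security-info registrations that look like attacker-added methods.

The records are constructed samples for this example, shaped like Microsoft
Graph signIn and directoryAudit objects.  The activityDisplayName values are
assumed to be those Azure AD audit logs emit for method registration.
"""
from datetime import datetime, timedelta, timezone

REGISTRATION_ACTIVITIES = {"User registered security info",
                           "Admin registered security info"}


def _ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps Graph emits (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


SIGN_INS = [  # successful sign-ins; status.errorCode 0 means success
    {"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10",
     "createdDateTime": "2022-08-20T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.10",
     "createdDateTime": "2022-09-01T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "ipAddress": "203.0.113.10",
     "createdDateTime": "2022-09-02T08:05:00Z", "status": {"errorCode": 0}},
    # Session replayed through a phishing proxy minutes before the registration
    {"userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.77",
     "createdDateTime": "2022-09-03T22:41:00Z", "status": {"errorCode": 0}},
]

AUDITS = [
    # Bob: a second Authenticator added from an address absent from his baseline
    {"activityDisplayName": "User registered security info", "result": "success",
     "activityDateTime": "2022-09-03T22:43:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test",
                              "ipAddress": "198.51.100.77"}},
     "targetResources": [{"userPrincipalName": "bob@example.test"}]},
    # Alice: routine registration from her usual address
    {"activityDisplayName": "User registered security info", "result": "success",
     "activityDateTime": "2022-09-02T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test",
                              "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@example.test"}]},
    # Dormant account: first-ever MFA enrolment with no sign-in history at all
    {"activityDisplayName": "User registered security info", "result": "success",
     "activityDateTime": "2022-09-04T03:10:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "dormant@example.test",
                              "ipAddress": "192.0.2.200"}},
     "targetResources": [{"userPrincipalName": "dormant@example.test"}]},
    # Unrelated directory activity, ignored by the rule
    {"activityDisplayName": "Update user", "result": "success",
     "activityDateTime": "2022-09-04T04:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.test",
                              "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@example.test"}]},
]


def baseline_ips(sign_ins, upn, before, lookback_days=30, exclude_hours=24):
    """IPs the user signed in from between lookback_days and exclude_hours
    before 'before'.  The exclusion window keeps a fresh sign-in made with a
    stolen session (as described above) from whitelisting its own address."""
    ips = set()
    for s in sign_ins:
        if s["userPrincipalName"] != upn or s["status"]["errorCode"] != 0:
            continue
        age = before - _ts(s["createdDateTime"])
        if timedelta(hours=exclude_hours) <= age <= timedelta(days=lookback_days):
            ips.add(s["ipAddress"])
    return ips


def find_suspicious_registrations(audits, sign_ins):
    """Return one alert dict per registration that deserves a human look."""
    alerts = []
    for a in audits:
        if a["activityDisplayName"] not in REGISTRATION_ACTIVITIES or a["result"] != "success":
            continue
        target = a["targetResources"][0]["userPrincipalName"]
        src_ip = a["initiatedBy"].get("user", {}).get("ipAddress")
        when = _ts(a["activityDateTime"])
        known = baseline_ips(sign_ins, target, when)
        if not known:
            reason = "no sign-in history before enrolment (dormant account?)"
        elif src_ip not in known:
            reason = "registration from address never seen in sign-in baseline"
        else:
            continue
        alerts.append({"user": target, "time": a["activityDateTime"],
                       "source_ip": src_ip, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_registrations(AUDITS, SIGN_INS):
        print(alert)
```

The 24-hour exclusion is the important design choice: an attacker who has just replayed a stolen session cookie has, by definition, a successful sign-in from their own address seconds before the registration, so a baseline that included it would never fire. In a real deployment the 30-day and 24-hour windows would be tuned per tenant and the alerts routed to the owner of the account as well as the SOC.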

To increase security and make deployment simpler for administrators, Microsoft has announced additional capabilities in Microsoft Authenticator for corporate users.

The new features include:
  • With number matching and additional context, administrators can now reduce accidental approvals in Microsoft Authenticator (Public Preview).
  • Administrators can now set up Conditional Access policies based on the GPS location reported by Microsoft Authenticator (GA).
  • With the Registration Campaign feature, administrators can now nudge users to set up Microsoft Authenticator when they sign in (GA).

Number matching in Microsoft Authenticator MFA experience (Public Preview)

  • Admins can mandate that users input the number shown on the sign-in screen when authorising an MFA request in Authenticator in order to boost security and decrease unintentional approvals.

Additional context in Microsoft Authenticator approval requests (Public Preview)

Displaying more context in Authenticator notifications for users is another option to cut down on unintentional approvals. 

This feature shows users which application they are signing into and, based on the IP address, the location of the sign-in.
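To make concrete why number matching and added context reduce unintentional approvals, here is a toy model of a push-approval server. It is an added illustration, not Microsoft's implementation or any code from this article: the class, message shapes and user names are invented. The point it shows is that with number matching on, an approval from the phone is only accepted when it carries the number shown on the sign-in screen, so someone tapping Approve on a prompt they did not initiate (the stray prompts described in the Mitiga section) has nothing valid to enter; the notification also carries the application and source address so the user can judge the request.

```python
"""Toy model of push approval with and without number matching.

This is an added illustration, not Microsoft's implementation: a minimal
authentication server that issues push challenges, and two scenarios that
contrast a user who initiated the sign-in with one who merely taps Approve
on an unexpected prompt.  Names and message shapes are invented.
"""
import secrets
from dataclasses import dataclass


@dataclass
class PushChallenge:
    request_id: str
    user: str
    app: str          # additional context: which application is signing in
    source_ip: str    # additional context: where the sign-in originates
    number: int       # shown only on the sign-in screen, never sent in the push


class PushAuthServer:
    def __init__(self, number_matching=True):
        self.number_matching = number_matching
        self.pending = {}

    def start_sign_in(self, user, app, source_ip):
        """Whoever holds the password starts a sign-in; the screen they are
        looking at shows the two-digit number, the phone gets only the push."""
        challenge = PushChallenge(secrets.token_hex(8), user, app, source_ip,
                                  secrets.randbelow(100))
        self.pending[challenge.request_id] = challenge
        return challenge

    def notification(self, request_id):
        """What the Authenticator app displays for a pending request: the
        request id plus the app and sign-in location, but not the number."""
        c = self.pending[request_id]
        return {"request_id": request_id, "app": c.app, "sign_in_from": c.source_ip}

    def approve(self, request_id, entered_number=None):
        """Approval succeeds only if (when number matching is on) the number
        typed into the app equals the one on the sign-in screen."""
        challenge = self.pending.get(request_id)
        if challenge is None:
            return False
        if self.number_matching and entered_number != challenge.number:
            return False          # approval without sight of the screen fails
        del self.pending[request_id]
        return True


def legitimate_sign_in(server):
    """User at the keyboard sees the number and types it into the app."""
    challenge = server.start_sign_in("alice@example.test", "Outlook", "203.0.113.10")
    push = server.notification(challenge.request_id)
    return server.approve(push["request_id"], entered_number=challenge.number)


def blind_approval(server):
    """A prompt the user did not initiate: they never saw a sign-in screen,
    so they have no number to enter and simply tap Approve."""
    challenge = server.start_sign_in("alice@example.test", "Outlook", "198.51.100.77")
    push = server.notification(challenge.request_id)
    return server.approve(push["request_id"])


if __name__ == "__main__":
    print("legitimate, number matching on :", legitimate_sign_in(PushAuthServer(True)))
    print("blind tap,  number matching on :", blind_approval(PushAuthServer(True)))
    print("blind tap,  number matching off:", blind_approval(PushAuthServer(False)))
```

The contrast between the last two lines is the whole argument for the feature: a plain push can be approved by reflex, while number matching turns the approval into proof that the approver can see the sign-in screen. The extra context in the notification does not change the server logic, but it gives a user who is paying attention a reason to refuse.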

GPS-based Named Locations (Generally Available)

By using the GPS signal from Microsoft Authenticator, administrators can now restrict resource access to the borders of a particular country using Conditional Access policies.

When signing in, users covered by this feature will be asked to share their GPS location via the Microsoft Authenticator app.

To protect the integrity of the GPS location, Microsoft Authenticator will not allow authentication if the smartphone is jailbroken or rooted.

Microsoft Authenticator Registration Campaign (Generally Available)

You can now encourage users to set up Authenticator and move away from less secure telephony methods by using the Microsoft Authenticator Registration Campaign.

The feature targets users who are enabled for Microsoft Authenticator but have not yet set it up.

After successfully completing an MFA sign-in, users are prompted to set up Authenticator, and after completing the setup process, the default authentication method is changed to the Microsoft Authenticator app.

  • Administrators are urged to test out these Microsoft Authenticator security updates and offer feedback at aka.ms/AzureADFeedback.
