Mitiga: Attackers evade Microsoft MFA to lurk inside M365
During an incident response investigation, Mitiga discovered attackers were able to create a second authenticator with no multifactor authentication requirements.
Threat actors discovered a technique to bypass Microsoft's multifactor authentication to maintain persistence in the M365 environment with the goal of intercepting any substantial transactions.
In a blog post Wednesday, cloud incident response vendor Mitiga detailed an investigation it did into an attempted business email compromise (BEC) attack on a multimillion-dollar transaction. During the incident response, Mitiga discovered unauthorized access to the Microsoft 365 (M365) user of an executive in the organization. While many steps aligned with previously observed tactics, there was one new aspect of the attack that led the vendor to question how Microsoft's MFA works by design.
Following an adversary-in-the-middle (AiTM) phishing technique to gain initial access, attackers were able to add a new authenticator on the compromised account that allowed them to maintain extended access. The second authenticator was set up without alerting the user.
Normally, a session will be invalidated after a few days, requiring users to do MFA again. However, Ofer Maor, chief technology officer and co-founder of Mitiga, told TechTarget Editorial that to pull off high-end BEC, attackers require a way to keep M365 access for weeks.
While Microsoft's security measures worked as designed, the attackers uncovered a way to circumvent them.
Initially, Mitiga was unsure how the new authenticator was created. While a vulnerability was one possibility, further investigation revealed a technique the vendor had not seen until now.
"We realized it's by design how Microsoft works," Maor said. "If you have a valid session, you can create a new authenticator without it asking you to do the MFA again, which is really bad practice and being exploited here."
Microsoft declined comment.
When new authenticators are created, most vendors, such as Google, require MFA verification. Maor said in this case, because the MFA verification is done within another component Microsoft refers to as conditional access, it trusts the user. If the conditional access feature verified when the user logged on a week prior, the session remains valid.
"The second most surprising example of this, which is at the heart of this attack, is that Microsoft does not require an MFA re-challenge for accessing and changing user authentication methods in the Security Info section of the account profile," Mitiga wrote in the blog entry.
Therefore, once the phishing attempt is successful, actors can just add the authenticator and then own the account forever, Maor said.
Not only did the investigation reveal a new technique, it also highlighted just how sophisticated AiTM phishing techniques have become. In this case, attackers sent emails that appeared to come from DocuSign. High-phishing awareness may not even prevent these types of attacks, which Maor said have been taken to a whole different level.
For one, AiTM was designed to allow phishing even if two-factor authentication is enabled, by taking the user to a site that in real time proxies the log-in request, then proxies the MFA details. This allows the attacker to get a validated session.
"Basically, you think you're logging in to Microsoft, but you're logging in to a fake site and at the same time, the fake site is logging in to Microsoft," Maor said.
There's new open source technology frameworks that attackers can download that make these phishing attempts appear perfect, he said. Because of these new technologies, Maor said MFA is becoming less effective against phishing.
When MFA first came out, the industry was aware these proxy-type attacks could happen, but they were not used.
"It was way more complicated than a normal phishing attack, and there was no reason to do it because almost no one had MFA," Maor said.
However, there has been a huge uptick over the past two years, as organizations adopt MFA due to new cyber insurance and vendor requirements. As with any new defense, attackers will look for a way around it.
Within the next couple of years, Maor said the efficacy of MFA as a measure against phishing will be nearly wiped out.
"Organizations that want to stay ahead of the curve will have to enact 3FA [three-factor authentication] and add another factor, such as a hardware device. Something that validates there's no man in the middle there," he said.