How attackers use and abuse Microsoft MFA
Microsoft has been pushing for the use of multi-factor authentication (MFA) to thwart attackers for many years.
But threat actors are keeping up with the increasing enterprise adoption of MFA and are constantly coming up with ways to bypass the additional protection it offers.
We have already seen attacks involving SIM swapping, exploitation of vulnerabilities, rogue apps, legacy authentication protocols, MFA prompt bombing (aka MFA fatigue), stolen session cookies, and (custom) phishing kits with MFA-bypassing capability.
More recently, Mandiant and Mitiga researchers have documented different approaches that allow attackers to (mis)use Microsoft MFA to their advantage.
Attackers take over dormant Microsoft accounts and set up MFA
Douglas Bienstock, an IR manager at Mandiant, shared last week a new tactic by APT29 (aka Cozy Bear, aka Nobelium) and other threat actors that involves taking advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.
When implementing MFA, most organizations and platforms allow users to enroll their first MFA device at the next login. To do that, the user must only have the correct username and password, which means that an attacker who has that knowledge can access the account and set up MFA for it.
“In one instance, APT29 conducted a password guessing attack against a list of mailboxes they had obtained through unknown means. The threat actor successfully guessed the password to an account that had been setup, but never used. Because the account was dormant, Azure AD prompted APT29 to enroll in MFA. Once enrolled, APT29 was able to use the account to access the organization’s’ VPN infrastructure that was using Azure AD for authentication and MFA,” Bienstock explained.
Mandiant recommends that organizations ensure all active accounts have at least one MFA device enrolled and work with their platform vendor to add additional verifications to the MFA enrollment process.
On Microsoft Azure AD, organizations can use Conditional Access to restrict the registration of MFA devices to only trusted locations or trusted devices, he added, and they can choose to require MFA to enroll MFA and issue Temporary Access Passes to employees when they first join or if they lose their MFA device.
Attackers set up a second Authenticator app for compromised accounts
In a phishing campaign recently spotted by Microsoft, BEC scammers targeted Office 365 (i.e., Microsoft 365) users and successfully bypassed the MFA set up to protect the accounts by using proxy servers and phishing websites to steal users’ password and session cookie.
But that was apparently not all: Mitiga incident responders have also found that the attackers set up a second Authenticator app for the compromised account so they could access the account whenever they wanted.
The legitimate owner of a thusly compromised account is unlikely to spot that the second MFA app has been added.
“It is only obvious if one specifically looks for it. If one goes to the M365 security portal, they will see it; but most users never go to that place. It is where you can change your password without being prompted for it, or change an authenticator app. In day-to-day use, people only change passwords when mandated through the prompt, or when they change their phone and want to move their authenticator app,” Mitiga CTO Ofer Maor told Help Net Security.
Also, an isolated, random prompt for the second authentication factor triggered by the attacker can easily not be seen or ignored by the legitimate account owner.
“They get prompted, but once the attacker authenticates on the other authenticator, that prompt disappears. There is no popup or anything that says ‘this request has been approved by another device’ (or something of that sort) to alert the user of the risk. Of course, the notification of the prompt on their phone may remain in the notification history, but if done when the user is not paying attention to their phone, it is likely to go away,” Maor noted.
“When we investigated it, the user eventually remembered that there was one time they were prompted, but then got into the app and there was nothing there (because by that time the attacker had already approved on their phone). They didn’t pay much attention to it though.”
He also pointed out that most users do not thoroughly understand the whole MFA mechanism or have the awareness to pay attention to it, especially as computers do a lot of things they “don’t understand”.
The problem here was that Microsoft does not require an MFA re-challenge for accessing and changing user authentication methods, he added.
“This means that once an account has been compromised, even for an extremely short period of time, it is possible to create persistency using this technique, so an attacker can then reauthenticate with MFA when the session expires or is revoked. It is important to note that even if an organization puts a strict MFA expiration time of one day, it will still not prevent creating for the attacker with this technique.”