
Sophisticated BEC Scammers Bypass Microsoft 365 Multi-Factor Authentication


and hackers have developed ways to circumvent multi-factor authentication (MFA) on cloud productivity services like Microsoft 365 (formerly Office 365).

A BEC attack recently analyzed by cloud incident response firm Mitiga used an adversary-in-the-middle (AitM) phishing attack to bypass Microsoft Office 365 MFA and gain access to a business executive’s account, then successfully added a second authentication device to the account for persistent access. According to the researchers, the campaign they analyzed is broad rather than aimed at a single organization, and targets large transactions of up to several million dollars each.

Initial access for BEC attack

The attack began with a well-crafted phishing email posing as a notification from DocuSign, a widely used cloud-based electronic document signing service. The email was crafted for the targeted business executive, suggesting the attackers did reconnaissance work. The link in the phishing email led to a website controlled by the attacker, which then redirected to a Microsoft 365 single sign-on login page.

This fake login page uses an AitM technique, where attackers run a reverse proxy that relays authentication requests in both directions between the victim and the real Microsoft 365 website. The victim has the same experience as on the real Microsoft login page, including the legitimate MFA request that they must complete using their authenticator app. After the authentication process is successfully completed, the Microsoft service creates a session token that is flagged in its systems as MFA-compliant. The difference is that since the attackers acted as a proxy, they now also have that session token and can use it to access the account.

This reverse proxy technique is not new and has been used for several years to circumvent MFA. In fact, easy-to-use open-source attack frameworks have been created for this purpose.

Secondary authenticator app provides persistence

According to logs analyzed by Mitiga, the attackers used the active session to add a secondary authentication application to the compromised account, giving them persistence even if that session token later expired. Because they had already intercepted user credentials, they now had their own method of generating MFA codes.

“Adding an additional MFA device to an Azure AD user does not require any additional verification, such as MFA reapproval for the session,” the researchers said in their report. “This means the attacker can add an MFA device to the victim’s account even a full week after the session was stolen without invoking any further user interaction, such as a new MFA approval request.”

The researchers believe this to be a design weakness in Microsoft’s authentication system because, in their view, security-sensitive actions such as changing MFA options, including adding a new MFA device, should trigger a new MFA challenge. In fact, it’s not the only sensitive action where this doesn’t happen. According to the researchers, using Azure AD’s Privileged Identity Management (PIM) feature, which allows administrators to temporarily elevate their privileges, also does not require an MFA challenge.

“PIM is designed so that administrative users can work with non-administrative rights and only elevate their permissions to an administrator using this portal,” the researchers said. “Microsoft however does not allow the customer to require an MFA rechallenge for this activity despite its high risk. This means that even if you have PIM enabled, if the account is compromised, the attacker can become an administrator by going to PIM portal themselves (although, at least in this case, the user will receive a notification that someone has enabled this privilege).”

Another issue highlighted by Mitiga is that customers do not have the ability to configure when a new MFA challenge occurs if they consider the default behavior not strict enough. The best they can do is set the session token timeout to the lowest possible value to limit the window of time the attacker has, but that’s not practical because the attacker needs only a few seconds to perform such an action.

In this incident, the attackers used the session token from an IP address in Dubai, a location the victim had never been to or logged in from before. Such a change of location should also prompt a new MFA challenge.

“Microsoft Identity Protection identified some of these as risky logins,” the researchers said. “However, unless an organization can withstand some of the false positives generated by Identity Protection, the default behavior is to require an MFA rechallenge, which is not effective at this point because the attacker has already configured the ‘Authenticator’ app.”
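The sequence described in this section, a session token replayed from an unfamiliar location followed minutes to days later by the registration of a new authenticator with no fresh MFA prompt, is something a defender can hunt for in sign-in and audit logs even though the platform itself does not rechallenge. The script below is an added example, not code from the article or from Mitiga. The log records are constructed and use simplified field names that are assumptions, not Microsoft's export schema; the activity string "User registered security info" and the `"mfa"` field distinguishing a fresh prompt from an MFA claim carried by an existing token are likewise labelled assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on Azure AD sign-in and audit
# logs. Field names are simplified assumptions, not Microsoft's export schema.
# "mfa" records how the MFA requirement was met: "fresh" means the user
# answered a prompt during this sign-in, "token" means an existing session
# token carried the MFA claim (what a replayed, proxy-stolen token looks like).
SIGNIN_LOGS = [
    {"time": "2022-08-01T09:00:00", "user": "exec@victimco.example",
     "ip": "203.0.113.10", "country": "US", "mfa": "fresh"},
    {"time": "2022-08-08T09:05:00", "user": "exec@victimco.example",
     "ip": "203.0.113.10", "country": "US", "mfa": "token"},
    # The victim completes a real MFA prompt, but through the attacker's proxy.
    {"time": "2022-08-10T14:00:00", "user": "exec@victimco.example",
     "ip": "203.0.113.10", "country": "US", "mfa": "fresh"},
    # The stolen token is replayed from a country this user has never used.
    {"time": "2022-08-10T14:20:00", "user": "exec@victimco.example",
     "ip": "198.51.100.7", "country": "AE", "mfa": "token"},
]
AUDIT_LOGS = [
    # Security-info registration from the same unfamiliar IP, minutes later.
    {"time": "2022-08-10T14:25:00", "user": "exec@victimco.example",
     "activity": "User registered security info", "ip": "198.51.100.7"},
    # A benign registration by another user with no prior sign-ins on record.
    {"time": "2022-08-03T11:00:00", "user": "cfo@victimco.example",
     "activity": "User registered security info", "ip": "203.0.113.10"},
]

# Assumed activity name for "new authenticator added" audit events.
REGISTRATION_ACTIVITY = "User registered security info"


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_mfa_registrations(signins, audits, window=timedelta(days=7)):
    """Flag security-info registrations that follow, within `window`, a
    token-only sign-in (no fresh prompt) from a country the user had never
    signed in from before, where the registration comes from that sign-in's
    IP. The 7-day default mirrors the persistence window the researchers
    describe. Returns one alert dict per matching audit event."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: r["time"]):
        by_user.setdefault(rec["user"], []).append(rec)

    alerts = []
    for event in audits:
        if event["activity"] != REGISTRATION_ACTIVITY:
            continue
        reg_time = _ts(event["time"])
        seen_countries = set()
        # Walk the user's sign-ins in order so "novel country" is judged
        # against history up to that point, not against later sign-ins.
        for s in by_user.get(event["user"], []):
            sign_time = _ts(s["time"])
            if sign_time > reg_time:
                break
            novel = s["country"] not in seen_countries
            seen_countries.add(s["country"])
            if (novel and s["mfa"] == "token"
                    and reg_time - sign_time <= window
                    and s["ip"] == event["ip"]):
                alerts.append({
                    "user": event["user"],
                    "registered_at": event["time"],
                    "signin_at": s["time"],
                    "country": s["country"],
                    "ip": s["ip"],
                    "reason": "authenticator added after token-only sign-in "
                              "from a never-seen country",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGNIN_LOGS, AUDIT_LOGS):
        print(alert)
```

The rule deliberately requires three things to line up (token-based MFA satisfaction, a country the user has no history with, and the registration coming from that same address) so that a legitimate employee enrolling a new phone while travelling, who would normally answer a fresh prompt, does not trip it.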

Recognition and hacking of email threads

After gaining access to the executive’s Microsoft 365 account, the attackers began going through his Outlook correspondence and SharePoint files. This allowed them to identify a thread about an upcoming transaction between the victim’s company and another. Several people were copied on the discussion, including company executives and attorneys from the law firm representing the organization, as well as executives from the third-party firm believed to be sending the funds and its attorneys.

The attackers searched for files related to the transaction, including contracts and other financial documents. They then registered fake domain names for the victim’s company and its law firm and drafted an email in the name of one of the lawyers, informing the third-party company that the victim’s company had updated its transfer instructions and account because an ongoing audit had frozen its regular account.

The fake domains, which were similar to the real ones, were needed to give the impression that all previous parties were still on the thread while substituting fake email addresses for them, so that the real parties would not actually receive the new email. Only the representatives of the third-party company who were supposed to initiate the transaction saw the malicious email.
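The lookalike-domain trick above works because a recipient scanning a long CC list sees familiar names and does not compare domains character by character. A mail gateway or a thread-review script can do that comparison mechanically. The code below is an added example, not part of the article or Mitiga’s advisory: it flags recipients whose domain is close to, or embeds, one of the parties’ legitimate domains without being identical. All domains and addresses are constructed for the example, using the reserved `.example` TLD; the two-edit threshold and the embedded-label heuristic are design choices of this example, not the article’s.

```python
# Constructed example: the legitimate domains of the parties on the thread.
TRUSTED_DOMAINS = {"victimco.example", "lawfirm.example", "thirdparty.example"}

# Constructed recipient list: two addresses use registered lookalike domains.
THREAD_RECIPIENTS = [
    "exec@victimco.example",
    "counsel@lawfirm.example",
    "treasury@thirdparty.example",
    "exec@victirnco.example",        # "rn" in place of "m"
    "counsel@lawfirm-llp.example",   # trusted label with an extra suffix
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_domains(addresses, trusted, max_distance=2):
    """Return the addresses whose domain is not in `trusted` but either lies
    within `max_distance` edits of a trusted domain or embeds a trusted
    domain's first label (e.g. lawfirm-llp.example imitating lawfirm.example).
    Each hit records which legitimate domain it resembles and why."""
    flagged = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in trusted:
            continue
        for t in trusted:
            if levenshtein(domain, t) <= max_distance:
                flagged.append({"address": addr, "imitates": t,
                                "reason": "edit distance"})
                break
            if t.split(".")[0] in domain:
                flagged.append({"address": addr, "imitates": t,
                                "reason": "embedded label"})
                break
    return flagged


if __name__ == "__main__":
    for hit in lookalike_domains(THREAD_RECIPIENTS, TRUSTED_DOMAINS):
        print(f"{hit['address']} resembles {hit['imitates']} ({hit['reason']})")
```

Run against a real thread, the trusted set would come from the organisation's own domains plus the counterparties' domains recorded at the start of a transaction, so that any later drift in a CC list is caught before payment instructions are acted on.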

Fortunately, one of the recipients distrusted the email, so the transaction did not go through, but there are many cases where employees act on carefully crafted emails and transfer money to accounts controlled by attackers. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks resulted in more than $43 billion in losses between June 2016 and December 2021.

“Given the accelerated growth of AitM attacks (even without the persistence allowed by an attacker adding a new compromised authentication method), it is clear that we can no longer rely on multi-factor authentication as our primary line of defense against identity attacks,” the researchers said. “We strongly recommend implementing another layer of defense in the form of a third factor tied to a physical device or the employee’s authorized laptop and phone. Microsoft 365 offers this as part of conditional access by adding an authentication requirement via registered and compliant devices only, which would completely prevent AitM attacks.”

Mitiga has also released a security advisory on the BEC campaign.

Copyright © 2022 IDG Communications, Inc.