Fresh Takes

Microsoft’s Warning About How Hackers Are Bypassing MFA – What You Need to Know

December 6, 2022

Bypassing MFA

With many companies shifting to multi-factor authentication (MFA) for verifying users, hackers have had to change their approach. Microsoft recently issued a warning that threat actors are gaining ground by adapting their techniques to bypass MFA protections. Luckily, the company has advice on how businesses can mitigate these attacks making things more difficult for remote workers.

The Rise of MFA

Five years ago, most companies still relied on password access to resources. That became a problem as hackers used various ways to access those credentials. Social engineering was particularly effective, especially if a bad actor managed to imitate a higher-up in the company to manipulate an unsuspecting employee into giving up valuable information.

Today, many users access work resources from a personal device like a cell phone or home PC. These unmanaged devices are a prime target for token theft, a method increasingly used by hackers. Because they typically have weaker security protections, cyber thieves can get what they need from untracked personal devices without being detected by corporate IT security.

Microsoft raised the alarm about token theft being used to bypass MFA because of how relatively easy it can be to do. You don’t need to be a master coder or purchase expensive hacking tools to initiate a bypass MFA attack. The methods are difficult to detect because most businesses aren’t actively looking out for the threat.

Top Bypass MFA Attack Methods

Adversary-in-the-middle (AiTM) frameworks and pass-the-cookie attacks are the leading methods employed by threat actors to get past MFA protections.

AiTM Frameworks

Similar to tools used to steal passwords in the past, hackers use AiTM frameworks to intercept tokens. A top example is Evilginx2, which inserts a false framework between an employee and a work application they’re trying to access. If successful, the bad actor can seize both a user’s credentials and the generated MFA token.

It’s bad enough if a hacker phishes a regular user. They can wreak a lot more havoc if they get hold of a token with Global Administration privilege. They can try and completely hijack an Azure AD tenant, resulting in loss of control and a compromised tenant.

Pass-the-Cookie Attacks

A pass-the-cookie attack compromises browser cookies to gain access to corporate resources. Cookies get created and stored for a session after getting authenticated by Azure AD in a browser. If a hacker can break into a personal device, they can steal that cookie and pass it to a different browser or system, easily bypassing company security checks.

More employees are working from home than ever, connected to company workspaces by a personal device. The lack of security protections on those devices makes them an ever-growing threat to an organization’s security posture. Many people use the same device to log in for work and to browse their social media profiles. If they’re signed into both at the same time, a cyber attacker could easily compromise tokens generated for both.

There’s a lot of malware available that malicious actors can use to hack browser cookies. A bad actor doesn’t need to know anything about a user’s email address or password. They only need the information held within the cookie.

Dealing With MFA Bypass Attacks

Below is an overview of what Microsoft believes organizations should do to protect themselves against the rise in MFA bypass attacks.

Increased Visibility

Microsoft recommends that organizations make inroads into gaining more visibility into how users authenticate themselves. Companies should know which devices are being used by employees to log into various resources. Incorporating compliance tools along with other device-based conditional policies makes it easier to track and update them through security patches, antivirus software, and endpoint detection and response (EDR) solutions.

Adherence to Security Baselines

Microsoft also recommends following its security baselines to lower the risk of an end-user’s device being compromised by an MFA bypass attack. Using conditional access policies and other controls can also lower instances of token theft.

  • Making session lifetime shorter forces users to authenticate themselves more frequently
  • Cutting down on how long a token remains viable forces hackers to make more token theft attempts, increasing their chance of getting caught
  • Using Microsoft Defender for Cloud apps to implement Conditional Access App Control offers protection against workers using unmanaged devices

Blocking of Initial Access

Companies should use phishing-resistant MFA solutions for added protection. The loss of convenience for users is worth boosting the security around Global Admin privileges and high-risk business applications.

Segregation of Privileged Users

It’s also a good idea to move users with advanced tenant privileges into a separate cloud-only identity. That’s the only space where they should be free to perform any administrative activities. Doing so reduces the attack services in case any on-premises services get compromised.

Because it may not be practical for organizational decision-makers to enforce strict controls over all devices and applications, the focus should be placed on protecting:

  • Users like Global Admins, Billing Admins, and Authentication Admins
  • Finance applications a hacker could use for financial gain
  • Applications containing a lot of personally identifiable information (PII)
  • Access to productivity cloud apps and Office 365 services like Teams and SharePoint

Detecting and Responding to Bypass MFA Attacks

Companies can flag suspicious token events using protections like Microsoft Defender for Cloud Apps and Azure Active Directory Identity Protection. Organizations should focus on tracking high-severity alerts and users who constantly trigger warnings.

After a token gets stolen, businesses can revoke refresh tokens and force users to reauthenticate themselves. Resetting user passwords is a critical part of the revocation process. Keep in mind that the compromised token doesn’t get invalidated immediately. They can remain functional for up to an hour, giving hackers enough time to do what they want with a user’s account.

Organizations should reinforce their security protections by setting alerts to review high-risk tenant modifications, including the creation of or changes to:

  • Security configurations
  • Exchange transport rules
  • Privileged users or roles

Protect Your Company Against Advanced Security Threats

Axiad Cloud portfolio helps organizations protect their users, machines, and interactions with a set of powerful products driven from a SaaS platform. Learn more about how we can help by scheduling a demo of our solution.

About the author
Axiad Team
Axiad Demo

See How Axiad Works

See a comprehensive demo of Axiad Cloud and envision how it will revolutionize authentication for you!