Microsoft 365 (M365) has quickly become one of the most utilized email platforms and, thanks to a variety of productivity and communication applications deeply embedded in enterprise processes, it is also a popular target for cyber criminals. Microsoft certainly understands that and has enabled extensive security mechanisms for M365, including multifactor authentication (MFA), which requires users to present more than one form of authentication before login.

MFA is a fundamental security control frequently recommended by experts for its efficacy in preventing less sophisticated attacks, but like all controls, it is not infallible. This article examines three tactics that Kroll has observed threat actors leveraging to bypass MFA controls in M365, with examples of how their attacks play out in real life: authentication via legacy protocols, wireless guest network abuse and third-party MFA application providers for Azure.

One tactic threat actors consistently use to bypass MFA is legacy authentication. Legacy authentication covers mail protocols where MFA was historically not supported, such as IMAP4, POP3 or SMTP, and older Outlook and mobile clients that do not support MFA. Because these protocols accept only a username and password, as long as legacy authentication is enabled a threat actor holding valid credentials can log into an M365 account without ever satisfying the MFA requirement, gaining full access to read, write and download a complete copy of the impacted user's mailbox to their own (threat actor controlled) system.

Once a threat actor obtains credentials through phishing campaigns, from the dark web or from other credential breaches and thefts, legacy authentication can be used to sign into the M365 email account even if the user has MFA enabled and enforced. Kroll has identified this tactic leveraged within client M365 tenants. The following Microsoft unified audit log excerpt correlates to a user who had MFA enabled and enforced (Figure 1). The highlighted data shows two logins in a short timespan, one geolocating to Indonesia and the other to the Netherlands. These unauthorized logins were not consistent with the historical logins on the user's account, as the user normally logged in from Pennsylvania-geolocated IP addresses.
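The audit-log review described above can be scripted. The following Python is an example added to this article, not Kroll's tooling: it flattens `UserLoggedIn` records in the shape `Search-UnifiedAuditLog` returns, flags legacy-authentication indicators (the `BAV2ROPC` user agent that Exchange Online presents to Azure AD for basic-auth IMAP/POP/SMTP sign-ins; treating the `OrgIdWsTrust2:process` request type as a legacy indicator is an assumption of this example), and reports logins from outside the user's baseline country or within a short window of a login from a different country. The three audit records, the `jdoe@example.com` account, the RFC 5737 addresses and the IP-to-country table are all constructed for illustration.

```python
"""Triage of Microsoft 365 unified audit log UserLoggedIn records for the
legacy-authentication MFA bypass described above.  Example code added to
this article, not Kroll's tooling.  Audit records and the IP-to-country
table are constructed (RFC 5737 documentation addresses)."""
import json
from datetime import datetime, timedelta


def _rec(time, ip, user_agent, request_type):
    """Build one constructed UserLoggedIn AuditData blob (real field names,
    invented values) as Search-UnifiedAuditLog would return it."""
    return json.dumps({
        "CreationTime": time, "Operation": "UserLoggedIn", "RecordType": 15,
        "ResultStatus": "Success", "Workload": "AzureActiveDirectory",
        "UserId": "jdoe@example.com", "ClientIP": ip,
        "ExtendedProperties": [{"Name": "UserAgent", "Value": user_agent},
                               {"Name": "RequestType", "Value": request_type}],
    })


# Constructed sample: the user's normal Pennsylvania login, then the
# Indonesia/Netherlands pair that mirrors Figure 1.
SAMPLE_UAL = [
    _rec("2023-03-01T09:00:00", "198.51.100.7",
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/110", "Login:login"),
    _rec("2023-03-01T13:02:11", "203.0.113.45", "BAV2ROPC", "OrgIdWsTrust2:process"),
    _rec("2023-03-01T13:20:47", "192.0.2.88", "BAV2ROPC", "OrgIdWsTrust2:process"),
]

# Constructed stand-in for a geolocation database.
GEO = {"198.51.100.7": "US", "203.0.113.45": "ID", "192.0.2.88": "NL"}

# BAV2ROPC is the user agent Exchange Online presents to Azure AD when it
# proxies a basic-auth IMAP/POP/SMTP login.  Treating the WS-Trust
# RequestType as a legacy indicator is an assumption of this example.
LEGACY_USER_AGENT_PREFIX = "BAV2ROPC"
LEGACY_REQUEST_TYPES = {"OrgIdWsTrust2:process"}


def parse_record(audit_data: str) -> dict:
    """Flatten one AuditData JSON blob into the fields triage needs."""
    rec = json.loads(audit_data)
    ext = {p["Name"]: p["Value"] for p in rec.get("ExtendedProperties", [])}
    return {
        "time": datetime.fromisoformat(rec["CreationTime"]),
        "user": rec["UserId"],
        "ip": rec["ClientIP"],
        "country": GEO.get(rec["ClientIP"], "??"),
        "success": rec.get("ResultStatus") == "Success",
        "user_agent": ext.get("UserAgent", ""),
        "request_type": ext.get("RequestType", ""),
    }


def is_legacy_auth(entry: dict) -> bool:
    """True if the sign-in carries a legacy (basic) authentication indicator."""
    return (entry["user_agent"].startswith(LEGACY_USER_AGENT_PREFIX)
            or entry["request_type"] in LEGACY_REQUEST_TYPES)


def triage(audit_lines, baseline_countries, window=timedelta(minutes=30)):
    """Return (time, user, ip, country, reasons) for each suspicious login.

    Reasons: legacy-auth; off-baseline (country outside the user's normal
    set); geo-velocity (an earlier successful login for the same user from
    a different country inside `window`).
    """
    entries = sorted((parse_record(line) for line in audit_lines),
                     key=lambda e: e["time"])
    entries = [e for e in entries if e["success"]]
    findings = []
    for i, e in enumerate(entries):
        reasons = []
        if is_legacy_auth(e):
            reasons.append("legacy-auth")
        if e["country"] not in baseline_countries:
            reasons.append("off-baseline")
        for prev in entries[:i]:
            if (prev["user"] == e["user"] and prev["country"] != e["country"]
                    and e["time"] - prev["time"] <= window):
                reasons.append(f"geo-velocity:{prev['country']}->{e['country']}")
                break
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], e["ip"],
                             e["country"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_UAL, baseline_countries={"US"}):
        print(*finding)
```

Run against the constructed records, the Pennsylvania login is silent while both foreign logins are reported as legacy-auth and off-baseline, and the Netherlands login additionally trips geo-velocity because it follows the Indonesia login by eighteen minutes. The baseline country set would normally be derived from the account's own login history rather than hard-coded. Note that Microsoft has since disabled basic authentication for most Exchange Online protocols, but SMTP AUTH basic authentication can still be enabled per tenant or mailbox, so the check remains worth running.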