Attackers Horn in on MFA Bypass Options for Account Takeovers

Attackers Horn in on MFA Bypass Options for Account Takeovers

Legacy applications don't support modern authentication — and cybercriminals know this.

An uptick in business email compromise attacks is being attributed to successful compromises of multi-factor authentication (MFA) and conditional access controls, according to researchers. While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place.

According to Abnormal Security, cybercriminals are zeroing in on email clients that don’t support modern authentication, such as mobile email clients (for example, iOS Mail for iOS 10 and older); and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won’t be subject to that protection.

“While MFA and modern authentication protocols are an important advancement in account security and should be used whenever possible…this means that it is not possible to enforce MFA when a user signs into their account using one of these applications,” said Erin Ludert, writing in a blog post on Friday.

Click to register!

Thus, she noted that a common pattern in account-takeover attacks is that after being blocked by MFA, an adversary will immediately switch to using a legacy application.

“In fact, most credential stuffing campaigns utilize legacy applications such as IMAP4 to ensure they do not encounter difficulties from MFA at any point,” Ludert said, adding, “Many enterprises are under the mistaken impression that they are fully protected by MFA and do not need to worry about account takeovers. This is a dangerous assumption.”

Meanwhile, many Office 365 licenses provide the ability to configure conditional-access policies, which block access by users to certain applications. This can be used to block legacy applications that may be targeted for password-spraying campaigns, for instance. However, according to Abnormal Security, attackers are also focused on ferreting out targets that don’t have this implemented, or, bypassing it.

“First and foremost, conditional access is not included with all licenses, meaning that many enterprises simply have no way to protect themselves from this type of attack,” Ludert said. “Additionally, legacy applications are still in widespread use in most enterprises. Completely blocking all users from legitimate access using these applications will be quite disruptive to the workforce. Also, legacy access is enabled by default on Office 365. In order to effectively block legacy access, it must be disabled on a per-tenant basis – for all users and platforms.”

Additionally, attempting to apply legacy blocking based on the platform (Windows, mobile, etc.) relies on the user agent to do so. The user agent is basically the software agent that is acting on behalf of a user, such as a web browser or email reader – and as such, it’s very easy to falsify, the researcher noted. Thus, even with conditional access in place, cybercriminals are mounting attacks by obscuring the app that they are using.

“In one case, the attacker initially attempted to sign in using a legacy application but was blocked by conditional access,” Ludert said. “The attacker then waited several days before trying again, this time with the app information obscured, and successfully gained access to the account.”

As MFA becomes more widespread, cybercrooks are looking to stay a step ahead. In May, researchers observed a phishing campaign that bypassed MFA on Office 365 to access victims’ data stored on the cloud and use it to extort a Bitcoin ransom; attackers used a malicious SharePoint link to trick users into granting permissions to a rogue application..

The tactic leveraged the OAuth2 framework and OpenID Connect (OIDC) protocol, which are the technical bits behind functions like “Log in with Faceboook” – being signed into a trusted application is used to verify a user on a second application, essentially. When OIDC and OAuth are used to authenticate a user, no credentials are exposed to the application, so MFA isn’t triggered.

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how _**_Confidential Computing_ is a game changer for securing dynamic cloud data and preventing IP exposure. Join us _[Wednesday Aug. 12 at 2pm ET](https://attendee.gotowebinar.com/register/3844090971254297614?source=art)_for this__ FREE _live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. _[_Register Now**](https://attendee.gotowebinar.com/register/3844090971254297614?source=art).

breach cloud security hacks mobile security privacy vulnerabilities web security abnormal security account takeover business email compromise conditional access legacy applications mfa bypass multifactor authentication office 365

What is Geek Coin

What is GeekCash, Geek Token

Best Visual Studio Code Themes of 2021

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

How To Set Up Two-Factor Authentication in cPanel

What is 2FA Two-Factor Authentication (or 2FA as it often referred to) is an extra layer of security that is used to provide users an additional level of protection when securing access to an account.

MFA Bypass Bugs Opened Microsoft 365 to Attack

Vulnerabilities ‘that have existed for years’ in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.

Wormable Apple iCloud Bug Allows Automatic Photo Theft

Ethical hackers so far have earned nearly $300K in payouts from the Apple bug-bounty program for discovering 55 bugs, 11 of them critical, during a three-month hack. The wormable iCloud bug is a cross-site scripting (XSS) issue, according to the writeup.

Activision Refutes Claims of 500K-Account Hack

The Call of Duty behemoth said that the reports of widespread hacks are false. After reports surfaced that 500,000 Activision accounts may have been hacked, impacting online Call of Duty (CoD) players, the gaming giant is disputing the claim.

Microsoft Office 365 Phishing Attack Uses Multiple CAPTCHAs

Researchers are warning of an ongoing Office 365 credential-phishing attack that's targeting the hospitality industry – and using visual CAPTCHAs to avoid detection and appear legitimate. ... The multiple CAPTCHAs serve as backups, in case the first one gets defeated by automated systems, said researchers.