Security researchers have discovered critical vulnerabilities that allow attackers to bypass multi-factor authentication (MFA) for Microsoft 365. According to security researchers at Proofpoint, vulnerabilities in MFA deployment compromise users’ security and privacy while interacting with cloud-based services. Attackers may be able to gain full access to their victim’s account information, including emails, files, and contacts.
“Most likely, these vulnerabilities have been around for years. We tested several Identity Provider (IDP) solutions, identified the solutions that were susceptible and resolved the security issues,” Proofpoint said in its blog post.
What caused this security issue?
Researchers believe that the way Microsoft 365 sessions were designed was responsible for this major security crisis. Bugs in the implementation of existing security mechanisms allowed attackers to exploit an “inherently unsafe protocol”, WS-Trust. For example, attackers were able to spoof their target’s IP address and bypass MFA through a simple manipulation of a request header.
Changing the user-agent header caused the IDP to identify the wrong protocol, treating the request as if it used modern authentication. Attackers can exploit the vulnerabilities to pivot from the legacy protocol to the modern one. As a result, Microsoft logs the connection as “Modern Authentication”, further misleading administrators and security engineers.
Because attackers can bypass MFA, Microsoft 365 security staff must devise an additional layer of security in the form of account compromise detection and recovery. Once vulnerabilities are discovered, attackers can exploit them automatically. What makes these vulnerabilities extremely difficult to detect is that they don’t appear in event logs.
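The header-trust problem described above, as an added illustration that is not Proofpoint’s research code or Microsoft’s implementation: a trusted-network MFA check that believes a client-supplied X-Forwarded-For header, beside a hardened version that only honours the header when the connection comes from a known proxy and records ignored headers for detection. The header name, IP ranges and proxy list are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample policy (assumptions, not a real tenant): sign-ins from the
# "trusted network" skip the MFA prompt, which is exactly what an IP spoof abuses.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Reverse proxies in front of the IdP that legitimately append X-Forwarded-For.
KNOWN_PROXIES = {ipaddress.ip_address("198.51.100.10")}


def client_ip_unsafe(peer_ip, headers):
    """Weak pattern: trust whatever the client wrote into X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        # First entry is the one the client itself can write, so it is attacker-controlled.
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def client_ip_hardened(peer_ip, headers):
    """Only honour X-Forwarded-For from our own proxy; otherwise treat it as untrusted input.

    Returns (resolved_ip, header_ignored) so the caller can log ignored headers
    as a spoofing signal for the detection layer the text calls for.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer, False
    if peer not in KNOWN_PROXIES:
        # Header present but the TCP peer is not our proxy: ignore it and flag it.
        return peer, True
    # With one proxy layer, the rightmost entry is the address the proxy itself
    # appended, i.e. the real client; anything to its left was client-supplied.
    return ipaddress.ip_address(xff.split(",")[-1].strip()), False


def mfa_required(client_ip):
    """MFA is skipped only for addresses inside a trusted network."""
    return not any(client_ip in net for net in TRUSTED_NETWORKS)


def decide(peer_ip, headers):
    """Return (unsafe_requires_mfa, hardened_requires_mfa, header_ignored)."""
    unsafe_ip = client_ip_unsafe(peer_ip, headers)
    hardened_ip, ignored = client_ip_hardened(peer_ip, headers)
    return mfa_required(unsafe_ip), mfa_required(hardened_ip), ignored
```

The weak variant lets a direct client skip MFA by claiming a trusted address; the hardened variant prompts for MFA and surfaces the ignored header to the SOC.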
As security risks and threats continue to cause problems, the adoption of multi-factor authentication has increased significantly since the pandemic.
Multi-factor authentication applications
MFA can protect Microsoft 365 users from a number of threats, including:
- Real-time phishing
- Channel hijacking
- Legacy protocols
According to researchers, 97 percent of organizations were hit by brute force attacks in the first half of 2020, and 30 percent of those organizations had at least one compromised cloud account. Researchers found that 73 percent of all monitored tenants were targeted and 57 were compromised.