A Threat Analysis from Microsoft

September 25, 2023

Evolving technology has helped many businesses reach new milestones. However, it is also responsible for the rising cyber threats and vulnerabilities in digital firms. To counter this, organizations started implementing cybersecurity measures such as multi-factor authentication (MFA), network security solutions, etc. But will that stop cyber criminals from breaching our data and systems? Recently, Microsoft released a threat alert on MFA bypass, which can result in various forms of vulnerabilities and attacks.

This blog will give you valuable insights into the types of techniques that attackers use during MFA bypass.

MFA Bypass: A Threat Alert by Microsoft 365 Defender

Deploying multi-factor authentication has become a necessity for safeguarding identities. To find loopholes and bypass these security measures, cyber attackers have developed new methods. These techniques involve password spray attacks, identity compromise attacks, etc., which are considered the initial step in breaching networks and systems.

Through analysis, Microsoft 365 Defender detected suspicious logins that used legacy protocols to bypass MFA. Because of these emerging threats, many organizations extended their protection by implementing conditional access policies that require MFA. These policies evaluate sign-in requests more strongly with the aid of additional identity-driven signals such as IP address location information, user or group membership, device status, etc.

According to Microsoft's reports, attackers focus on targeting administrative accounts, service accounts, and other highly privileged accounts. In addition, attackers also target end users, which enables them to deceive and phish an entire company. Here are some valuable insights into the common MFA bypass attacks that were detected by Microsoft 365.

MFA Bypass Techniques Observed by Microsoft 365

MFA Fatigue Attack

Also termed MFA bombing, the MFA fatigue attack is one in which attackers manipulate users into disclosing their MFA credentials. Using various psychological techniques, the attackers exploit the user's emotions and thoughts to draw them into the MFA process. Microsoft examined these techniques after the attackers had succeeded with password spray attacks.

Attackers carry out these tactics by flooding users with continuous MFA requests through phones, emails, and authentication apps. According to the observations, attackers often leave a time gap between the initial attack and the subsequent MFA fatigue attack. This gap reduces suspicion and makes the attack difficult to detect. The notifications eventually pressure users into approving the attacker's requests and cooperating with them.

To guard against MFA fatigue attacks, users should be made aware of and trained on the various cyber attack approaches. To protect your systems and data from phishing attacks, Microsoft suggests retiring weak MFA methods and using anti-phishing settings such as number matching.
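The prompt-flooding pattern described above can be surfaced from MFA prompt logs by looking for an approval that follows a burst of rejected prompts. The following is an added example, not Microsoft's detection logic or code from the original post; the event tuples, the `find_mfa_fatigue` name, the 10-minute window and the threshold of 5 are assumptions. Because it keys on the burst itself, it still fires when the attacker waits between the password spray and the prompt flood.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push outcomes (not real telemetry):
# (ISO timestamp, user, result of one prompt).
EVENTS = [
    ("2023-09-01T02:10:00", "alice", "denied"),
    ("2023-09-01T02:10:40", "alice", "timeout"),
    ("2023-09-01T02:11:15", "alice", "denied"),
    ("2023-09-01T02:12:05", "alice", "timeout"),
    ("2023-09-01T02:13:30", "alice", "denied"),
    ("2023-09-01T02:14:10", "alice", "approved"),   # gives in after 5 prompts
    ("2023-09-01T09:00:00", "bob", "denied"),       # one mistaken rejection
    ("2023-09-01T09:00:30", "bob", "approved"),
    ("2023-09-01T08:00:00", "carol", "denied"),     # rejections spread over hours
    ("2023-09-01T08:30:00", "carol", "denied"),
    ("2023-09-01T09:00:00", "carol", "denied"),
    ("2023-09-01T09:30:00", "carol", "denied"),
    ("2023-09-01T10:00:00", "carol", "denied"),
    ("2023-09-01T10:01:00", "carol", "approved"),
]

def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return (user, approval_time, rejected_count) for every approved prompt
    preceded by at least `threshold` denied/timed-out prompts inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps of recent rejected prompts
    hits = []
    for ts, user, result in sorted(events):   # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:        # drop rejections outside the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(t)
        elif result == "approved":
            if len(q) >= threshold:
                hits.append((user, ts, len(q)))
            q.clear()                         # a new burst starts from zero
    return hits

if __name__ == "__main__":
    for user, when, n in find_mfa_fatigue(EVENTS):
        print(f"possible MFA fatigue: {user} approved at {when} after {n} rejected prompts")
```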

MFA Tampering with Privileged Accounts

To gain long-term control over IT firms, attackers obtain high-level access, such as global administrator, which lets them turn off multi-factor authentication. Using the compromised accounts, the attackers disable MFA for the other users of the system.

After disabling MFA for the other users, the attackers breach those accounts through password-spraying tactics. During their research, Microsoft researchers noticed this pattern of phishing attacks and stated that suspicious MFA modifications following an unusual sign-in are to be classified as MFA tampering.

Enforcing conditional access for administrator accounts is an effective practice for preventing these tampering attacks. It is suggested that MFA alerts in Microsoft 365 Defender be set up so that users are notified about a risky sign-in. The organization should give users appropriate training on how to handle these attacks.
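The tampering pattern described above, an unusual sign-in followed by MFA changes on other accounts, amounts to a correlation between sign-in records and directory audit records. This is an added example, not Microsoft's detection logic or code from the original post; the record fields, the `disable_mfa` action name, the `find_mfa_tampering` function and the one-hour lookback are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry); field names are hypothetical.
SIGNINS = [
    {"time": "2023-09-02T03:05:00", "user": "admin1", "risky": True},
    {"time": "2023-09-02T08:00:00", "user": "admin2", "risky": False},
]
AUDIT = [
    {"time": "2023-09-02T03:20:00", "actor": "admin1", "action": "disable_mfa", "target": "dave"},
    {"time": "2023-09-02T03:21:00", "actor": "admin1", "action": "disable_mfa", "target": "erin"},
    {"time": "2023-09-02T03:25:00", "actor": "admin1", "action": "reset_password", "target": "dave"},
    {"time": "2023-09-02T08:30:00", "actor": "admin2", "action": "disable_mfa", "target": "frank"},
    {"time": "2023-09-03T12:00:00", "actor": "admin1", "action": "disable_mfa", "target": "gina"},
]

def find_mfa_tampering(signins, audit, lookback=timedelta(hours=1)):
    """Map (actor, risky_signin_time) -> accounts whose MFA that actor disabled
    within `lookback` after the risky sign-in."""
    risky = [(datetime.fromisoformat(s["time"]), s["user"])
             for s in signins if s["risky"]]
    alerts = {}
    for ev in audit:
        # Only MFA changes made to *other* users' accounts are of interest here.
        if ev["action"] != "disable_mfa" or ev["actor"] == ev["target"]:
            continue
        t = datetime.fromisoformat(ev["time"])
        for st, user in risky:
            if user == ev["actor"] and timedelta(0) <= t - st <= lookback:
                alerts.setdefault((user, st.isoformat()), []).append(ev["target"])
                break
    return alerts

if __name__ == "__main__":
    for (actor, when), targets in find_mfa_tampering(SIGNINS, AUDIT).items():
        print(f"possible MFA tampering: {actor} (risky sign-in {when}) disabled MFA for {targets}")
```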

Abuse of Legacy Protocols

In addition, exploiting legacy authentication protocols such as POP3, IMAP, or SMTP is an effective method for attackers to bypass multi-factor authentication. Legacy authentication without MFA gives attackers an open path to use compromised credentials. However, Microsoft 365 Defender can easily detect these unauthorized sign-ins by searching for ‘unknown’ in legacy protocol usage in agent logs.

In certain cases, the attackers focus only on single-factor authentication apps such as Azure CLI or Azure PowerShell. Even though MFA could shield some resources, it could still be a warning and grant access to specific resources. To prevent these tactics, you can block legacy authentication through a conditional access policy.

Modification of Secondary Authentication Methods

Various studies have shown that attackers take advantage of the loophole in MFA via voice communication and SMS. It has also been observed that attackers use social engineering to manipulate telephone networks and help desks in order to exploit and control secondary authentication devices that are connected to other privileged accounts.

After infiltrating a network, the criminals focus on highly privileged accounts with the help of identified phone numbers. This leads to authentication methods being changed through SIM swapping and by contacting help desks. It can be prevented by strengthening MFA with other security alternatives and disabling SMS and voice authentication, because SMS and voice authentication are considered weak methods that invite social engineering attacks.

Organizations can prevent these phishing attacks by giving end users effective security training. Users should be aware of emerging cyber attacks and the security measures to avoid them.

Wrapping Up (Secure your Services From MFA Bypass Threats)

Even though it might be a bit challenging, every IT organization must secure its systems and data from MFA bypass. As technology advances, it also becomes a bridge for attackers to evolve and discover new strategies and vulnerabilities to exploit systems. So, to reduce the risk of becoming a victim, it is necessary to bolster multi-factor authentication measures.

As mentioned above, it can be difficult for organizations to find the best measures for monitoring and detecting high-risk areas. If you are one of them, Azure Advisor and M365 Advisor services could be a solution for strengthening the protection of your business. So, let’s join hands to stay away from cybersecurity attacks and reach new heights with secured boundaries.
