Security researchers have discovered critical vulnerabilities allowing attackers to bypass multi-factor authentication (MFA) for Microsoft 365. According to security researchers at Proofpoint, vulnerabilities in MFA implementation compromise user safety and privacy while interacting with cloud-based services. Attackers can potentially gain complete access to their victim’s account data including emails, files, and contacts.
“Most likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,” Proofpoint said in its blog post.
What caused this security trouble?
Researchers believe the way Microsoft 365 session login is designed was responsible for this major security crisis. Bugs in the implementation of the existing security mechanisms allowed attackers to exploit the “inherently insecure protocol” WS-Trust. For instance, attackers were able to spoof their target’s IP address to bypass MFA, courtesy of a simple request header manipulation.
Alterations to the user-agent header caused the IDP to misidentify the protocol and treat the request as if it used Modern Authentication. Attackers can exploit the vulnerabilities to pivot from the legacy protocol to the modern one. As a result, Microsoft logs the connection as “Modern Authentication”, which further misleads administrators and security engineers.
With attackers able to bypass MFA, Microsoft 365 security teams need an extra layer of defence in the form of account compromise detection and remediation. Once vulnerabilities are discovered, attackers can exploit them in an automated fashion. What makes these vulnerabilities extremely difficult to detect is that they don’t appear in event logs.
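The core defensive lesson of the finding above is that the protocol label must come from the endpoint that actually served the request, never from the client-supplied User-Agent. The following sign-in review helper is an added example, not Proofpoint's or Microsoft's code; the record format, the endpoint prefixes and all sample records are this example's own constructed assumptions.

```python
"""Review sign-in records without trusting the User-Agent for the protocol.

Added example, not Proofpoint's or Microsoft's code. Record fields, the
endpoint prefix list and the sample records are constructed assumptions
loosely modelled on AD FS / Microsoft 365 sign-in data."""

# Assumed endpoint prefix under which the legacy WS-Trust protocol is served.
LEGACY_ENDPOINT_PREFIXES = ("/adfs/services/trust/",)


def protocol_from_user_agent(user_agent):
    """Weak approach: label the protocol by a header the client controls."""
    return "modern" if "Mozilla/" in user_agent else "legacy"


def protocol_from_endpoint(path):
    """Robust approach: label the protocol by the endpoint that served it."""
    return "legacy" if path.startswith(LEGACY_ENDPOINT_PREFIXES) else "modern"


def review_sign_in(rec):
    """Return a list of findings for one record; an empty list means nothing odd."""
    findings = []
    by_ua = protocol_from_user_agent(rec["user_agent"])
    by_endpoint = protocol_from_endpoint(rec["path"])
    if by_endpoint == "legacy":
        findings.append("legacy WS-Trust endpoint used; MFA cannot be enforced here")
    if by_ua != by_endpoint:
        findings.append("user-agent claims %s but endpoint is %s" % (by_ua, by_endpoint))
    if by_endpoint == "modern" and not rec["mfa_satisfied"]:
        findings.append("modern-auth sign-in completed without MFA")
    return findings


def review_all(records):
    """Map each user with at least one finding to that user's findings."""
    return {r["user"]: review_sign_in(r) for r in records if review_sign_in(r)}


# Constructed sample records (not real sign-in data).
SAMPLE_SIGN_INS = [
    {"user": "alice@example.com", "path": "/oauth2/token",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0", "mfa_satisfied": True},
    {"user": "bob@example.com", "path": "/adfs/services/trust/2005/usernamemixed",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/85.0", "mfa_satisfied": False},
    {"user": "carol@example.com", "path": "/adfs/services/trust/13/usernamemixed",
     "user_agent": "Microsoft Office/16.0", "mfa_satisfied": False},
    {"user": "dave@example.com", "path": "/oauth2/token",
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1", "mfa_satisfied": False},
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_SIGN_INS).items():
        print(user, "->", "; ".join(findings))
```

Bob's record is the pattern described in the article: a browser-looking User-Agent on a WS-Trust endpoint, which the weak classifier would happily label as Modern Authentication.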
As security risks and threats continue to cause trouble, the adoption of multi-factor authentication has significantly increased in the wake of the pandemic.
Applications of multi-factor authentication
The MFA can safeguard Microsoft 365 users against a number of security issues, as follows:
- Real-time phishing
- Channel hijacking
- Legacy protocols
According to researchers, 97 percent of organizations were impacted by brute force attacks in the first half of 2020. 30 percent of those organizations had at least one compromised cloud account. Researchers discovered that 73 percent of all monitored tenants were targeted and 57 were compromised.