Researchers from Proofpoint has detected that the MFA bypass bugs that allows the hackers to access office 365 accounts. These are the vulnerabilities that could enable the threat actors to bypass the MFA and access cloud applications that use the protocol, particularly the Microsoft 365.
The experts asserted that the way Microsoft 365 login is designed, any threat actor can totally get access to the targeted person’s account.
Moreover, these vulnerabilities can also be utilized to access other cloud services that are generally implemented by Microsoft, and it includes production and development environments like Azure and Visual Studio.
MFA – A Growing Target
Nowadays, MFA(Multi-factor Authentication) is becoming a great target for the threat actors, as the Multi-factor authentication (MFA) is speedily converting into a must-have security layer for cloud applications.
And we all know that the whole world is dealing with the crisis due to the pandemic, and in this period, the demand for cloud-based applications such as messaging and collaboration programs swelled as companies that are split-shift to work from home.
So, relying more and more on MFA is generating a chance for all the threat actors to get a target. And increased reliance on MFA also indicates that the feature is more attractive for all the hackers to exploit as a way into corporate systems, creating mitigation of vulnerabilities that influence the MFA critical to the security.
How Attackers Bypass MFA
The attackers are bypassing the MFA by utilizing some common methods, as they are very easy to apply. That’s why here we have mentioned the methods that are used by the threat actors:-
Real-time phishing: The threat actors are using real-time phishing as it involves stealing the user’s extra factor. There are some cases in which the threat actors may generate a “proxy” among the target website and the victim. As it becomes quite easy for the threat actors to bypass the MFA as the proxy looks similar to the original website.
Channel hijacking: Channel hijacking strikes the victim’s phone or computer, regularly with malware. That’s why the PC malware can use man-in-the-browser or web injects to get knowledge, and some malware hijacks the MFA from the phone.
Legacy protocols: The hacker uses the legacy protocol because it is a relatively cheaper and more scalable process for bypassing MFA leverages legacy protocols for attacks on cloud accounts. Many companies continue to enable legacy protocols to be capable of supporting legacy devices or applications like copy machines or shared accounts such as conference rooms.
The Proofpoint has suggested some mitigations that are to be followed by the organizations so that they can keep themselves safe from this kind of attacks, and here they are mentioned below:-
- At first, automatically block access from dangerous locations and networks and by well-known threat actors.
- Employ people-centric strategies to high-risk and high-privilege users.
- Strengthen more granular controls such as MFA, access via browser isolation, log in via VPN, etc.
Apart from this, the security researchers at Proofpoint are still investigating the whole matter; till then, they have strongly recommended all the users to follow every guideline properly they have endorsed.