
99% of compromised Microsoft enterprise accounts lack MFA
2020-03-09 11:15

Cybercriminals compromise 0.5% of all Microsoft enterprise accounts every month because too few customers are using multi-factor authentication, the company has revealed.

In a presentation uploaded to YouTube from the recent RSA Security Conference, director of Identity Security Alex Weinert said 1.2 million accounts were compromised in January 2020 alone.

Of those compromised accounts, 99.9% were not using MFA. Accounts lacking MFA had two characteristics: the use of legacy protocols and a tendency by users to reuse passwords.

During January, about 40% of the compromised accounts had fallen foul of some pretty simple password spraying, where attackers try to log in to large numbers of accounts using a small collection of statistically likely passwords.

Although only 0.5% of accounts were compromised each month overall, the probability rose to 7.2% for accounts using SMTP and 4.3% for those using IMAP. The second problem was password reuse, which allows attackers to try credentials stolen from one site against many other sites in the hope of finding a match, the so-called replay attack.
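The two patterns described above, a spray of a few passwords across many accounts and a successful sign-in over a legacy protocol that cannot enforce MFA, can be spotted in sign-in logs. The following detector is an added example, not code from the article or from Microsoft; the log format and the sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not real data): timestamp, user, source IP, protocol, result.
# A spray shows up as one source failing against many different accounts in a short window.
SAMPLE_LOG = """\
2020-01-14T08:00:01Z alice@example.com 203.0.113.7 IMAP failure
2020-01-14T08:00:03Z bob@example.com 203.0.113.7 IMAP failure
2020-01-14T08:00:05Z carol@example.com 203.0.113.7 IMAP failure
2020-01-14T08:00:07Z dave@example.com 203.0.113.7 IMAP failure
2020-01-14T08:00:09Z erin@example.com 203.0.113.7 IMAP success
2020-01-14T08:05:00Z alice@example.com 198.51.100.2 Browser success
2020-01-14T08:06:00Z alice@example.com 198.51.100.2 Browser failure
"""

# Legacy protocols authenticate with a bare password and cannot prompt for MFA.
LEGACY_PROTOCOLS = {"IMAP", "SMTP", "POP3"}


def parse(log_text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    records = []
    for line in log_text.splitlines():
        ts, user, ip, proto, result = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "ip": ip, "proto": proto, "result": result})
    return records


def detect_spray(records, window=timedelta(minutes=10), min_users=4):
    """Return {ip: sorted users} for sources that failed against at least
    min_users distinct accounts inside any `window`-long sliding interval."""
    failures = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures[r["ip"]].append(r)
    hits = {}
    for ip, rs in failures.items():
        rs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rs):  # slide the window start over each failure
            users = {r["user"] for r in rs[i:] if r["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def legacy_successes(records, sprayers):
    """Successful legacy-protocol sign-ins from a spraying source: the MFA-less
    foothold the article describes, and the events to investigate first."""
    return [(r["user"], r["ip"], r["proto"]) for r in records
            if r["result"] == "success" and r["proto"] in LEGACY_PROTOCOLS and r["ip"] in sprayers]
```

Blocking legacy authentication for the tenant removes the second pattern entirely, which is why the article ties the elevated SMTP and IMAP compromise rates to MFA coverage.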


News URL

https://nakedsecurity.sophos.com/2020/03/09/99-of-compromised-microsoft-enterprise-accounts-lack-mfa/
