Attackers Horn in on MFA Bypass Options for Account Takeovers
2020-08-07 20:24

While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place.

According to Abnormal Security, cybercriminals are zeroing in on email clients that don't support modern authentication, such as mobile email clients; and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won't be subject to that protection.

"While MFA and modern authentication protocols are an important advancement in account security and should be used whenever possible ... this means that it is not possible to enforce MFA when a user signs into their account using one of these applications," said Erin Ludert, writing in a blog post on Friday.

"In fact, most credential stuffing campaigns utilize legacy applications such as IMAP4 to ensure they do not encounter difficulties from MFA at any point," Ludert said, adding, "Many enterprises are under the mistaken impression that they are fully protected by MFA and do not need to worry about account takeovers. This is a dangerous assumption."
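As an added example (not code from the article or from Abnormal Security), the Python below triages sign-in records the way a defender would check for the gap described above: it picks out sign-ins over the legacy protocols the article names, counts password-only successes where no MFA was satisfied, and rates a user higher when those successes were preceded by failures from several source addresses, the pattern the credential-stuffing remark describes. The record field names and the sample records are constructed assumptions.

```python
"""Triage sign-in records for logins that sidestep MFA via legacy protocols.

Added illustration, not part of the original article. The record layout
(user, protocol, mfa_satisfied, result, src_ip) and the sample rows are
constructed; map them to your own sign-in log fields.
"""
from collections import defaultdict

# Protocols named in the article as unable to carry an MFA challenge.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP", "MAPI"}

SAMPLE_SIGNINS = [  # constructed sample records, RFC 5737 test addresses
    {"user": "alice", "protocol": "Browser", "mfa_satisfied": True, "result": "success", "src_ip": "203.0.113.5"},
    {"user": "alice", "protocol": "IMAP4", "mfa_satisfied": False, "result": "success", "src_ip": "198.51.100.7"},
    {"user": "bob", "protocol": "IMAP4", "mfa_satisfied": False, "result": "failure", "src_ip": "198.51.100.8"},
    {"user": "bob", "protocol": "IMAP4", "mfa_satisfied": False, "result": "failure", "src_ip": "198.51.100.9"},
    {"user": "bob", "protocol": "IMAP4", "mfa_satisfied": False, "result": "success", "src_ip": "198.51.100.10"},
    {"user": "carol", "protocol": "Browser", "mfa_satisfied": True, "result": "success", "src_ip": "203.0.113.9"},
]


def is_legacy(record):
    """True when the sign-in used a protocol that cannot enforce MFA."""
    return record["protocol"].upper() in LEGACY_PROTOCOLS


def triage(records):
    """Summarise legacy-protocol sign-ins per user and rate the exposure.

    mfa_not_enforceable: a password-only legacy login succeeded.
    suspected_stuffing: that success followed >= 2 failures spread over
    >= 3 source addresses, the shape of a credential-stuffing run.
    failed_attempts_only: legacy attempts seen, none succeeded.
    """
    per_user = defaultdict(lambda: {"failures": 0, "successes": 0, "src_ips": set()})
    for r in filter(is_legacy, records):
        stats = per_user[r["user"]]
        stats["src_ips"].add(r["src_ip"])
        if r["result"] == "success" and not r["mfa_satisfied"]:
            stats["successes"] += 1
        elif r["result"] != "success":
            stats["failures"] += 1
    findings = {}
    for user, stats in per_user.items():
        if stats["successes"] == 0:
            rating = "failed_attempts_only"
        elif stats["failures"] >= 2 and len(stats["src_ips"]) >= 3:
            rating = "suspected_stuffing"
        else:
            rating = "mfa_not_enforceable"
        findings[user] = {"rating": rating, "successes": stats["successes"],
                          "failures": stats["failures"], "src_ips": sorted(stats["src_ips"])}
    return findings


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_SIGNINS).items():
        print(user, finding)
```

Users who only ever sign in through modern-auth clients (carol above) produce no finding, so the output is the list of accounts where an MFA policy is not actually protecting the mailbox.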

As MFA becomes more widespread, cybercrooks are looking to stay a step ahead. In May, researchers observed a phishing campaign that bypassed MFA on Office 365 to access victims' data stored in the cloud and use it to extort a Bitcoin ransom; attackers used a malicious SharePoint link to trick users into granting permissions to a rogue application.
News URL

https://threatpost.com/attackers-mfa-bypass-account-takeovers/158189/