Security News > 2020 > December > How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication
Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo.
The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question.
Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented cookie tied to a Duo MFA session named duo-sid.
Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key from the OWA server.
MFA threat modeling generally doesn't include a complete system compromise of an OWA server.