Microsoft: Enterprise MFA adoption still low
The recent growth in popularity of phishing kits that bypass MFA protection shows that attackers have taken note of MFA and are adapting.
Microsoft's inaugural Cyber Signals report shows, on the other hand, that only 22 percent of customers using Microsoft Azure Active Directory have implemented MFA protection.
There's a dangerous mismatch between the magnitude of identity-focused attacks and organizations' preparedness for them, the company says: just between January and December 2021, Microsoft Azure AD detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords.
Attackers love compromised credentials and no MFA. "Spear-phishing, social engineering attacks, and large-scale password sprays are basic nation-state actor tactics used to steal or guess passwords," Microsoft says, and notes that these groups will keep using the same simple tactics if user credentials are poorly managed or MFA and passwordless authentication aren't employed.
"Finding weaknesses in identity is a common attack tactic shared by many threat actors, cybercriminals, and nation-state actors," says Christopher Glyer, Principal Threat Intelligence Lead at the Microsoft Threat Intelligence Center.
Microsoft has been recommending MFA use to its customers and the general public for years, pointing out that even though there are ways to bypass MFA protections, any form of MFA - if implemented correctly - takes users out of reach of most attacks.
News URL
https://www.helpnetsecurity.com/2022/02/07/enterprise-mfa-adoption/