How attackers use and abuse Microsoft MFA (Security News, August 2022)
More recently, Mandiant and Mitiga researchers have documented different approaches that allow attackers to use Microsoft MFA to their advantage.
Attackers take over dormant Microsoft accounts and set up MFA. Douglas Bienstock, an IR manager at Mandiant, shared last week a new tactic by APT29 and other threat actors that involves taking advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.
Mandiant recommends that organizations ensure all active accounts have at least one MFA device enrolled and work with their platform vendor to add additional verifications to the MFA enrollment process.
On Microsoft Azure AD, organizations can use Conditional Access to restrict the registration of MFA devices to only trusted locations or trusted devices, he added, and they can choose to require MFA to enroll MFA and issue Temporary Access Passes to employees when they first join or if they lose their MFA device.
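As an added illustration of the Conditional Access hardening described above (not part of the original article or Mandiant's material), the following Microsoft Graph `conditionalAccessPolicy` object targets the "Register security information" user action, blocks it from any location not marked as trusted, and requires MFA everywhere else. The display name and the report-only state are assumptions chosen for this example; a Temporary Access Pass must still be issued separately to users who have no enrolled method yet.

```json
{
  "displayName": "EXAMPLE - Protect MFA registration",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": [ "All" ],
      "excludeUsers": [ "PLACEHOLDER-BREAK-GLASS-ACCOUNT-OBJECT-ID" ]
    },
    "applications": {
      "includeUserActions": [ "urn:user:registersecurityinfo" ]
    },
    "locations": {
      "includeLocations": [ "All" ],
      "excludeLocations": [ "AllTrusted" ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [ "block" ]
  }
}
```

A second policy with the same `includeUserActions` target, no location condition and `"builtInControls": [ "mfa" ]` enforces the "MFA to enroll MFA" requirement from trusted locations; review both in report-only mode before switching `state` to `enabled`.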
In a phishing campaign recently spotted by Microsoft, BEC scammers targeted Office 365 users and successfully bypassed the MFA set up to protect the accounts by using proxy servers and phishing websites to steal users' passwords and session cookies.
The problem here was that Microsoft does not require an MFA re-challenge for accessing and changing user authentication methods, he added.
News URL
https://www.helpnetsecurity.com/2022/08/24/attackers-microsoft-mfa/