
Crooks target top execs on Office 365 with MFA-bypass scheme
2022-08-25 18:01

A business email compromise scheme targeting CEOs and CFOs using Microsoft Office 365 combines phishing with a man-in-the-middle attack to bypass multi-factor authentication.

These attacks take advantage of a Microsoft 365 design flaw that allows miscreants to compromise accounts with MFA enabled and achieve persistence in victims' systems by adding a new authentication method under their own control, allowing them to come back at any time.

"The victim is prompted with a genuine MFA request on their MFA device," according to the analysis.

"After approving the request, the Microsoft server returns a valid session cookie, which the adversary sniffs and can then use to assume the victim's session, without needing to re-enter a password or approve an MFA request."

As noted above, the criminals use the same design flaw in 365 MFA to maintain persistence: it allows them to add a new authenticator app to the compromised user's profile without the victim's knowledge.

The issue exists because once a session has been authorized via MFA, Microsoft does not require a new MFA challenge for the duration of the MFA token.
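The two traces this scheme leaves in identity logs are the ones described above: a session cookie that was obtained after an MFA approval from one address and is then presented from another, and a new authentication method registered shortly afterwards. The following detection sketch is an added example, not code from the article or from Microsoft; the sign-in and audit records, their field names and the activity name `security_info_registered` are constructed stand-ins for whatever the identity provider actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article). Field names are
# assumptions modelled loosely on identity-provider sign-in and audit logs.
SIGNINS = [
    # CFO signs in interactively and approves MFA from the office network.
    {"ts": "2022-08-25T09:00:00", "user": "cfo@example.com", "session": "S-1",
     "ip": "203.0.113.10", "kind": "interactive_mfa"},
    # The same session cookie is then presented from an unrelated address,
    # which is the pattern a relayed (proxied) session leaves behind.
    {"ts": "2022-08-25T09:03:00", "user": "cfo@example.com", "session": "S-1",
     "ip": "198.51.100.77", "kind": "session_reuse"},
    # Benign: another user whose session stays on one address.
    {"ts": "2022-08-25T09:05:00", "user": "ceo@example.com", "session": "S-2",
     "ip": "203.0.113.11", "kind": "interactive_mfa"},
    {"ts": "2022-08-25T09:40:00", "user": "ceo@example.com", "session": "S-2",
     "ip": "203.0.113.11", "kind": "session_reuse"},
]

AUDITS = [
    # A new authenticator app is added to the CFO's profile from the replay address.
    {"ts": "2022-08-25T09:12:00", "user": "cfo@example.com", "ip": "198.51.100.77",
     "activity": "security_info_registered", "detail": "authenticator app"},
    # Benign: CEO re-registers a method from the same address as the MFA sign-in.
    {"ts": "2022-08-25T10:00:00", "user": "ceo@example.com", "ip": "203.0.113.11",
     "activity": "security_info_registered", "detail": "authenticator app"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def session_ip_mismatches(signins):
    """Alert on sessions whose later events arrive from an IP other than the
    one where the interactive MFA sign-in for that session took place."""
    anchor = {}   # session id -> IP of the interactive MFA sign-in
    alerts = []
    for ev in sorted(signins, key=lambda e: e["ts"]):
        if ev["kind"] == "interactive_mfa":
            anchor[ev["session"]] = ev["ip"]
            continue
        mfa_ip = anchor.get(ev["session"])
        if mfa_ip is not None and mfa_ip != ev["ip"]:
            alerts.append({"rule": "session_ip_mismatch", "user": ev["user"],
                           "session": ev["session"], "mfa_ip": mfa_ip,
                           "reuse_ip": ev["ip"], "ts": ev["ts"]})
    return alerts


def suspicious_method_registrations(signins, audits, window=timedelta(hours=1)):
    """Flag a new-authentication-method registration when, within `window`
    before it, the same user's session was seen from a non-MFA IP, or when
    the registering IP never completed an interactive MFA sign-in for that user."""
    mismatches = session_ip_mismatches(signins)
    mfa_ips = defaultdict(set)          # user -> IPs that passed interactive MFA
    for ev in signins:
        if ev["kind"] == "interactive_mfa":
            mfa_ips[ev["user"]].add(ev["ip"])

    alerts = []
    for au in audits:
        if au["activity"] != "security_info_registered":
            continue
        t = _t(au["ts"])
        recent = [m for m in mismatches
                  if m["user"] == au["user"] and t - window <= _t(m["ts"]) <= t]
        reasons = []
        if recent:
            reasons.append("preceded by session IP mismatch")
        if au["ip"] not in mfa_ips[au["user"]]:
            reasons.append("registering IP never completed interactive MFA")
        if reasons:
            alerts.append({"rule": "suspicious_method_registration",
                           "user": au["user"], "ip": au["ip"],
                           "detail": au["detail"], "ts": au["ts"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in session_ip_mismatches(SIGNINS) + \
            suspicious_method_registrations(SIGNINS, AUDITS):
        print(alert)
```

On the constructed data this flags only the CFO: the session cookie reuse from a second address, and the authenticator registration that follows it. In production the IP comparison should be coarsened (ASN or geolocation) so that mobile and VPN users do not fire the first rule on every hop, and the one-hour window tuned to local sign-in behaviour; a legitimate user enrolling a new phone from a new network will still trip the second rule, which is the review trigger the persistence step described above warrants.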

News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/25/microsoft_365_bec/