Security News
Up to 78 percent of Microsoft 365 administrators do not have multi-factor authentication enabled. A recent report by CoreView Research also found that 97 percent of all Microsoft 365 users do not use MFA, shedding a grim light on the security issues inherent in how organizations deploy Microsoft's subscription service.
On average, 50% of users at enterprises running Microsoft 365 are not managed by default security policies within the platform, according to CoreView. Microsoft 365 administrators fail to implement basic security like MFA. The survey research shows that approximately 78% of Microsoft 365 administrators do not have multi-factor authentication activated.
Bugs in the multi-factor authentication system used by Microsoft's cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system, according to researchers at Proofpoint. The flaws exist in the implementation of what is called the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365, formerly called Office 365.
ManageEngine announced that ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, now supports multi-factor authentication for VPNs to protect organizations' internal networks from unauthorized access. "VPN gateways are directly accessible through the internet and are prone to brute force and other types of attacks. Relying on credentials alone to protect VPN access to vital resources could result in immeasurable losses," said Parthiban Paramasivam, director of product management, ADSelfService Plus.
While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place. According to Abnormal Security, cybercriminals are zeroing in on email clients that don't support modern authentication, such as mobile email clients; and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won't be subject to that protection.
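The bypass described above leaves a trace: a legacy-protocol sign-in that succeeds with a single factor while the same account is MFA-protected in the browser. The following is an added detection example, not code from the article or from Abnormal Security. The record fields (`clientAppUsed`, `authenticationRequirement`, `status`, `ip`) are assumptions loosely modelled on Azure AD sign-in log fields, and the sample records are constructed for this demonstration.

```python
"""Flag Microsoft 365 sign-ins that arrived over legacy protocols without MFA.

Added example; the record layout is an assumption modelled on Azure AD
sign-in log fields, and SAMPLE_SIGNINS is constructed, not real log data.
"""
from collections import defaultdict

# Assumption: client-app labels for protocols that cannot perform modern
# (interactive, MFA-capable) authentication, per the article's list.
LEGACY_CLIENT_APPS = {
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "MAPI Over HTTP",
    "Exchange ActiveSync",
    "Other clients",
}

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    {"user": "alice@example.test", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": "success", "ip": "203.0.113.10"},
    {"user": "alice@example.test", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": "success", "ip": "198.51.100.7"},
    {"user": "bob@example.test", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": "failure", "ip": "198.51.100.7"},
    {"user": "bob@example.test", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": "success", "ip": "198.51.100.7"},
    {"user": "carol@example.test", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": "success", "ip": "203.0.113.22"},
]


def is_legacy_bypass(record):
    """True when a sign-in succeeded over a legacy protocol with only one factor."""
    return (record["clientAppUsed"] in LEGACY_CLIENT_APPS
            and record["authenticationRequirement"] != "multiFactorAuthentication"
            and record["status"] == "success")


def find_legacy_bypass_signins(records):
    """All sign-ins where MFA was effectively bypassed via a legacy protocol."""
    return [r for r in records if is_legacy_bypass(r)]


def summarize_by_user(records):
    """Per-user count of single-factor legacy sign-ins, with protocols and IPs seen."""
    summary = defaultdict(lambda: {"count": 0, "protocols": set(), "ips": set()})
    for r in find_legacy_bypass_signins(records):
        entry = summary[r["user"]]
        entry["count"] += 1
        entry["protocols"].add(r["clientAppUsed"])
        entry["ips"].add(r["ip"])
    return dict(summary)


def password_spray_candidates(records, min_users=2):
    """Source IPs that tried legacy-protocol auth against several accounts.

    Failures count too: a spray shows up as one IP touching many users,
    regardless of how many attempts succeeded.
    """
    users_by_ip = defaultdict(set)
    for r in records:
        if r["clientAppUsed"] in LEGACY_CLIENT_APPS:
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for user, info in summarize_by_user(SAMPLE_SIGNINS).items():
        print(f"{user}: {info['count']} legacy single-factor sign-in(s) via {sorted(info['protocols'])}")
    print("possible spray sources:", password_spray_candidates(SAMPLE_SIGNINS))
```

Every user this flags is a candidate for blocking legacy authentication (Conditional Access or per-mailbox protocol settings) rather than for more MFA prompts, since the protocols in question never present one.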
These tools can help people complete their jobs but are fraught with security challenges. Frost & Sullivan examined how threats and attacks exist around employees' external systems and devices, and found that multi-factor authentication can be easily leveraged by IT departments.
People who don't take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Dennis soon learned that the unauthorized Gmail address added to his son's hacked Xbox account also had MFA enabled. This meant his son would be unable to reset the account's password without approval from the person in control of the Gmail account.
Over half of security leaders still rely on spreadsheets. Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber incidents, according to Panaseer.
Security threats associated with shadow IT. As cyber threats and remote working challenges linked to COVID-19 continue to rise, IT teams are increasingly pressured to keep organizations' security posture intact.
Phishers are trying to bypass the multi-factor authentication protection on users' Office 365 accounts by tricking them into granting permissions to a rogue application. How? By abusing the OAuth authorization flow: the authorization code issued once the user grants consent is exchanged for an access token, which the rogue application presents to Microsoft Graph to obtain access.
A new phishing campaign can bypass multi-factor authentication on Office 365 to access victims' data stored in the cloud and use it to extort a Bitcoin ransom or even find new victims to target, security researchers have found. The attack differs from a typical credential harvester in that it tricks users into granting permissions to the application, which bypasses MFA, he said.
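Consent phishing never needs the password or the second factor: the user satisfies MFA themselves, and the access token the app receives carries whatever delegated permissions the user approved. Defenders therefore review consent grants, not sign-ins. The following is an added example of such a review, not code from the article or the researchers it cites. The grant record layout is an assumption, the scope strings follow Microsoft Graph delegated-permission naming, and the sample grants and application IDs are constructed for this demonstration.

```python
"""Score OAuth consent grants for the consent-phishing pattern described above.

Added example; the grant layout is an assumption and SAMPLE_GRANTS is
constructed for the demonstration, not real tenant data.
"""

# Assumption: delegated Graph scopes that expose mailbox or file contents, plus
# offline_access, which yields a refresh token that outlives the user's session.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Contacts.Read",
    "Files.Read.All", "offline_access",
}

# Constructed sample consent grants (application IDs are placeholders).
SAMPLE_GRANTS = [
    {"app": "Contoso Expense Portal",
     "app_id": "00000000-0000-0000-0000-000000000001",
     "publisher_verified": True,
     "scopes": ["User.Read", "Files.Read.All"],
     "consented_by": "alice@example.test", "users": 40},
    {"app": "Upgrade Your Mailbox",
     "app_id": "00000000-0000-0000-0000-0000000000ff",
     "publisher_verified": False,
     "scopes": ["User.Read", "Mail.Read", "Mail.Send", "offline_access"],
     "consented_by": "bob@example.test", "users": 1},
    {"app": "Team Calendar Sync",
     "app_id": "00000000-0000-0000-0000-000000000002",
     "publisher_verified": False,
     "scopes": ["User.Read", "Calendars.Read"],
     "consented_by": "carol@example.test", "users": 3},
]


def score_grant(grant):
    """Return (score, reasons) for one consent grant.

    Each indicator adds one point; the reasons list explains the score so an
    analyst can see why an app was flagged.
    """
    reasons = []
    risky = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not grant["publisher_verified"]:
        reasons.append("unverified publisher")
    if "offline_access" in grant["scopes"]:
        reasons.append("refresh token requested (persists past session and MFA)")
    if grant["users"] <= 2:
        reasons.append("granted by only a few users")
    return len(reasons), reasons


def flag_risky_consents(grants, threshold=3):
    """Grants whose indicator count reaches the threshold, highest score first."""
    flagged = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            flagged.append({"app": g["app"], "app_id": g["app_id"],
                            "consented_by": g["consented_by"],
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in flag_risky_consents(SAMPLE_GRANTS):
        print(f"{f['app']} ({f['app_id']}) score={f['score']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

A flagged grant is remediated by revoking the app's consent (which invalidates its refresh tokens) and, going forward, by restricting which applications users may consent to themselves; tightening MFA does nothing here because the token was issued after MFA succeeded.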