Security News

Outlook app to get built-in Microsoft 365 MFA on Android, iOS
2023-03-13 17:07

Microsoft will soon fast-track multi-factor authentication adoption for its Microsoft 365 cloud productivity platform by adding MFA capabilities to the Outlook email client. The company says in a new Microsoft 365 roadmap entry that users will be able to complete MFA requests for Microsoft 365 apps directly in the Outlook app via a new feature dubbed Authenticator Lite.

When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About
2023-03-10 12:56

Are you as protected as you should be? Maybe it's time for you to re-evaluate your MFA. As a follow-up, explore this eBook to learn more about Silverfort's Unified Identity Protection approach to MFA and gain insight into how to assess your existing protections and relative risk exposure. In the same manner, if attackers can move laterally in your environment by providing compromised credentials to command line access tools, it no longer matters that you have MFA protection for RDP and desktop login.

Unphishable mobile MFA through hardware keys
2023-01-30 15:07

Passwords are a mess, MFA can be more of a stopgap than a solution to phishing, and running your own public key infrastructure for certificates is a lot of work. Ironically, if you're a security-aware organization in a regulated industry that already did the hard work of adopting the previous gold standard - smartcards that hold a security certificate and validate it against a certificate authority on your infrastructure - you might find yourself stuck running ADFS as you try to move to the new FIDO keys.

MFA Fatigue attacks are putting your organization at risk
2022-11-15 15:07

A common threat targeting businesses is MFA fatigue attacks, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. Using MFA Fatigue attacks, cybercriminals bombard their victims with repeated 2FA push notifications to trick them into authenticating their login attempts to increase their chances of gaining access to sensitive information.

2FA, 3FA, MFA… What does it all mean?
2022-11-09 05:30

MFA protects a system, location, or sensitive data from being accessed by an unauthorized user. MFA systems also consider a one-time password/code received by the user via SMS or authenticator app as a possession factor.

The future of MFA is passwordless
2022-10-19 03:30

Into the future with enterprise passwordless solutions. The survey isolated perceptions and adoption of newer FIDO2-certified enterprise passwordless solutions, and segregated the impact of single sign-on portal and endpoint biometric-based "Passwordless-like" experiences.

MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
2022-09-20 10:30

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account owner's mobile device. A demonstration of an MFA Fatigue attack, or MFA spam, can be seen in this YouTube video created by cybersecurity support company Reformed IT. In many cases, the threat actors will push out repeated MFA notifications and then contact the target through email, messaging platforms, or over the phone, pretending to be IT support to convince the user to accept the MFA prompt.

EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web
2022-09-06 03:30

Resecurity has recently identified a new Phishing-as-a-Service called EvilProxy advertised on the dark web. While the incident with Twilio is solely related to the supply chain, and cybersecurity risks obviously lead to attacks against downstream targets, a productized underground service like EvilProxy enables threat actors to attack users with MFA enabled on the largest scale without the need to hack upstream services.

Okta one-time MFA passcodes exposed in Twilio cyberattack
2022-08-28 17:15

The threat actor behind the Twilio hack used their access to steal one-time passwords delivered over SMS from customers of identity and access management company Okta. Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.

Twilio breach let hackers see Okta's one-time MFA passwords
2022-08-28 17:15

The threat actor behind the Twilio hack used their access to steal one-time passwords delivered over SMS from customers of identity and access management company Okta. Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.