Researchers at Proofpoint are warning about critical multi-factor authentication (MFA) bypass vulnerabilities affecting the Microsoft 365 platform, and they put the blame on WS-Trust, a protocol that Microsoft itself has characterized as inherently insecure. In cloud environments where WS-Trust is enabled, attackers could potentially bypass MFA and access applications on the platform. Access to someone’s Microsoft 365 account means access to their emails, files, contacts, data, and anything else connected to it, such as Azure or Visual Studio accounts.
The COVID-19-induced “work from home” situation has raised the popularity of cloud-based applications and collaboration platforms, and Microsoft 365 is among them. Crooks are looking to take advantage of this shift and are targeting these users aggressively. Credential stuffing is a standard way to do this, but multi-factor authentication always stands in the way. As Proofpoint explains, though, this layer of security isn’t tightly sealed, so here are some of the ways attackers manage to find their way in.
Real-time phishing – The attacker sets up a “proxy” between the target website and the victim, and tricks the victim into entering their credentials as well as the MFA code on the phishing page. Because this is a time-sensitive attack, the actors typically deploy automated tools like Modlishka. In other cases, the attackers do the job manually and take over the account right then and there.
Channel hijacking – This method steals the MFA code from the target’s device, so a malware strain must first have been planted there. An alternative is a SIM-swapping attack, and in other cases, cell tower signal interception.
Legacy protocols – This method is perhaps the cheapest, most straightforward, and most commonly seen. A large number of organizations still support email protocols like POP and IMAP, which cannot enforce MFA. Attackers simply scan for vulnerable deployments and then use credential dumps and automated crawlers to get hold of whatever accounts they can.
Microsoft deprecated WS-Trust in February this year, admitting that there is no way to ensure the security of those using the protocol. System admins are therefore advised to use a better security protocol, enforce granular access controls, apply people-centric policies, and automatically block access and requests from locations that are known to be malicious or risky. Monitoring network activity with an AI-based threat intelligence tool that can identify suspicious patterns would also be a good way to stop attackers early enough.
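As an added example (not from Proofpoint or this article), the following Python triage script runs over constructed Microsoft 365 sign-in records and flags the two conditions the advice above targets: sign-ins over legacy protocols such as POP and IMAP, which can never be MFA-challenged, and sign-ins from outside an allow list of countries. The record field names are assumed to follow the Azure AD sign-in log format, and the legacy client-app strings are assumptions as well.

```python
"""Defender-side triage of Microsoft 365 sign-in records: flag logins that never faced an
MFA prompt (legacy POP/IMAP/SMTP clients) or that come from outside the allowed countries."""
import json

# Client-app values that use basic authentication and therefore cannot be made to complete MFA.
# Assumption: these strings follow the clientAppUsed values seen in Azure AD sign-in logs.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed sample in the shape of Azure AD sign-in log entries (one JSON object per line).
# Users, addresses and countries are made up for this example; the last line is deliberately malformed.
SAMPLE_SIGNINS = """
{"createdDateTime": "2020-09-14T08:01:12Z", "userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2020-09-14T08:03:40Z", "userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}}
{"createdDateTime": "2020-09-14T08:05:02Z", "userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "FR"}, "status": {"errorCode": 0}}
{"createdDateTime": "2020-09-14T08:05:59Z", "userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "ipAddress": "192.0.2.9", "location": {}, "status": {"errorCode": 50126}}
not valid json
"""


def parse_signins(lines):
    """Yield sign-in records, skipping blank or malformed lines instead of aborting the run."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_suspicious_signins(lines, allowed_countries=frozenset({"US"})):
    """Return one finding per sign-in that used a legacy (MFA-less) protocol or an unexpected country."""
    findings = []
    for rec in parse_signins(lines):
        reasons = []
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            reasons.append("legacy protocol, MFA not enforceable")
        country = (rec.get("location") or {}).get("countryOrRegion")
        if country not in allowed_countries:
            # A missing country is reported as unknown rather than silently allowed.
            reasons.append(f"location {country or 'unknown'} not in allow list")
        if reasons:
            findings.append({
                "user": rec.get("userPrincipalName"),
                "ip": rec.get("ipAddress"),
                "client": rec.get("clientAppUsed"),
                "succeeded": (rec.get("status") or {}).get("errorCode") == 0,
                "reasons": reasons,
            })
    return findings
```

Calling `find_suspicious_signins(SAMPLE_SIGNINS.splitlines())` returns three findings: bob (IMAP4), carol (unexpected country) and dave (POP3 from an unknown location, with a failed password attempt that is still worth seeing because credential stuffing produces many failures before a success).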