Attacks like password spraying, brute force, and phishing have targeted Office 365 cloud users for years. Most incidents share a common thread: access to the right combinations of usernames and passwords along with legacy authentication mechanisms like basic authentication.
Attacks targeting email accounts protected only by single factor authentication, such as a password — even a "strong" password — see a higher probability of success. Against these odds, MFA has become a necessary line of defense. Using strong factors discourages attacks by introducing an extra layer of authentication to complete the sign-in process.
To combat these attacks, enterprises and users have layered security through the enforcement of multifactor authentication (MFA) for Office 365. (Disclaimer: Okta is a provider of MFA technology, along with many other security vendors.) While MFA is widely recognized as a trusted security measure and deployed by organizations to protect against cyber threats, the ubiquitous nature of Office 365 poses a unique challenge for MFA-based security: MFA can be bypassed, and it can occur without extraordinary levels of sophistication. To mitigate the risk of bypass, organizations need to understand the MFA bypass techniques for Office 365 and take steps to ensure these two technologies can coexist to keep future attacks at bay.
Bypassing MFA Through Office 365
While MFA can provide efficient protection, and many organizations have invested in MFA technology, not everyone has implemented the control effectively to protect access to Office 365.
While Microsoft Exchange does provide a mechanism for enforcing MFA using modern authentication — an umbrella term for a combination of authentication and authorization methods — it is not supported on every sign-in method supported by Office 365. In fact, only OWA and email clients built with Azure Active Directory Authentication Libraries (ADAL) support use the modern authentication flow, while legacy clients use only basic authentication, which relies only on a username and password, without requiring an MFA factor.
Possible scenarios that could potentially break or limit MFA enforcement on Office 365 include:
- Legacy protocols like POP and IMAP which can only support basic authentication.
- Access protocols that support modern authentication, like Exchange ActiveSync, Exchange Web Service (EWS), MAPI and PowerShell, that can be defaulted to use basic authentication.
- Not all email clients are built with ADAL/modern authentication support, limiting access for some users from legacy email clients.
In addition to those vulnerabilities, last year, Okta researchers last year discovered that Microsoft's Active Directory Federation Services can allow potentially malicious actors to bypass MFA safeguards, as long as they can successfully MFA-authenticate to another user's account on the same ADFS service and have the correct password for other users. After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. However, for anyone who has not patched, the vulnerability persists.
Implications of Office 365 MFA bypass
The potential impact of an Office 365 MFA bypass is massive: Once attackers compromise Office 365 credentials, they can exfiltrate sensitive data. In cases where admin credentials are compromised, malefactors can gain the ability to scan email content across entire businesses, or create email forwarding rules to execute a phishing campaign targeting the employee's peers, while remaining undetected. These attacks can incur significant economic, brand, and compliance losses: some estimates suggest it could cost up to $2 million for an organization to conduct a large scale email compromise investigation including legal, forensics, data mining, manual review, notification, call center, and credit monitoring costs.
An example from last year: a group of nine Iranian nationals connected to the Mabna Institute illegally gained access to sensitive data from universities, at least 36 US businesses, private companies and government organizations through Office 365 — acquiring research the US had banned access to in Iran.
What can you do?
At the core of enforcing MFA on Office 365, you need to disable the use of basic authentication. Exchange Online added support for disabling basic authentication by creating "authentication policies" on Office 365 and applying these policies to users, so security teams need to ensure these are in place. However, defining and maintaining Exchange policies can be problematic with its reliance on PowerShell, meaning there is no corresponding graphic user interface for easy configurability.
The issue becomes easier to navigate when using client access policies from identity providers, which can be an effective approach to ensure that only MFA-enforced access is allowed through. These policies govern access to Office 365 based on attributes like client types, network location, user group membership and password-only versus password and MFA. However, applying these client access policies comes with trade-offs: native email clients on macOS and Android as well as older Windows Outlook app versions (older than 2013) that are not built with ADAL support cannot use modern authentication, and hence, will be prevented from accessing Office 365.
With attackers increasingly targeting corporate email, we need to give this issue the attention it deserves. Office 365 is the tip of the spear, as it is widely used and often attacked. MFA can be a robust control in preventing email-based breaches, but that only matters if it's implemented effectively. It is critical that IT admins and security teams ensure full MFA enforcement by investing in configuring, patching, and testing their Office 365 implementations for security flaws.