Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/27/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Office 365 Multifactor Authentication Done Right

Why the ubiquitous nature of Office 365 poses unique challenges for MFA-based security and how organizations can protect themselves.

Attacks like password spraying, brute force, and phishing have targeted Office 365 cloud users for years. Most incidents share a common thread: access to the right combinations of usernames and passwords along with legacy authentication mechanisms like basic authentication.

Attacks targeting email accounts protected only by single factor authentication, such as a password — even a "strong" password — see a higher probability of success. Against these odds, MFA has become a necessary line of defense. Using strong factors discourages attacks by introducing an extra layer of authentication to complete the sign-in process.

To combat these attacks, enterprises and users have layered security through the enforcement of multifactor authentication (MFA) for Office 365. (Disclaimer: Okta is a provider of MFA technology, along with many other security vendors.) While MFA is widely recognized as a trusted security measure and deployed by organizations to protect against cyber threats, the ubiquitous nature of Office 365 poses a unique challenge for MFA-based security: MFA can be bypassed, and it can occur without extraordinary levels of sophistication. To mitigate the risk of bypass, organizations need to understand the MFA bypass techniques for Office 365 and take steps to ensure these two technologies can coexist to keep future attacks at bay.

Bypassing MFA Through Office 365
While MFA can provide efficient protection, and many organizations have invested in MFA technology, not everyone has implemented the control effectively to protect access to Office 365.

While Microsoft Exchange does provide a mechanism for enforcing MFA using modern authentication — an umbrella term for a combination of authentication and authorization methods — it is not supported on every sign-in method supported by Office 365. In fact, only OWA and email clients built with Azure Active Directory Authentication Libraries (ADAL) support use the modern authentication flow, while legacy clients use only basic authentication, which relies only on a username and password, without requiring an MFA factor.

Possible scenarios that could potentially break or limit MFA enforcement on Office 365 include:

  • Legacy protocols like POP and IMAP which can only support basic authentication.
  • Access protocols that support modern authentication, like Exchange ActiveSync, Exchange Web Service (EWS), MAPI and PowerShell, that can be defaulted to use basic authentication.
  • Not all email clients are built with ADAL/modern authentication support, limiting access for some users from legacy email clients.

In addition to those vulnerabilities, last year, Okta researchers last year discovered that Microsoft's Active Directory Federation Services can allow potentially malicious actors to bypass MFA safeguards, as long as they can successfully MFA-authenticate to another user's account on the same ADFS service and have the correct password for other users. After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. However, for anyone who has not patched, the vulnerability persists.

Implications of Office 365 MFA bypass
The potential impact of an Office 365 MFA bypass is massive: Once attackers compromise Office 365 credentials, they can exfiltrate sensitive data. In cases where admin credentials are compromised, malefactors can gain the ability to scan email content across entire businesses, or create email forwarding rules to execute a phishing campaign targeting the employee's peers, while remaining undetected. These attacks can incur significant economic, brand, and compliance losses: some estimates suggest it could cost up to $2 million for an organization to conduct a large scale email compromise investigation including legal, forensics, data mining, manual review, notification, call center, and credit monitoring costs.

An example from last year: a group of nine Iranian nationals connected to the Mabna Institute illegally gained access to sensitive data from universities, at least 36 US businesses, private companies and government organizations through Office 365 — acquiring research the US had banned access to in Iran.

What can you do?
At the core of enforcing MFA on Office 365, you need to disable the use of basic authentication. Exchange Online added support for disabling basic authentication by creating "authentication policies" on Office 365 and applying these policies to users, so security teams need to ensure these are in place. However, defining and maintaining Exchange policies can be problematic with its reliance on PowerShell, meaning there is no corresponding graphic user interface for easy configurability.

The issue becomes easier to navigate when using client access policies from identity providers, which can be an effective approach to ensure that only MFA-enforced access is allowed through. These policies govern access to Office 365 based on attributes like client types, network location, user group membership and password-only versus password and MFA. However, applying these client access policies comes with trade-offs: native email clients on macOS and Android as well as older Windows Outlook app versions (older than 2013) that are not built with ADAL support cannot use modern authentication, and hence, will be prevented from accessing Office 365.

With attackers increasingly targeting corporate email, we need to give this issue the attention it deserves. Office 365 is the tip of the spear, as it is widely used and often attacked. MFA can be a robust control in preventing email-based breaches, but that only matters if it's implemented effectively. It is critical that IT admins and security teams ensure full MFA enforcement by investing in configuring, patching, and testing their Office 365 implementations for security flaws.

Related Content:

Yassir Abousselham is the chief security officer at Okta. As CSO, Yassir is responsible for upholding the highest level of security standards for both Okta's business and customers. Prior to Okta, Yassir served as chief information security officer at SoFi, managing the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.