Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/27/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Office 365 Multifactor Authentication Done Right

Why the ubiquitous nature of Office 365 poses unique challenges for MFA-based security and how organizations can protect themselves.

Attacks like password spraying, brute force, and phishing have targeted Office 365 cloud users for years. Most incidents share a common thread: access to the right combinations of usernames and passwords along with legacy authentication mechanisms like basic authentication.

Attacks targeting email accounts protected only by single factor authentication, such as a password — even a "strong" password — see a higher probability of success. Against these odds, MFA has become a necessary line of defense. Using strong factors discourages attacks by introducing an extra layer of authentication to complete the sign-in process.

To combat these attacks, enterprises and users have layered security through the enforcement of multifactor authentication (MFA) for Office 365. (Disclaimer: Okta is a provider of MFA technology, along with many other security vendors.) While MFA is widely recognized as a trusted security measure and deployed by organizations to protect against cyber threats, the ubiquitous nature of Office 365 poses a unique challenge for MFA-based security: MFA can be bypassed, and it can occur without extraordinary levels of sophistication. To mitigate the risk of bypass, organizations need to understand the MFA bypass techniques for Office 365 and take steps to ensure these two technologies can coexist to keep future attacks at bay.

Bypassing MFA Through Office 365
While MFA can provide efficient protection, and many organizations have invested in MFA technology, not everyone has implemented the control effectively to protect access to Office 365.

While Microsoft Exchange does provide a mechanism for enforcing MFA using modern authentication — an umbrella term for a combination of authentication and authorization methods — it is not supported on every sign-in method supported by Office 365. In fact, only OWA and email clients built with Azure Active Directory Authentication Libraries (ADAL) support use the modern authentication flow, while legacy clients use only basic authentication, which relies only on a username and password, without requiring an MFA factor.

Possible scenarios that could potentially break or limit MFA enforcement on Office 365 include:

  • Legacy protocols like POP and IMAP which can only support basic authentication.
  • Access protocols that support modern authentication, like Exchange ActiveSync, Exchange Web Service (EWS), MAPI and PowerShell, that can be defaulted to use basic authentication.
  • Not all email clients are built with ADAL/modern authentication support, limiting access for some users from legacy email clients.

In addition to those vulnerabilities, last year, Okta researchers last year discovered that Microsoft's Active Directory Federation Services can allow potentially malicious actors to bypass MFA safeguards, as long as they can successfully MFA-authenticate to another user's account on the same ADFS service and have the correct password for other users. After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. However, for anyone who has not patched, the vulnerability persists.

Implications of Office 365 MFA bypass
The potential impact of an Office 365 MFA bypass is massive: Once attackers compromise Office 365 credentials, they can exfiltrate sensitive data. In cases where admin credentials are compromised, malefactors can gain the ability to scan email content across entire businesses, or create email forwarding rules to execute a phishing campaign targeting the employee's peers, while remaining undetected. These attacks can incur significant economic, brand, and compliance losses: some estimates suggest it could cost up to $2 million for an organization to conduct a large scale email compromise investigation including legal, forensics, data mining, manual review, notification, call center, and credit monitoring costs.

An example from last year: a group of nine Iranian nationals connected to the Mabna Institute illegally gained access to sensitive data from universities, at least 36 US businesses, private companies and government organizations through Office 365 — acquiring research the US had banned access to in Iran.

What can you do?
At the core of enforcing MFA on Office 365, you need to disable the use of basic authentication. Exchange Online added support for disabling basic authentication by creating "authentication policies" on Office 365 and applying these policies to users, so security teams need to ensure these are in place. However, defining and maintaining Exchange policies can be problematic with its reliance on PowerShell, meaning there is no corresponding graphic user interface for easy configurability.

The issue becomes easier to navigate when using client access policies from identity providers, which can be an effective approach to ensure that only MFA-enforced access is allowed through. These policies govern access to Office 365 based on attributes like client types, network location, user group membership and password-only versus password and MFA. However, applying these client access policies comes with trade-offs: native email clients on macOS and Android as well as older Windows Outlook app versions (older than 2013) that are not built with ADAL support cannot use modern authentication, and hence, will be prevented from accessing Office 365.

With attackers increasingly targeting corporate email, we need to give this issue the attention it deserves. Office 365 is the tip of the spear, as it is widely used and often attacked. MFA can be a robust control in preventing email-based breaches, but that only matters if it's implemented effectively. It is critical that IT admins and security teams ensure full MFA enforcement by investing in configuring, patching, and testing their Office 365 implementations for security flaws.

Related Content:

Yassir Abousselham is the chief security officer at Okta. As CSO, Yassir is responsible for upholding the highest level of security standards for both Okta's business and customers. Prior to Okta, Yassir served as chief information security officer at SoFi, managing the ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11749
PUBLISHED: 2020-07-13
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2.
CVE-2020-5766
PUBLISHED: 2020-07-13
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields.
CVE-2020-15689
PUBLISHED: 2020-07-13
Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, mishandles an HTTP request with a Range header that lacks an exact range. This may result in a NULL pointer dereference and cause a denial of service.
CVE-2019-4591
PUBLISHED: 2020-07-13
IBM Maximo Asset Management 7.6.0 and 7.6.1 does not invalidate session after logout which could allow a local user to impersonate another user on the system. IBM X-Force ID: 167451.
CVE-2019-20907
PUBLISHED: 2020-07-13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.