Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/27/2019
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Office 365 Multifactor Authentication Done Right

Why the ubiquitous nature of Office 365 poses unique challenges for MFA-based security and how organizations can protect themselves.

Attacks like password spraying, brute force, and phishing have targeted Office 365 cloud users for years. Most incidents share a common thread: access to the right combinations of usernames and passwords along with legacy authentication mechanisms like basic authentication.

Attacks targeting email accounts protected only by single factor authentication, such as a password — even a "strong" password — see a higher probability of success. Against these odds, MFA has become a necessary line of defense. Using strong factors discourages attacks by introducing an extra layer of authentication to complete the sign-in process.

To combat these attacks, enterprises and users have layered security through the enforcement of multifactor authentication (MFA) for Office 365. (Disclaimer: Okta is a provider of MFA technology, along with many other security vendors.) While MFA is widely recognized as a trusted security measure and deployed by organizations to protect against cyber threats, the ubiquitous nature of Office 365 poses a unique challenge for MFA-based security: MFA can be bypassed, and it can occur without extraordinary levels of sophistication. To mitigate the risk of bypass, organizations need to understand the MFA bypass techniques for Office 365 and take steps to ensure these two technologies can coexist to keep future attacks at bay.

Bypassing MFA Through Office 365
While MFA can provide efficient protection, and many organizations have invested in MFA technology, not everyone has implemented the control effectively to protect access to Office 365.

While Microsoft Exchange does provide a mechanism for enforcing MFA using modern authentication — an umbrella term for a combination of authentication and authorization methods — it is not supported on every sign-in method supported by Office 365. In fact, only OWA and email clients built with Azure Active Directory Authentication Libraries (ADAL) support use the modern authentication flow, while legacy clients use only basic authentication, which relies only on a username and password, without requiring an MFA factor.

Possible scenarios that could potentially break or limit MFA enforcement on Office 365 include:

  • Legacy protocols like POP and IMAP which can only support basic authentication.
  • Access protocols that support modern authentication, like Exchange ActiveSync, Exchange Web Service (EWS), MAPI and PowerShell, that can be defaulted to use basic authentication.
  • Not all email clients are built with ADAL/modern authentication support, limiting access for some users from legacy email clients.

In addition to those vulnerabilities, last year, Okta researchers last year discovered that Microsoft's Active Directory Federation Services can allow potentially malicious actors to bypass MFA safeguards, as long as they can successfully MFA-authenticate to another user's account on the same ADFS service and have the correct password for other users. After being notified about the vulnerability and independently validating it, Microsoft produced a patch to address it. However, for anyone who has not patched, the vulnerability persists.

Implications of Office 365 MFA bypass
The potential impact of an Office 365 MFA bypass is massive: Once attackers compromise Office 365 credentials, they can exfiltrate sensitive data. In cases where admin credentials are compromised, malefactors can gain the ability to scan email content across entire businesses, or create email forwarding rules to execute a phishing campaign targeting the employee's peers, while remaining undetected. These attacks can incur significant economic, brand, and compliance losses: some estimates suggest it could cost up to $2 million for an organization to conduct a large scale email compromise investigation including legal, forensics, data mining, manual review, notification, call center, and credit monitoring costs.

An example from last year: a group of nine Iranian nationals connected to the Mabna Institute illegally gained access to sensitive data from universities, at least 36 US businesses, private companies and government organizations through Office 365 — acquiring research the US had banned access to in Iran.

What can you do?
At the core of enforcing MFA on Office 365, you need to disable the use of basic authentication. Exchange Online added support for disabling basic authentication by creating "authentication policies" on Office 365 and applying these policies to users, so security teams need to ensure these are in place. However, defining and maintaining Exchange policies can be problematic with its reliance on PowerShell, meaning there is no corresponding graphic user interface for easy configurability.

The issue becomes easier to navigate when using client access policies from identity providers, which can be an effective approach to ensure that only MFA-enforced access is allowed through. These policies govern access to Office 365 based on attributes like client types, network location, user group membership and password-only versus password and MFA. However, applying these client access policies comes with trade-offs: native email clients on macOS and Android as well as older Windows Outlook app versions (older than 2013) that are not built with ADAL support cannot use modern authentication, and hence, will be prevented from accessing Office 365.

With attackers increasingly targeting corporate email, we need to give this issue the attention it deserves. Office 365 is the tip of the spear, as it is widely used and often attacked. MFA can be a robust control in preventing email-based breaches, but that only matters if it's implemented effectively. It is critical that IT admins and security teams ensure full MFA enforcement by investing in configuring, patching, and testing their Office 365 implementations for security flaws.

Related Content:

Yassir Abousselham is the chief security officer at Okta. As CSO, Yassir is responsible for upholding the highest level of security standards for both Okta's business and customers. Prior to Okta, Yassir served as chief information security officer at SoFi, managing the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1633
PUBLISHED: 2020-04-09
Due to a new NDP proxy feature for EVPN leaf nodes introduced in Junos OS 17.4, crafted NDPv6 packets could transit a Junos device configured as a Broadband Network Gateway (BNG) and reach the EVPN leaf node, causing a stale MAC address entry. This could cause legitimate traffic to be discarded, le...
CVE-2020-8834
PUBLISHED: 2020-04-09
KVM in the Linux kernel on Power8 processors has a conflicting use of HSTATE_HOST_R1 to store r1 state in kvmppc_hv_entry plus in kvmppc__tm, leading to a stack corruption. Because of this, an attacker with the ability run code in kernel space of a guest VM can cause the host kernel to...
CVE-2020-11668
PUBLISHED: 2020-04-09
In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.
CVE-2020-8961
PUBLISHED: 2020-04-09
An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific loc...
CVE-2020-7922
PUBLISHED: 2020-04-09
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are u...