Microsoft recently issued a warning that threat actors are adapting their techniques in order to bypass multi-factor authentication (MFA) protections.
Many companies and their employees access work resources from personal devices like a cell phone or home PC. These devices may be less managed, making them a prime target for token theft. Token theft is a method increasingly being used by hackers, especially since it can be a relatively easy way to bypass MFA. Two common methods include adversary-in-the-middle (AiTM) frameworks and pass-the-cookie attacks. Hackers use AiTM frameworks to intercept tokens. For example, a false framework can be inserted between an employee and a work application they are trying to access, and if successful, the bad actor can seize the user’s credentials and the generated MFA token. A pass-the-cookie attack compromises browser cookies to gain access to corporate resources. If a hacker can break into a user’s device, they can steal a cookie that was already created and stored after authentication, and pass it to a different browser or system. This method would bypass company security checks.
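The pass-the-cookie pattern described above leaves a trace defenders can look for: a session that was authenticated on one client later shows up on another. The following is an added example, not code from Microsoft or from the original article; the log schema (time, user, session ID, IP, user agent, MFA flag) and the severity labels are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs), in a hypothetical schema:
# (time, user, session id, source IP, user agent, request completed MFA)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "sess-A1", "198.51.100.10", "Edge/120 Windows", True),
    ("2024-01-10T09:05:00", "alice", "sess-A1", "198.51.100.10", "Edge/120 Windows", False),
    ("2024-01-10T09:20:00", "alice", "sess-A1", "203.0.113.77", "Firefox/121 Linux", False),
    ("2024-01-10T10:00:00", "bob", "sess-B7", "192.0.2.44", "Chrome/120 macOS", True),
    ("2024-01-10T10:30:00", "bob", "sess-B7", "192.0.2.45", "Chrome/120 macOS", False),
    ("2024-01-10T11:00:00", "carol", "sess-C3", "192.0.2.90", "Safari/17 macOS", False),
]

def finding(session, user, reason, severity, ip, when):
    return {"session": session, "user": user, "reason": reason,
            "severity": severity, "ip": ip, "time": when.isoformat()}

def find_replayed_sessions(events):
    """Flag sessions used from a client that never completed MFA for them."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, agent, mfa in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, agent, mfa))

    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r[0])
        # Clients (IP + user agent) that actually authenticated this session.
        trusted = {(ip, agent) for _, _, ip, agent, mfa in rows if mfa}
        if not trusted:
            # The session was never seen authenticating anywhere in the data.
            when, user, ip, _, _ = rows[0]
            findings.append(finding(sid, user, "no_mfa_seen", "medium", ip, when))
            continue
        trusted_agents = {agent for _, agent in trusted}
        for when, user, ip, agent, _ in rows:
            if (ip, agent) in trusted:
                continue
            # An IP change alone is common (mobile networks, VPN): low.
            # A different browser or OS on the same session: high.
            severity = "low" if agent in trusted_agents else "high"
            findings.append(finding(sid, user, "new_client", severity, ip, when))
    return findings

if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_EVENTS):
        print(f)
```

Field names in real identity-provider sign-in logs differ, so the tuple layout here has to be mapped to whatever the log source actually exports.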
Because these attacks are ever-present, Microsoft has a few recommendations for staying safe. First is visibility: companies should know which devices employees are using to log into various resources. Using compliance tools along with other device-based conditional policies can make it easier to track and update devices with security patches, antivirus software, and more. Companies can also follow security baselines to decrease the risk of users’ devices being compromised or experiencing token theft. Phishing-resistant MFA solutions can be used for added protection. Lastly, users with advanced tenant privileges can be moved into a separate cloud-only identity, in case any on-premises services get compromised.
To learn more about MFA bypass attacks, from how to detect and respond to them to protecting your company, visit here.