MFA bypass allows hackers to infiltrate Microsoft 365

Hackers could exploit errors in the ‘inherently insecure’ protocol implemented on widely-used cloud services

Desktop monitor and mobile phone with hand pointing

Critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including core Microsoft services.

Microsoft 365 is the most notable cloud service that can be infiltrated in such a way due to the way the platform’s session login is designed, according to Proofpoint, with hackers able to gain full access to a target’s account. Information including emails, files, contacts, among other data points would be vulnerable to such an attack.

This is in addition to the MFA bypass granting access to a host of other cloud services, including production and development environments such as Microsoft Azure as well as Visual Studio.

The flaw lies in the implementation of the WS-Trust specification, an OASIS standard that is used for renewing and validating security tokens and establishing trusted connections. Proofpoint researchers claim that WS-Trust is inherently insecure and that Microsoft’s identity providers implemented the standard with a number of bugs.

These vulnerabilities can be exploited to allow an attacker, for example, to spoof their IP address to bypass MFA through a simple request header manipulation. Changing the user-agent header, in another example, may also cause the system to misidentify the protocol, and believe it to be using ‘modern authentication’. 

“Most likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,” Proofpoint said.

“Vulnerabilities require research, but once discovered, they can be exploited in an automated fashion. They are hard to detect and may not even appear on event logs, leaving no trace or hint of their activity. Since MFA as a preventative measure can be bypassed, it becomes necessary to layer additional security measures in the form of account compromise detection and remediation.”

With MFA becoming an essential and more widely-adopted additional layer of security to reinforce username-and-password logins, cyber criminals are certainly more attracted to identifying and implementing bypasses.

This is particularly pertinent during the coronavirus crisis, where the mass shift to remote and home working meant critical apps and services were being accessed from insecure locations, with protocols such as MFA in place to bolster cyber security.

IT Pro approached Microsoft for comment but had not received a response at the time of writing.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Microsoft unveils its new retail-focused cloud service
Cloud

Microsoft unveils its new retail-focused cloud service

14 Jan 2021
Microsoft more than doubles file size limit for SharePoint, Teams, and OneDrive
Microsoft Office

Microsoft more than doubles file size limit for SharePoint, Teams, and OneDrive

14 Jan 2021
Weekly threat roundup: Microsoft Defender, Adobe, Mimecast
vulnerability

Weekly threat roundup: Microsoft Defender, Adobe, Mimecast

14 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021