Many organizations and their employees believe that email is a secure method of communication, but unfortunately, it’s not. Every business is just one wrong click away from ransomware exposure, funds transfer fraud, and business email compromise. What’s worse is that these odds increase depending on your email provider.
According to our policyholder data, organizations that use Microsoft Office 365 are more than 3X as likely to experience a business email compromise when compared to Google’s Gmail.
Malicious actors have developed sophisticated techniques that can be difficult, if not impossible, for the trained eye to detect. That’s why we always suggest companies use an additional authentication method, both for email and all other programs where it’s supported.
Unfortunately, Office 365 users are still vulnerable even if they use multi-factor authentication (MFA), thanks to a new method of attacker deception. Here’s what we know.
Multi-factor authentication (also known as two-factor authentication or 2FA) is a security measure that adds a layer of protection to systems by requiring at least one additional verification step beyond a username and password. With MFA, users must also provide a digital token or code that is provided by a secondary device (often a phone) in the physical possession of the user in order to gain access to their account.
Despite the safety benefits of MFA, attackers have found a workaround for Office 365 email accounts who have multi-factor authentication in place.
The way attackers bypass MFA is by sending a request to the owner of the email account asking for permission to access an application (SharePoint, Microsoft Graphics, etc). They use OIDC (OpenID Connect) to authenticate the user who grants the permission and then OAuth2 (Open Authorization) to delegate access for the application. If the legitimate account owner grants permission, the attacker receives authorization which they use to log in, gaining access to that account indefinitely.
The authorization code that is sent from the Microsoft Identity Platform is used as an access token that is presented by the application to Microsoft Graph. Attackers have learned to use these Microsoft Graph authorizations in order to access Office 365 data on behalf of the user without their login credentials.
Pro tip: The only way a user will notice anything suspicious is by checking the redirect URL, which will not be a legitimate Microsoft website.
If a user does grant permission, an administrator will need to login to Azure AD and review the 3rd party enterprise applications. They will also need to review what individual users have consented and revoke the application access. We also advise checking for any modifications to the settings, such as disabling MFA which the attackers often do once they are in the account.
Here are a few additional steps you can take to mitigate risk:
Users should not be able to register applications without admin approval
Users should not be able to consent to apps accessing data on their behalf
Conditional access is the only current fix to allow for MFA to prompt users every login
Disable all legacy authentication
Coalition’s Claims and Security Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost. If you have questions about enabling MFA on Office 365, or other cybersecurity-related inquiries, reach out to our team.