Why Does MFA Sometimes Fail? Understanding the Limitations of Security Controls
Understanding the Advancements and Challenges in Enterprise Security
Why has Microsoft become a target for cybercriminals? One key reason is its dominance as a provider of both enterprise software and cloud services, such as the Microsoft 365 (M365) suite. However, the growth and evolution of these services bring significant security challenges, as attackers keep finding new ways to bypass security controls, including multi-factor authentication (MFA).
A Typical MFA Attack Scenario – What Can Go Wrong?
Let’s consider a typical scenario where you, as a CFO, receive an email from a known vendor requesting your digital signature. All seems to be in line with your normal business tasks:
- The email originates from a recognized address.
- The request ties into an ongoing business transaction.
- You were expecting this document for your signature.
You enter your login details on the Microsoft 365 page and approve the MFA request on your mobile device. Instead of accessing the document, you face an error or find yourself in your usual webmail inbox. Though mildly puzzled, you see no immediate cause for alarm and inform the sender about the missing document. Unbeknownst to you, a security breach has already occurred.
What is the Danger Behind the Scenes? The Threat of Session Hijacking
What you missed during the incident was that the vendor’s email account had been compromised long before this interaction. The link led to a man-in-the-middle (MITM) proxy that relayed your login and MFA approval to Microsoft in real time and intercepted the session token issued afterwards, giving the attacker full access to your Microsoft 365 environment. This access can lead to significant damage:
- Disruption of your emails and file management.
- The attacker can remain concealed by deleting sent emails and replies before they arouse your suspicion.
- The attacker can use your account to repeat similar attacks on your colleagues and external partners, capitalizing on your credibility.
Why Do These Attacks Occur? The Issue of Trust Exploitation
These attacks succeed because they exploit the trust placed in MFA and in well-established business relationships. Once the attacker has infiltrated a trusted account, they can run highly effective phishing campaigns that piggyback on ongoing conversations and business transactions to trick victims.
How Can You Defend Against MFA Bypass Attacks?
Even though MFA is a vital security control, it isn’t invulnerable. Attackers have found ways to circumvent it, necessitating the deployment of additional safeguards:
- Adopt phishing-resistant MFA: FIDO2 security keys and certificate-based authentication bind the login to the legitimate site, so a proxy sitting between the user and Microsoft cannot relay the authentication and walk away with a session token.
- Enable Conditional Access policies: restrict sign-ins based on factors such as device health, location, and risk signals to block unauthorized access even when credentials and a token have been captured.
- Monitor for suspicious session activity: regularly review sign-in patterns and look for anomalies such as unfamiliar device registrations, unusual locations, or a session being used from a different network than the one that completed MFA.
- Educate users about real-world attack scenarios: security training should cover advanced threats such as MFA fatigue attacks and session hijacking, not just basic phishing emails.
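The monitoring point above, worked through as an added example that is not from the original article: a small Python detector run over constructed sign-in events that flags the two footprints a MITM proxy leaves behind, an MFA sign-in from outside the user's usual countries and a session token reused from a different network shortly after issuance. The event fields, IP addresses and the per-user country baseline are assumptions; a real deployment would read the tenant's interactive and non-interactive sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data). An "interactive" event
# is the MFA-completed sign-in that issues the session; "non_interactive" events
# are later uses of that session's cookie/token.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "cfo@example.com", "session": "s1",
     "kind": "interactive", "ip": "203.0.113.10", "country": "DE"},
    {"ts": "2024-05-01T09:03:00", "user": "cfo@example.com", "session": "s1",
     "kind": "non_interactive", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2024-05-01T10:00:00", "user": "cfo@example.com", "session": "s2",
     "kind": "interactive", "ip": "192.0.2.44", "country": "DE"},
    {"ts": "2024-05-01T10:30:00", "user": "cfo@example.com", "session": "s2",
     "kind": "non_interactive", "ip": "192.0.2.44", "country": "DE"},
    {"ts": "2024-05-01T11:00:00", "user": "cfo@example.com", "session": "s3",
     "kind": "interactive", "ip": "198.51.100.99", "country": "US"},
]
# Assumed per-user baseline of countries seen during normal work.
BASELINE = {"cfo@example.com": {"DE"}}

def detect_suspicious_sessions(events, baseline, window=timedelta(hours=1)):
    """Return (session, reason) pairs for two MITM-proxy footprints:
    the MFA sign-in itself came from outside the user's country baseline
    (the proxy, not the user, talked to the identity provider), or the
    issued session was reused from another IP and country within `window`."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        origin = next((e for e in evs if e["kind"] == "interactive"), None)
        if origin is None:
            continue  # no MFA sign-in seen for this session
        if origin["country"] not in baseline.get(origin["user"], set()):
            alerts.append((sid, "mfa_signin_outside_baseline"))
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            if e["kind"] != "non_interactive":
                continue
            moved = e["ip"] != origin["ip"] and e["country"] != origin["country"]
            if moved and datetime.fromisoformat(e["ts"]) - t0 <= window:
                alerts.append((sid, "token_reuse_from_new_location"))
                break  # one replay alert per session is enough
    return alerts

if __name__ == "__main__":
    print(detect_suspicious_sessions(EVENTS, BASELINE))
```

Session s1 is flagged because its token is used from a new IP and country three minutes after MFA, and s3 because the MFA sign-in itself arrived from outside the baseline; s2 stays quiet.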
MFA’s place as a vital security control is undeniable. However, its limitations must be recognized. As attackers refine their tactics, our defenses must keep pace. Security isn’t just about additional layers – it’s about having secure, effective layers.