top of page

Phishing attacks bypassing MFA - again

In a recent blog post, Microsoft is describing the latest attempts to steal Microsoft365 credentials via social engineering i.e. phishing, even when a user is protected by multifactor authentication (MFA).

The novelty in this latest attempt is that Russia-based threat actors are trying to obtain credential tokens for MS365 services, but bypassing the relatively new "number matching" MFA protection. This one was introduced by Microsoft to thwart attacks against push-based mobile MFA apps and tackle the problem of MFA push bombing.

Number matching is a setting that forces the user to enter a number displayed in the push notification into their app to approve the authentication request. In this scenario, users cannot approve push requests without entering the numbers on the login screen. Number matching makes it impossible for users to accept the prompt in the push notification, without knowing the numbers.

In the latest campaigns, threat actors are asking victims to enter the number matching code into their Microsoft Authenticator app, once prompted.

The target user first receives a Microsoft Teams message request from an external user masquerading as a technical support or security team.

If the target user accepts the message request, the user then receives a Teams message from the attacker attempting to convince them to enter a code into the Microsoft Authenticator app on their mobile device. This part is effectively implementing an attacker-in-the-middle MFA bypass proxy solution, now part of the standard attacker toolkit.

Inviting user to enter the number into the MFA app
Inviting user to enter the number into the MFA app. Source: Microsoft

If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user. The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow.

The actor then proceeds to conduct post-compromise activity, which involves information theft and further lateral movement within the MS365 cloud tenant.

The Recommendation? Phishing resistant MFA - again

We all know passwords are woefully inadequate as the sole identity protection, and multifactor authentication (MFA) should be used as much as possible to protect all entry points into an organizations.

However, the innovations in attackers' phishing techniques show that even popular MFA methods (such as smartphone push based notifications) are rapidly becoming obsolete.

So it's no wonder Microsoft and other vendors are again recommending users to pilot and start deploying phishing-resistant authentication methods. These are relying on public key cryptography and physical tokens. Although more difficult to implement and maintain, a recent standard called FIDO2 is avoiding the most common complexities of such authentication methods, notably implementing a public key infrastructure (PKI).


bottom of page