Microsofts Multi-Factor Authentication easily exploited by email compromise campaign (23rd Septembe

Ref# AL2022_61 | Date: Sep 23rd 2022


In August 2022, a business email compromise campaign has been targeting Microsoft 365 organizations, managing to exploit Microsofts Multi-factor authentication to gain unauthorized access to users” accounts.


Multi-factor authentication (MFA) is regarded as one of the best security methods for safeguarding and protecting user accounts and credentials. However, an MFA that is not configured correctly and effectively could lead to threat actors easily circumventing and bypassing the security measures in place and this is the case with Microsofts MFA. On August 24, 2022, a security firm called Mitiga reported on a sophisticated business email compromise (BEC) campaign that targeted an organization using Microsoft 365. The threat actors managed to exploit the weak default configurations used by Microsofts MFA and gained access to credentials and sensitive information.

How it works?

The campaign makes use of the adversary-in-the-middle (AiTM) phishing technique as its main entry point. In AiTM phishing, threat actors would deploy their proxy server between a targeted user and the website the user is trying to access. The proxy server is used to transmit HTTP packets to and from the website the user is trying to access which makes the phishing site very identical to the original website. When credentials and the MFA are sent by the user to the website for authentication, the proxy server will be able to sniff the credentials and returning authentication token from the session cookies. These session cookies and authentication token can then be used by the threat actor to bypass the MFA process.

For Microsofts MFA, the weakness lies in the default settings which is the MFA deciding when to require the second form of authentication. When analyzing an active login session, if the session was previously authorized then Microsoft MFA does not require the second form of authentication. It was also reported that Microsoft does not require a second form of authentication when accessing and changing user authentication methods on an account profile. A user in a previously authorized session can add a new authenticator app without any form of authentication.   


To circumvent this type of threat, users are advised to follow the steps below:

  1. Enable conditional access policies such as compliant or trusted devices and specific IP address requirements.
  2. Monitor for suspicious activities such as sign-in attempts with regards to location, ISP, user agent and services.
  3. Invest in advanced anti-phishing solutions to monitor and scan incoming emails and visited websites for malicious activities.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Microsoft”s Multi-factor Authentication easily exploited by email compromise campaign.pdf