Microsoft 365's multi-factor authentication relies on an insecurely implemented protocol, according to security researchers at Proofpoint, who found several vulnerabilities in the way Microsoft and identity providers implement the WS-Trust standard behind it.
Proofpoint researchers recently discovered serious vulnerabilities in the implementation of multi-factor authentication (MFA) in WS-Trust-enabled cloud environments. These vulnerabilities may allow attackers to bypass MFA and access cloud applications that use the protocol, in particular Microsoft 365. Because of the way Microsoft 365 session login is designed, an attacker who bypasses MFA gains full access to the target account, including mail, files, contacts and other data. The same vulnerabilities can also be used to reach other cloud services provided by Microsoft, including production and development environments such as Azure and Visual Studio.
Proofpoint announced the vulnerabilities and demonstrated them at its virtual user conference, Proofpoint Protect. They may have existed for many years. Proofpoint says it tested multiple identity provider (IdP) solutions, identified those vulnerable to the attack, and resolved the security issues with them.
The vulnerabilities are the result of various errors in how Microsoft and the IdPs implement WS-Trust, a protocol that Microsoft itself describes as "inherently insecure". In some cases an attacker could bypass MFA by spoofing their IP address through simple manipulation of a request header.
In another case, changing the User-Agent header caused the IdP to misidentify the protocol and treat the connection as modern authentication. In every case, Microsoft records the connection as "modern authentication", because the legacy protocol is converted into the modern one on the way in. Administrators and security staff monitoring the tenant who are unaware of this will therefore only see connections established through modern authentication, with nothing to indicate that MFA was bypassed.
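To make the two header-manipulation mistakes concrete, here is a toy model of an IdP's request handling, written for this article rather than taken from Proofpoint, Microsoft or any IdP vendor. Each flaw is shown in a vulnerable and a hardened form: the first reads the client address from a header the client controls, the second classifies the protocol from the User-Agent string. The trusted-network policy, the proxy address, the endpoint paths and the attacker request are assumptions made for illustration; no real WS-Trust implementation is reproduced.

```python
"""
Added example (not Proofpoint's, Microsoft's or any IdP vendor's code): a toy
model of the two header-manipulation flaws, each in a vulnerable and a
hardened form. Policy, proxy address, endpoint paths and the sample request
are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed policy: connections from these ranges are "trusted locations" and skip MFA.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Assumed: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = frozenset({"203.0.113.2"})
# Assumed endpoint paths used to tell a legacy WS-Trust login from a modern token request.
WS_TRUST_PATH = "/adfs/services/trust/2005/usernamemixed"
OAUTH_TOKEN_PATH = "/adfs/oauth2/token"
# Assumed: User-Agent prefixes the vulnerable classifier treats as "modern" clients.
MODERN_UA_PREFIXES = ("Mozilla/", "Outlook/")


@dataclass
class Request:
    peer_ip: str               # address on the TCP connection the IdP actually accepted
    path: str                  # endpoint the request was sent to
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        lower = {k.lower(): v for k, v in self.headers.items()}
        return lower.get(name.lower())


# Flaw 1: client IP read from a header anyone can write.
def client_ip_vulnerable(req: Request) -> str:
    xff = req.header("X-Forwarded-For")
    # The first entry is whatever the client itself put there.
    return xff.split(",")[0].strip() if xff else req.peer_ip


def client_ip_hardened(req: Request) -> str:
    xff = req.header("X-Forwarded-For")
    # Only honour the header when the connection really comes from our proxy,
    # and take the entry that proxy appended (the last one), not the client's.
    if req.peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return req.peer_ip


def mfa_required(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


# Flaw 2: protocol classified from the User-Agent string the client chooses.
def is_modern_auth_vulnerable(req: Request) -> bool:
    ua = req.header("User-Agent") or ""
    return ua.startswith(MODERN_UA_PREFIXES)


def is_modern_auth_hardened(req: Request) -> bool:
    # Classify by what the request is, not by what it claims to be.
    return req.path == OAUTH_TOKEN_PATH


def evaluate(req: Request, hardened: bool) -> dict:
    """Decisions the IdP would take for this request under each code path."""
    ip = client_ip_hardened(req) if hardened else client_ip_vulnerable(req)
    modern = is_modern_auth_hardened(req) if hardened else is_modern_auth_vulnerable(req)
    return {"client_ip": ip, "mfa_required": mfa_required(ip), "treated_as_modern_auth": modern}


# Constructed attacker request: external address, spoofed internal X-Forwarded-For,
# browser-like User-Agent, but sent to the legacy WS-Trust endpoint.
ATTACKER_REQUEST = Request(
    peer_ip="198.51.100.7",
    path=WS_TRUST_PATH,
    headers={"X-Forwarded-For": "10.1.2.3",
             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
)

if __name__ == "__main__":
    print("vulnerable:", evaluate(ATTACKER_REQUEST, hardened=False))
    print("hardened:  ", evaluate(ATTACKER_REQUEST, hardened=True))
```

Under the vulnerable path the request appears to come from 10.1.2.3, so MFA is skipped, and it is logged as modern authentication; under the hardened path the same request is seen as coming from 198.51.100.7 over the legacy endpoint and MFA is required.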
The vulnerabilities took research to find, but once known they can be exploited in an automated way. They are hard to detect and may leave no trace or alert in the event logs at all. Since MFA can be bypassed as a preventive control, organizations need to layer additional security measures on top of it, in the form of account-compromise detection and remediation.
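The following detector is an added example, not Proofpoint's or Microsoft's code, of what that extra detection layer can look like. It runs over constructed sign-in records shaped like Microsoft 365 sign-in log entries (field names follow the Microsoft Graph signIn resource). Because a converted WS-Trust sign-in is recorded as "modern authentication", the rules deliberately do not trust the protocol label: they flag MFA-enforced accounts that only presented one factor from outside trusted ranges, successful sign-ins from an address never seen before for that account, and legacy clients (IMAP, POP and similar, which the article returns to below) that succeeded at all. The user list, address baselines, trusted ranges and log lines are assumptions made up for this example.

```python
"""
Added example (not Proofpoint's or Microsoft's code): rule-based detection over
constructed Microsoft 365-style sign-in records. Users, baselines, ranges and
the sample log are made up for illustration.
"""
import json
from ipaddress import ip_address, ip_network

# Assumed organisational context (not real data).
MFA_ENFORCED_USERS = {"alice@example.com", "bob@example.com"}
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11", "198.51.100.5"},
}
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sample sign-in log (JSON Lines, one record per line).
SAMPLE_LOG = """\
{"createdDateTime":"2020-09-14T08:01:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-14T08:07:00Z","userPrincipalName":"alice@example.com","ipAddress":"192.0.2.44","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-14T09:15:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.5","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-14T09:20:00Z","userPrincipalName":"copier@example.com","ipAddress":"192.0.2.90","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2020-09-14T09:21:00Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.91","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
"""


def in_trusted_range(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def rules_for(rec: dict) -> list:
    """Names of the detection rules one successful sign-in record trips, in fixed order."""
    hits = []
    user, ip = rec["userPrincipalName"], rec["ipAddress"]
    single_factor = rec.get("authenticationRequirement") == "singleFactorAuthentication"
    # An MFA-enforced account that got in with one factor from outside trusted ranges:
    # exactly what a converted WS-Trust bypass looks like, whatever the protocol label says.
    if user in MFA_ENFORCED_USERS and single_factor and not in_trusted_range(ip):
        hits.append("single_factor_for_mfa_user")
    # A first-seen address for an account we have a baseline for.
    if user in KNOWN_IPS and ip not in KNOWN_IPS[user]:
        hits.append("new_ip_for_user")
    # Legacy clients cannot carry a second factor, so any success is worth a look.
    if rec.get("clientAppUsed") in LEGACY_CLIENTS:
        hits.append("legacy_client_success")
    return hits


def detect(log_text: str) -> list:
    """Parse JSON Lines sign-in records and return one alert per record that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only successful sign-ins are scored here; errorCode 0 means success.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        hits = rules_for(rec)
        if hits:
            alerts.append({"time": rec["createdDateTime"], "user": rec["userPrincipalName"],
                           "ip": rec["ipAddress"], "client": rec.get("clientAppUsed"),
                           "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises three alerts: alice signing in with a single factor from a never-seen address, bob signing in with a single factor from a known but untrusted address, and the copier account succeeding over IMAP. The failed sign-in is ignored, and alice's normal MFA sign-in from the office range trips nothing. In a real tenant the baselines would be built from history and the MFA-enforced set from Conditional Access policy, and failed sign-ins would feed a separate password-spraying rule.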
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) has quickly become an essential security layer for cloud applications. During the global pandemic, as organizations moved to working from home, demand for cloud-based applications such as messaging and collaboration platforms surged. Employees began accessing company applications from personal and unmanaged devices, and spent more time on their company devices at home reading potentially harmful personal email or browsing risky websites.
Common MFA bypass methods include real-time phishing, channel hijacking, and abuse of legacy protocols.
Unlike ordinary phishing, real-time phishing also captures the user's additional factor. In some cases the attacker places a "proxy" between the target website and the victim: the proxy site looks like the real one and relays the credentials and authentication codes the victim enters to the attacker in real time. Tools such as Modlishka automate this kind of attack. However, attackers must keep updating their tooling to avoid detection by the large vendors, and the attack requires more complex infrastructure.
A cheaper and more scalable way to bypass MFA is to attack cloud accounts over legacy protocols. Many organizations keep legacy protocols enabled to support older devices or applications (such as photocopiers) or shared accounts (such as meeting-room mailboxes). Legacy email protocols such as POP and IMAP have no way to carry a second factor for non-interactive clients, so MFA cannot be enforced on them. This bypass is easy to automate and to run against credential dumps from the web or credentials obtained by phishing. Even where organizations have started blocking legacy protocols, or allow them only for certain users, the problem persists for whatever remains allowed.
Channel hijacking usually targets the victim's phone or computer, typically with malware. PC malware can use man-in-the-browser techniques or web injects to capture the information. Some mobile malware steals MFA codes from the phone. In some cases attackers even intercept text messages directly through the cellular network or rogue cell towers, take over the victim's phone number, or break into their voicemail.