Oreta has found that many organisations misconfigure MFA policies in their Microsoft 365 cloud environments. This can allow attackers to bypass MFA and gain unauthorised access to sensitive data.
Here are some of the most common MFA misconfigurations:
- Enabling MFA for only some users. This leaves users who are not required to use MFA vulnerable to attack.
- Allowing users to bypass MFA for certain applications or devices. This can make it easier for attackers to gain access to sensitive data.
- Not enforcing MFA for all sign-in attempts. This can allow attackers to gain access to an account by simply guessing the user’s password.
Organisations should carefully review their MFA policies to ensure that they are properly configured. They should also regularly test their MFA policies to ensure that they are working as intended.
Conditional Access Policies (CAPs) are a powerful tool for controlling access to Microsoft 365 and Azure AD resources. However, CAPs can be complex to configure and manage, and misconfigurations can lead to security vulnerabilities.
We have observed several CAP issues that can be used to bypass MFA. These issues include:
- Using the wrong conditions in a CAP rule. For example, a CAP rule that only applies to users in the United States could be bypassed by an attacker who logs in from another country.
- Excluding certain users or devices from a CAP rule. For example, a CAP rule that requires MFA for all users could be bypassed by an attacker who uses a device that is excluded from the rule.
- Not enforcing MFA for all sign-in attempts. For example, a CAP rule that requires MFA for all sign-in attempts could be bypassed by an attacker who uses a compromised password to log in.
Permitting Mobile Devices
To mitigate this risk, it is important to enforce MFA for all users, regardless of the device they are using. Additionally, organisations can implement additional security measures such as Mobile Device Management (MDM) or Mobile Application Management (MAM) compliance.
Unintentionally Permitting Linux Devices
Exempted Service Accounts
During penetration tests, Oreta consultants have found service accounts that have been in use since 2010 and have passwords like “Password1.” This is a major security risk.
To mitigate this risk, organisations should use Conditional Access Workload Identities (CAWI) to block untrusted external authentication events for service accounts. CAWI allows organisations to define policies that require service accounts to only authenticate from trusted locations.
In addition, organisations should use a privileged access management (PAM) solution to ensure that service accounts are secure. PAM solutions can help to manage service account passwords, enforce least privilege, and audit access to service accounts.
Opt-In Selective Enforcement
To mitigate this risk, MFA enforcement should be set to opt-out by default. This means that all users will be required to use MFA, unless they are explicitly exempted. Any exemptions should be carefully considered and audited.
By setting MFA enforcement to opt-out by default, organisations can help to ensure that all users are protected, regardless of when they joined the organisation.
Oreta ran a red team/blue team exercise on a client in the finance industry. In a red /blue team exercise, the red team is made up of offensive security experts who try to attack an organisation’s cybersecurity defences. The blue team defends against and responds to the red team attack. On a red team, Oreta obtained username and password credentials via a password spray. On authenticating to Microsoft 365 it was found that MFA was enforced through the browser. Typically, the tool MFASweep (dafthack, 2022) is executed to find low-hanging fruit in CAPs – by mimicking a mobile device – but this did not result in a bypass on this test. What is important to remember is that CAP is evaluated holistically. Many rules may be evaluated during a given authentication event. As a result, Oreta testers were able to brute-force combinations of known devices, applications, and Microsoft login endpoints to find the combination of CAP to obtain access. Upon authenticating with a Linux user agent and a spoofed “Windows Config Designer” source application ID to the Microsoft Graph API endpoint, the CAP were satisfied and provided the consultant access to the organisations cloud without the need for MFA.
- Exclusive by default
- Clear in purpose
- Properly labelled
- Consistently applied with minimal exceptions
- Regularly audited to detect abnormal login flows.
Contact us now to evaluate your MFA policies.