Sunday, 23 Jun 2024

Advisory: Persistent MFA Circumvention in an Advanced BEC Campaign on Microsoft 365 Targets

[Figure: Entra sign-in log detail reading “First factor requirement satisfied by claim in the token”]

Mitiga recently uncovered a sophisticated business email compromise (BEC) campaign that specifically targets Microsoft 365 organizations. The campaign abuses weaknesses in how Microsoft 365 MFA (multi-factor authentication) evaluates existing token claims, in Microsoft Authenticator registration, and in Identity Protection, and in doing so defeats the protection MFA is meant to provide. Even accounts with MFA enabled are at risk of full compromise.


Mitiga’s investigation began with a thwarted BEC attack. Although the parties involved prevented the fraud, the attempt showed that the attacker held sensitive information that could only have been obtained by compromising a user inside the organization.

Indicators of Compromise Analysis

During the investigation, Mitiga discovered unauthorized access to the Microsoft 365 user account of an executive from various locations, including Singapore, Dubai, and San Jose, California. The initial compromise occurred through an adversary-in-the-middle (AiTM) phishing technique, granting the attacker access to the executive’s account and mailbox.

Further examination of the compromised account revealed a second Authenticator app registered without the user’s knowledge. The extra factor gave the attacker persistence: they could satisfy any future MFA challenge themselves, rendering the user’s MFA ineffective.

Microsoft 365 MFA Weaknesses Analysis

An AiTM phish already hands the attacker a fully authenticated session, so compensating controls must limit what that session can do. One crucial control is an MFA challenge triggered on suspicious activity, such as accessing resources from a new IP address, requesting elevated permissions, or opening highly sensitive applications.


By default, Microsoft evaluates the token in the active session to decide whether a new MFA challenge is needed. If the session was previously authorized with MFA, no new challenge is issued; the sign-in logs record this as “Previously satisfied – MFA requirement satisfied by claim in the token.” Microsoft does not let customers change this evaluation, so they cannot demand a fresh challenge for specific high-risk actions.

Two examples highlight the severity of this issue. First, Privileged Identity Management (PIM) lets administrative users work with non-administrative rights and elevate to administrator only when necessary. Microsoft does not let customers force a fresh MFA re-challenge on activation: a previously satisfied claim suffices, despite the inherent risk. Consequently, if an account eligible for PIM is compromised, the attacker can activate administrator privileges from the PIM portal themselves. The user receives a notification when the role is activated, but by then the attacker already holds the privilege.

Secondly, Microsoft does not mandate an MFA re-challenge when a user views or modifies their authentication methods in the Security Info section of the account profile. A session holding a Previously Satisfied token can therefore add a new Authenticator app with no MFA prompt. This means that even a brief compromise is enough for the attacker to establish persistence and re-authenticate with MFA later, after the session expires or is revoked. Organizations cannot prevent this technique even if they enforce a strict sign-in frequency of one day, because the persistence is created within the stolen session.

The investigation logs illustrate this. At 8:31:27 the attacker opened the “My Access” portal, an application that requires MFA; Conditional Access reported the requirement as satisfied, but a closer inspection shows that no MFA actually took place in that session, because the requirement was met by the claim already in the token. At 8:32:09 the attacker started a security info registration and added a new Authenticator app, completing the process in 5 seconds without any MFA prompt.
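The two log entries above are the signal a defender can hunt for: a sign-in whose MFA requirement was only “previously satisfied” by a token claim, arriving from a country the user has never completed interactive MFA from, followed within minutes by a security-info registration. The script below is an added example for this advisory, not code from Mitiga or Microsoft. It runs over constructed sign-in and audit records shaped like the Microsoft Graph signIn and directoryAudit resources; the step-detail strings, the activity names and the seven-day baseline window are this example’s assumptions and should be checked against your own export.

```python
"""Hunt for MFA persistence via security-info registration in Entra ID (Azure AD) logs.

Added example, not the advisory's own tooling. Field names follow the Microsoft Graph
signIn / directoryAudit resources as the author understands them; the strings below
are assumptions, and every record is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# authenticationStepResultDetail values (assumed wording; verify in your tenant).
PREVIOUSLY_SATISFIED = "MFA requirement satisfied by claim in the token"
INTERACTIVE_MFA = "MFA completed in Azure AD"
# directoryAudit activityDisplayName values for security-info changes (assumed).
REGISTRATION_ACTIVITIES = {
    "User started security info registration",
    "User registered security info",
    "User completed security info registration",
}


def signin(upn, ts, ip, country, app, detail):
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "appDisplayName": app,
            "authenticationDetails": [{"authenticationStepResultDetail": detail}]}


def audit(upn, ts, ip, activity="User registered security info"):
    return {"activityDisplayName": activity, "activityDateTime": ts,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}}


# Constructed sample data.
SIGNINS = [
    signin("exec@example.com", "2022-08-01T09:00:00Z", "198.51.100.5", "US", "Office 365 Exchange Online", INTERACTIVE_MFA),
    signin("alice@example.com", "2022-08-01T10:00:00Z", "198.51.100.7", "US", "Office 365 Exchange Online", INTERACTIVE_MFA),
    # AiTM-stolen session replayed from a new country; the token's MFA claim is simply carried over.
    signin("exec@example.com", "2022-08-10T08:31:27Z", "203.0.113.10", "SG", "My Access", PREVIOUSLY_SATISFIED),
    signin("exec@example.com", "2022-08-10T08:35:00Z", "203.0.113.10", "SG", "Microsoft Teams", PREVIOUSLY_SATISFIED),
    # Benign: known country, followed by a legitimate re-registration.
    signin("alice@example.com", "2022-08-10T08:40:00Z", "198.51.100.7", "US", "My Signins", PREVIOUSLY_SATISFIED),
]
AUDITS = [
    audit("exec@example.com", "2022-08-10T08:32:14Z", "203.0.113.10"),
    audit("alice@example.com", "2022-08-10T08:41:00Z", "198.51.100.7"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_step_details(signin_record):
    return {d.get("authenticationStepResultDetail", "")
            for d in signin_record.get("authenticationDetails", [])}


def learn_baseline(signins, days=7):
    """Countries each user completed interactive MFA from, ignoring the most recent `days`."""
    latest = max(parse_ts(s["createdDateTime"]) for s in signins)
    cutoff = latest - timedelta(days=days)
    baseline = defaultdict(set)
    for s in signins:
        if parse_ts(s["createdDateTime"]) < cutoff and INTERACTIVE_MFA in mfa_step_details(s):
            baseline[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return baseline


def suspicious_signins(signins, baseline):
    """Sign-ins whose MFA claim was merely carried over, from a country never seen with real MFA."""
    return [s for s in signins
            if PREVIOUSLY_SATISFIED in mfa_step_details(s)
            and s["location"]["countryOrRegion"] not in baseline.get(s["userPrincipalName"], set())]


def hunt(signins, audits, window_minutes=10):
    """Correlate suspicious sign-ins with a security-info registration shortly afterwards."""
    baseline = learn_baseline(signins)
    alerts = []
    for s in suspicious_signins(signins, baseline):
        t0 = parse_ts(s["createdDateTime"])
        for a in audits:
            if a["activityDisplayName"] not in REGISTRATION_ACTIVITIES:
                continue
            actor = a["initiatedBy"]["user"]
            delta = parse_ts(a["activityDateTime"]) - t0
            if actor["userPrincipalName"] == s["userPrincipalName"] \
                    and timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                alerts.append({
                    "user": s["userPrincipalName"],
                    "signin_ip": s["ipAddress"],
                    "country": s["location"]["countryOrRegion"],
                    "registration": a["activityDisplayName"],
                    "registration_ip": actor.get("ipAddress"),
                    "same_ip": actor.get("ipAddress") == s["ipAddress"],
                    "seconds_to_registration": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SIGNINS, AUDITS):
        print(alert)
```

Only the executive’s Singapore session produces an alert: its MFA was never performed in that session, the country is absent from the user’s interactive-MFA history, and a registration from the same IP follows 47 seconds later. Alice’s re-registration is ignored because her token reuse came from a known country. In a real tenant, feed this from the sign-in and audit log exports (or the equivalent KQL over `SigninLogs` and `AuditLogs`) and treat any hit as a likely stolen session with persistence already planted.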


Regrettably, Microsoft does not offer a fix. Microsoft 365 cannot be configured to demand an MFA re-challenge for this type of activity or any other. Identity Protection flags some of these sign-ins as risky, but its default remediation is an MFA challenge, which the attacker passes with the Authenticator app they have already registered.

Conclusion & Recommendations

Over the years, MFA has been heralded as a defense against phishing attacks, becoming a standard in most organizations. However, attackers have developed techniques like AiTM to overcome this added security layer. While it may be challenging to prevent such attacks without additional controls, containing and limiting their scope is relatively straightforward. Requiring an MFA re-challenge for security-related activities and risky sign-ins would significantly mitigate the risk. Unfortunately, Microsoft does not currently offer these capabilities.

In light of the growing prevalence of AiTM attacks, multi-factor authentication alone can no longer serve as the primary defense against identity attacks. We strongly recommend an additional layer of defense: a factor tied to a physical device, namely the employee’s authorized laptop or phone. Microsoft 365 offers this through Conditional Access, which can require that every sign-in come from an enrolled, compliant device; a session relayed through an AiTM proxy on an unmanaged machine then fails the device check, so the stolen credentials and MFA response are not enough.
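The Conditional Access policy recommended above, as an added example that is not Microsoft’s or Mitiga’s code: it builds the request body for `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` and can submit it with a bearer token holding `Policy.ReadWrite.ConditionalAccess`. The break-glass object ID placeholder, the report-only default state and the small `grant_satisfied` simulation are this example’s assumptions.

```python
"""Conditional Access policy requiring a compliant (or hybrid-joined) device for every app.

Added example for this advisory. The policy shape follows the Microsoft Graph
conditionalAccessPolicy resource; the break-glass ID is a placeholder to replace.
"""
import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_ACCOUNT = "00000000-0000-0000-0000-000000000000"  # placeholder object ID (assumption)


def build_require_compliant_device_policy(display_name="Require compliant device for all apps",
                                          exclude_users=(BREAK_GLASS_ACCOUNT,),
                                          state="enabledForReportingButNotEnforced"):
    """Return the policy body. Start in report-only, review the sign-in logs, then set 'enabled'."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        # OR: a compliant (Intune-managed) or hybrid Azure AD joined device satisfies the grant.
        "grantControls": {"operator": "OR",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }


def grant_satisfied(policy, device_claims):
    """Simulate the grant check. A session relayed through an AiTM proxy carries no device claim."""
    controls = set(policy["grantControls"]["builtInControls"])
    present = controls & set(device_claims)
    if policy["grantControls"]["operator"] == "OR":
        return bool(present)
    return present == controls


def create_policy(access_token, policy):
    """POST the policy to Microsoft Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_require_compliant_device_policy()
    print(json.dumps(policy, indent=2))
    print("managed laptop:", grant_satisfied(policy, {"compliantDevice"}))  # True
    print("AiTM proxy session:", grant_satisfied(policy, set()))  # False
```

Keep at least one excluded break-glass account so a mis-scoped policy cannot lock administrators out, and leave the policy in report-only mode until the “report-only” results in the sign-in logs show no legitimate users being denied.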

Frequently Asked Questions

  1. What is an AiTM attack?
    AiTM stands for adversary-in-the-middle. It is a phishing technique in which the attacker proxies the communication between the victim and the legitimate service, capturing credentials and the authenticated session, which leads to compromised accounts and exposure of sensitive information.

  2. Is multi-factor authentication (MFA) still effective?
    While MFA adds an extra layer of security, this article highlights potential weaknesses in Microsoft 365’s MFA implementation. It’s crucial to implement additional layers of defense and consider other factors, such as conditional access and physical device authentication.

  3. How can organizations enhance their security against identity attacks?
    In addition to MFA, organizations should consider requiring an additional factor tied to a physical device, such as the employee’s authorized laptop or phone, enforced through Conditional Access. This extra layer can significantly reduce the impact of attacks like AiTM.



As technology evolves, so do attackers’ tactics. This advanced business email compromise campaign against Microsoft 365 organizations is a reminder that relying solely on multi-factor authentication may not be sufficient. By understanding these weaknesses in Microsoft 365 MFA and adding controls such as Conditional Access device requirements, organizations can better protect themselves against identity attacks.
