Microsoft has provided several mitigations against multi-factor authentication attacks that could make it more difficult for remote workers.
Three years ago, multi-factor authentication attacks (MFA) were so rare that Microsoft needed decent statistics. This was mainly because only a few organizations had enabled MFA.
Microsoft has noticed an increase in token theft by attackers trying to bypass MFA as MFA usage rises, and attacks on passwords become more frequent.
These attacks involve the attacker compromising a token issued to someone who has already completed MFA and replaying that token to gain access to a new device. OAuth 2.0 identity platforms, such as Azure Active Directory (AD), are based on tickets. They aim to make authentication more straightforward and efficient for users while still resisting password attacks.
Microsoft also warns that token theft is dangerous as it doesn’t require technical skills, and detection is difficult. Additionally, the technique is relatively new, so few organizations have mitigations.
Microsoft states in a blog post, “Recently, Microsoft Detection and Response Team(DART) has witnessed an increase in attackers using token theft for this reason.”
“By replaying and compromising a token that was issued to an identity who has completed multi-factor authentication, a threat actor validates MFA. Access is then granted to the appropriate organizational resources.” This tactic concerns defenders as the token theft mitigations available to organizations must be more well-known and challenging to detect.
Accessing web applications protected by Azure AD requires that the user present a valid token. This token can be obtained after they sign into Azure AD with their credentials. For example, administrators can create a policy that requires MFA for users to log in to an account via a browser. The web application validates the token issued to the user and then opens access.
Microsoft explains that “when the user is phished the malicious infrastructure captures both his credentials and the token.”
The attacker could use the token and credentials to launch multiple attacks if they are stolen. In addition, Microsoft highlights cybercrime as the leading cause of financial loss due to email compromises in business.
Microsoft warns against “Pass-the cookie” attacks. This is where an attacker compromises a device to extract browser cookies created after authentication with Azure AD from a web browser. Then, to bypass security checks, the attacker transmits the cookie to another browser.
“Users who access corporate resources via personal devices are particularly at risk. Microsoft points out that personal devices are often less secure than corporate-managed ones and IT staff have limited visibility to identify a compromise. Remote workers who use personal devices are at greater risk.
Microsoft suggests that token theft attacks against MFA be prevented by reducing token lifetimes and session lengths. However, this comes at a cost to the user. These mitigations include:
- The session’s lifetime can be reduced, increasing the likelihood that a user will need to re-authenticate.
- Token theft is more common when threat actors reduce the token’s viable time.
- Microsoft recommends that users connecting to unmanaged devices use Conditional Access App Control in Microsoft Defender for Cloud Apps.
Microsoft recommends that users use certificate-based authentication for security keys such as Windows Hello for Business or FIDO2 security keys.
Users with high-level privileges, such as Global Domain admin, should have a separate cloud-only identity. If an attacker compromises systems on-premises, this will reduce the attack surface to the cloud. Microsoft stated that these identities should not be attached to a mailbox.
Microsoft acknowledges that it is only sometimes practical for organizations to enforce device compliance and location controls on all applications.
