MFA for Microsoft 365 is not enough

26 June 2020

Some time ago, together with Vectra, we offered organisations the opportunity to take part in a pilot programme around Microsoft 365 (formerly Office 365). Several organisations took part in this programme. What stands out as alarming is the research Vectra carried out into an Australian attack. Read the research below (in English):

The cause of the Australian Attack

A quick update on the how and why of the Australian Attack.

The state-backed actors responsible for the Australian attacks leveraged OAuth apps to gain unauthorized access to cloud accounts such as Microsoft Office 365. From what we know so far, the steps in the Australian attacks were:

1. The attackers created a malicious “Office 365 application, in addition to a suitable OAuth authorization URL, to be sent to target users as part of a spear-phishing link.” The app is made to appear legitimate; in this case, the app was named similarly to a well-known email filtering solution used extensively in Australian government.

2. On receipt, the malicious app convinces the victim to grant permission to access data in the user’s account. Notably, things like offline access, user profile information, and the ability to read, move and delete emails.

3. Once successful, the attacker would have direct access to an internal email. A perfect platform to either continue to phish other internal targets or to infect files in SharePoint or OneDrive.

More details are available from the Australian Cyber Security Centre advisory and the excellent Risky.biz newsletter.

Advisory 2020-008: Copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks

We expect to see more of this type of attack in the future. Spear-phishing attacks are tough for email security solutions to detect, and by default, Office 365 allows end-users to enable Azure apps without administrators’ approval. Microsoft recommends that customers enable MFA, and that admins change the default settings not to allow end-users to install new Office 365 apps. This blunt “all or nothing” option further validates the importance of detection solutions. While preventative measures like MFA are designed to stop credential-based attacks, MFA can be and was evaded.

Attacks like these are something that Vectra Cognito Detect for Office 365 could have detected and stopped. Our detections for Suspicious Application Permissions are built to detect the installation of such apps. By analyzing events like logins, file creation/manipulation, DLP configuration, and mailbox routing configuration & automation changes, we accurately find attacker behavior patterns across the entire Attacker Kill Chain for Office 365.
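As an added illustration of the kind of check described above (not code from Vectra, Microsoft or the original post), the Python below triages delegated OAuth consent grants for the combination this attack relied on: end-user consent, offline access plus mailbox scopes, and an app name close to a trusted product. The records are constructed and only loosely modelled on Microsoft Graph permission-grant data; the scope mapping, the `publisherVerified` field, the `TRUSTED` inventory and the thresholds are assumptions.

```python
from difflib import SequenceMatcher

# Delegated scope names assumed to correspond to the access the report lists.
PERSISTENCE = {"offline_access"}
MAIL_READ = {"Mail.Read", "Mail.Read.Shared"}
MAIL_WRITE = {"Mail.ReadWrite", "Mail.ReadWrite.Shared"}
# Hypothetical inventory: product name -> the only client ID allowed to use it.
TRUSTED = {"Contoso Mail Filter": "app-001"}

def imitates(name, client_id, threshold=0.8):
    """Return the trusted product whose name this app copies or resembles."""
    for trusted_name, trusted_id in TRUSTED.items():
        ratio = SequenceMatcher(None, name.lower(), trusted_name.lower()).ratio()
        if client_id != trusted_id and ratio >= threshold:
            return trusted_name
    return None

def assess(grant, apps):
    """List the reasons one delegated permission grant deserves review."""
    scopes = set(grant["scope"].split())
    app = apps[grant["clientId"]]
    reasons = []
    if grant["consentType"] == "Principal":
        reasons.append("consented by a single end user, not an admin")
    if scopes & PERSISTENCE and scopes & (MAIL_READ | MAIL_WRITE):
        reasons.append("long-lived mailbox access (offline_access + mail scope)")
    if scopes & MAIL_WRITE:
        reasons.append("can move and delete mail")
    if not app["publisherVerified"]:
        reasons.append("publisher not verified")
    copied = imitates(app["displayName"], grant["clientId"])
    if copied:
        reasons.append(f"name resembles trusted app '{copied}'")
    return reasons

def triage(grants, apps, min_reasons=3):
    """Return (clientId, principalId, reasons) for grants an analyst should open."""
    scored = [(g, assess(g, apps)) for g in grants]
    return [(g["clientId"], g["principalId"], r) for g, r in scored if len(r) >= min_reasons]

# Constructed sample records (not real tenant data).
APPS = {
    "app-001": {"displayName": "Contoso Mail Filter", "publisherVerified": True},
    "app-203": {"displayName": "Contoso MailFilter", "publisherVerified": False},
    "app-002": {"displayName": "Team Calendar Sync", "publisherVerified": True}}
GRANTS = [
    {"clientId": "app-001", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read Mail.Read"},
    {"clientId": "app-203", "consentType": "Principal", "principalId": "user-17", "scope": "offline_access User.Read Mail.ReadWrite"},
    {"clientId": "app-002", "consentType": "Principal", "principalId": "user-03", "scope": "User.Read Calendars.Read"}]
```

On the sample data, `triage(GRANTS, APPS)` returns only the grant that `user-17` gave to the lookalike app; the admin-consented filter and the calendar app stay below the threshold.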

Worryingly, this means MFA is not sufficient for securing the Microsoft 365 environment. It is only a matter of waiting for the first MFA bypass in the Netherlands.

Would you like to know more about Vectra and detection within Microsoft 365? Contact us on 0880002000 or at sales@access42.nl