Cybersecurity research firm Mandiant has observed a new trend where hackers are exploiting multifactor authentication (MFA) to exploit and gain access to dormant Microsoft accounts. MFA is an important tool used by organizations to improve security and thwart takeover attacks by hackers. However, there’s a catch.
Hackers are taking advantage of the self-enrollment process in the Azure Active Directory and other platforms. Usually, when an organization first enforces MFA, many platforms allow their users to immediately enroll for their MFA device. However, in Azure AD in its default configuration, there is no such enrollment enforced. This means that anyone who has the login credentials for an account can enroll in MFA as long as they are doing it for the first time on that account.
The Russian espionage group APT29 had earlier conducted a password guessing attack against a list of emails. For accounts that were set up but never used, the hacker group was able to use them to access the organization's VPN infrastructure. The VPN was using Azure AD for authentication and MFA.
Mandiant recommends that organizations ensure all active accounts have at least one MFA device enrolled and work with their platform vendor to add additional verifications to the MFA enrollment process. Microsoft Azure AD recently rolled out a feature to allow organizations to enforce controls around specific actions such as MFA device enrollment.
Organizations can also restrict the location of MFA registration to only trusted locations, such as an internal network or trusted devices. They can also use a temporary MFA pass to enroll in MFA when people first join or lose their MFA device.