They’ve come back around: those business email compromises (BEC), which were all too common in the late 2010s.
Unfortunately, we have seen many of these in recent weeks, even with multi-factor authentication (MFA) in place. We know that threats evolve, and maybe it’s just me, but I didn’t expect it to happen this fast.
Some of these compromises have been straightforward (a user simply handing over their password and six-digit code); others have been the much more sophisticated Adversary in the Middle (AiTM) attacks. AiTM attacks specialize in getting past MFA protection.
It’s important to note, communicate, and even stress to our users that these attacks start as an email from a trusted third party whose account has been compromised. From what we’ve seen, these emails look like a Microsoft notification requesting a login to SharePoint or another product.
It’s important that the user verify the request with its source, outside of email, before clicking. Also, be mindful of the URL of the site they are logging into; better yet, skip the link in the email entirely and log in to the trusted site directly.
Considering a picture is worth 1,000 words, here’s Microsoft’s diagram of how these AiTM attacks work:
Here are some ways to prevent AiTM attacks against Azure Active Directory and M365. We still need to protect against other attacks, so these are in addition to what we already do (MFA, training, email filters, etc.).
- FIDO2 Security Keys – This is our top recommendation, mainly because it’s the easiest solution to deploy. FIDO security keys are physical devices that are associated with your user ID in advance and must be plugged into a USB port or be physically near a system to log in as your user ID on that system. Because the key signs a challenge tied to the real site’s address, a lookalike login page sitting in the middle gets nothing it can reuse; an attacker would need to steal the physical key to be able to take over your account. They can be used in addition to user passwords or can be used to eliminate passwords altogether.
- Windows Hello for Business – From Microsoft: “Windows Hello for Business is ideal for information workers that have their own designated Windows PC. The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner. With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.” Understand that this will not easily protect users on shared workstations or users who sign in from systems other than Windows, but if your users only use dedicated Windows workstations and cannot add additional devices, this will protect them.
- Certificate-Based Authentication – Custom certificates make it impossible for an attacker's proxy in the middle to decipher the exchange between the user and the target site, making an AiTM attack much harder to perform. Certificate-based authentication is configurable in Azure.
- Conditional Access – Consider some of these in addition to MFA:
  - Require Device to be Marked as Compliant – This rule requires the device to not be compromised and to meet security conditions prior to accessing institution applications or data.
  - Require Device to be Marked as Hybrid Azure AD Joined – Similar to the rule above, security standards must be met for the device to authenticate. Examples of these standards are a supported operating system, not jailbroken, etc.
  - Trusted Locations – This could list specific IPv4 ranges or countries/regions.
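As an added illustration of the Conditional Access items above (this is not code from the original post or from Microsoft), here is how the compliant-or-hybrid-joined device requirement and a trusted location can be put in place with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope, that the office IP range is a placeholder (203.0.113.0/24 is a documentation range), and that the break-glass group ID is a placeholder you replace with your own. The policy is created in report-only mode first, which is the caveat most worth remembering: enforce it only after the sign-in logs show it would not lock out legitimate users.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A trusted named location (IPv4 ranges). 203.0.113.0/24 is a placeholder
#    documentation range; substitute your real office egress ranges.
$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate offices"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}
$trusted = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location

# 2. Placeholder: object ID of the emergency-access (break-glass) group.
#    Always exclude it so a policy mistake cannot lock every admin out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

# 3. Policy: for all users and all cloud apps, outside trusted locations,
#    require a compliant device OR a hybrid Azure AD joined device.
#    "domainJoinedDevice" is the Graph name for the hybrid-joined control.
$policy = @{
    displayName = "Require compliant or hybrid-joined device outside trusted locations"
    # Report-only: logs what the policy would do without enforcing it.
    # Change to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # every named location marked isTrusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

$trusted | Select-Object Id, DisplayName
$created | Select-Object Id, DisplayName, State
```

Note that this policy is deliberately separate from your existing MFA policy: Conditional Access evaluates every matching policy, so MFA stays required and the device requirement is layered on top, which is the "in addition to MFA" point made above. Setting the grant operator to OR is what lets either a compliant device or a hybrid-joined device satisfy the policy; an AND would demand both.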
AiTM attacks have become all too common lately, so please consider spreading the word to your team and adding some additional security layers against these attacks. If you need help or have any questions, please contact us at support@bedelsecurity.com.
Sources:
Great post with more information on the conditional access controls: https://jeffreyappel.nl/tips-for-preventing-against-new-modern-identity-attacks-aitm-mfa-fatigue-prt-oauth/