Multi-Factor Authentication: We hear so much about it.
It is 100% required across all applications, albeit on-prem or cloud, but traditional MFA does not guarantee you are protected.
The most common incident we have responded to since the inception of Tarian Cyber, similar to most Incident Response firms, is Business Email Compromise (BEC).
These compromises lead to brand damage (having to explain to clients or suppliers that an account of yours was compromised) or significant financial damage, such as invoice fraud or intercepting payment communications.
From the incidents that we have responded to, nearly all have Multi-Factor – so what gives?
Token Theft or Adversary-in-the-Middle (AiTM) attacks have been a common attack vector over the last few years. We have seen token theft increase year on year since the pandemic due to the muscle memory we have all developed by scanning QR codes.
Token theft can be performed in a number of ways but the most prevalent is through Phishing. If successfully phished, the user’s session cookie is captured, which allows attackers to bypass authentication processes such as your traditional MFA.
So you have MFA enforced either per user or tenant wide with Number matching, great – but you are not safe!
If a session token is stolen through the above scenario, the account is still compromised.
So what are your options?
There are a few options to bolster MFA; some are costly and can be difficult to implement or cause interruptions across the organisation, so selecting the right one for your organisation is important.
- Move to Phishing-resistant authentication (FIDO2 Standard) hardware-based authenticator methods such as YubiKeys or Windows Hello for Business
- Configure Conditional Access Policies to require devices to be marked as compliant through Intune
- Configure Conditional Access Policies to reduce the lifetime of a session
- Configure Conditional Access Policies to only allow certain geographic zones to complete authentication (bypassable – keep reading)
In the above examples, the last three are what we see the most in enterprise environments.
On every single BEC incident we have responded to, there was a detection from Microsoft Entra ID, whether P1 or P2, that determined the sign-in as a high risk due to anomalous login features and impossible travel alerts. Outlining – 24/7 monitoring and alerting is everything.
With Entra P2, setting a risk-based conditional access policy to require MFA/Password reset on high-risk sign-ins is also recommended.
We are observing a rise of low cost VPN’s being utilised by the malicious actors to get around common geographic blocking. It is more important than ever to monitor this use case 24/7.
We also recommend the below elements to monitor and alert for:
- Ensure the Unified Audit Logging is enabled within 365
- Monitoring High-Risk Sign-ins
- Monitor logins from low-cost VPN Providers (ExpressVPN, Nord etc)
- Monitor for New Inbox Rules where specific actions are taken, such as deleting all emails
- Highly Permissive Application Consent such as “PerfectData Software” or “eM Client”
- Monitor and Identify MFA manipulations outside of the norm using behavioural observations through machine learning
- Inbound Email Monitoring, especially for QR Codes or emails from *onmicrosoft.com
All of these use cases are monitored with high priority, and some with automated responses to isolate the threat in our Managed Detection and Response service. To learn more, please visit: tarian.com.au/managed-soc
Jack Barry
Security Operations Manager
Tarian Cyber
