MFA bypass allows hackers to infiltrate Microsoft 365

Desktop monitor and mobile phone with hand pointing

Critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including core Microsoft services.

Microsoft 365 is the most notable cloud service that can be infiltrated in such a way due to the way the platform’s session login is designed, according to Proofpoint, with hackers able to gain full access to a target’s account. Information including emails, files, contacts, among other data points would be vulnerable to such an attack.

This is in addition to the MFA bypass granting access to a host of other cloud services, including production and development environments such as Microsoft Azure as well as Visual Studio.

New Android banking trojan is able to bypass two-factor authentication Security flaw found in Google's "most secure" account authenticator Microsoft patches 129 flaws as big updates become new normal

The flaw lies in the implementation of the WS-Trust specification, an OASIS standard that is used for renewing and validating security tokens and establishing trusted connections. Proofpoint researchers claim that WS-Trust is inherently insecure and that Microsoft’s identity providers implemented the standard with a number of bugs.

These vulnerabilities can be exploited to allow an attacker, for example, to spoof their IP address to bypass MFA through a simple request header manipulation. Changing the user-agent header, in another example, may also cause the system to misidentify the protocol, and believe it to be using ‘modern authentication’.

“Most likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,” Proofpoint said.

“Vulnerabilities require research, but once discovered, they can be exploited in an automated fashion. They are hard to detect and may not even appear on event logs, leaving no trace or hint of their activity. Since MFA as a preventative measure can be bypassed, it becomes necessary to layer additional security measures in the form of account compromise detection and remediation.”

With MFA becoming an essential and more widely-adopted additional layer of security to reinforce username-and-password logins, cyber criminals are certainly more attracted to identifying and implementing bypasses.

This is particularly pertinent during the coronavirus crisis, where the mass shift to remote and home working meant critical apps and services were being accessed from insecure locations, with protocols such as MFA in place to bolster cyber security.

IT Pro approached Microsoft for comment but had not received a response at the time of writing.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.