According to researchers, attackers can exploit weaknesses in a legacy authentication protocol and in identity provider (IdP) solutions to bypass multi-factor authentication (MFA) for Microsoft 365.
The security vendor Proofpoint has discovered critical security gaps in cloud environments in which the WS-Trust (Web Services Trust) authentication protocol is enabled. If exploited, they give an attacker unrestricted access to the victim's account and its data, such as e-mail, files and contacts.
According to Proofpoint, an attacker targeting a WS-Trust endpoint behind a flawed identity provider could spoof the client's IP address simply by manipulating a request header, and in that way bypass MFA.
Changing the web browser
WS-Trust belongs to the WS-* family of web services specifications and is standardised by OASIS (the Organization for the Advancement of Structured Information Standards).
Microsoft announced in February of this year that it was retiring WS-Trust authentication, describing the protocol as “inherently insecure under current encryption standards”.
“In conjunction with a user account and a password, the WS-Trust security protocol implements an authentication process that shows the authentication resource both the user ID and the password in clear text and relies solely on the transport encryption to provide security for the first part of the authentication, until the token service returns an authentication token to use,” Microsoft said.
WS-Trust will be disabled for new Office 365 tenants from next month, but the protocol will not be fully retired until April 2022.
Older e-mail protocols that do not support MFA, such as POP and IMAP, can also be used to bypass the additional authentication layer in attacks on cloud accounts, because they accept only a username and password, Proofpoint said.
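The two bypass routes described above, an IP address spoofed through a request header and a password-only legacy protocol, both come down to how an identity provider decides whether to challenge for MFA. The following Python is an added example written for this article, not code from Proofpoint, Microsoft or any product. The header name X-Forwarded-For, the address ranges, the protocol names and the location-based MFA exemption are assumptions made for the illustration; it puts the vulnerable decision next to the hardened one.

```python
"""Added example for this article (not Proofpoint's, Microsoft's or any product's code):
the MFA decision of an identity provider that trusts a client-supplied IP header,
beside a hardened version. Header name, address ranges, protocol names and the
location-based MFA exemption are assumptions made for the illustration."""
import ipaddress

# Assumed policy data
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # "trusted location": MFA waived
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}  # edge proxies allowed to set the header
LEGACY_PROTOCOLS = {"ws-trust", "imap", "pop3"}            # password-only channels, no MFA support


def in_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def client_ip_naive(peer_ip: str, headers: dict) -> str:
    """Vulnerable pattern: whoever wrote X-Forwarded-For chooses the 'client' address."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip: str, headers: dict) -> str:
    """The header is honoured only when the TCP peer is a proxy we operate."""
    xff = headers.get("X-Forwarded-For")
    if xff and ipaddress.ip_address(peer_ip) in TRUSTED_PROXIES:
        return xff.split(",")[0].strip()
    return peer_ip


def decide_naive(protocol: str, peer_ip: str, headers: dict) -> tuple:
    """Returns (decision, reason); decision is 'allow' (no MFA), 'mfa' or 'deny'.
    The location exemption runs on the spoofable address, and a legacy channel that
    cannot carry a challenge is simply let through with the password alone."""
    ip = client_ip_naive(peer_ip, headers)
    if in_corporate(ip):
        return "allow", f"trusted location {ip}"
    if protocol in LEGACY_PROTOCOLS:
        return "allow", f"{protocol} cannot carry an MFA challenge; not enforced"
    return "mfa", f"untrusted location {ip}"


def decide_hardened(protocol: str, peer_ip: str, headers: dict) -> tuple:
    """Password-only legacy channels are refused outright (the direction Microsoft is
    taking with WS-Trust), and the location exemption uses a non-spoofable address."""
    if protocol in LEGACY_PROTOCOLS:
        return "deny", f"{protocol} is a password-only legacy channel"
    ip = client_ip_hardened(peer_ip, headers)
    if in_corporate(ip):
        return "allow", f"trusted location {ip}"
    return "mfa", f"untrusted location {ip}"


if __name__ == "__main__":
    # Constructed scenarios: (label, protocol, TCP peer address, request headers)
    scenarios = [
        ("attacker, stolen password, spoofed header, WS-Trust", "ws-trust", "192.0.2.55",
         {"X-Forwarded-For": "203.0.113.7"}),
        ("attacker, stolen password, spoofed header, modern auth", "modern", "192.0.2.55",
         {"X-Forwarded-For": "203.0.113.7"}),
        ("attacker, stolen password, IMAP, no header", "imap", "192.0.2.55", {}),
        ("employee on corporate LAN, modern auth", "modern", "203.0.113.20", {}),
        ("employee behind trusted proxy, modern auth", "modern", "198.51.100.10",
         {"X-Forwarded-For": "203.0.113.20"}),
        ("employee at home, modern auth", "modern", "192.0.2.99", {}),
    ]
    for label, proto, peer, hdrs in scenarios:
        naive = decide_naive(proto, peer, hdrs)[0]
        hard = decide_hardened(proto, peer, hdrs)[0]
        print(f"{label:55} naive={naive:5} hardened={hard}")
```

Running the script prints the decision table for the constructed scenarios. The two attacker cases that the naive policy lets straight through are exactly the article's two routes: the forwarded address lands the request in the trusted range, and the legacy channel never gets a challenge at all. The hardened version only honours the forwarded address when the TCP peer is a known proxy, and refuses legacy channels rather than silently waiving the challenge, which is the practical effect of retiring WS-Trust and basic-authentication POP/IMAP.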
Real-time phishing is another way to bypass MFA, Proofpoint said.
Here the attacker sets up a proxy that mimics the legitimate login page to victims trying to sign in, but actually captures the credentials they enter as they are submitted, so that the one-time MFA response can be replayed against the real service while it is still valid.
Malware on phones and computers can also intercept MFA codes that are delivered out of band, which likewise compromises the account.
Better monitoring to identify account compromises and remediate attacks can help reduce MFA bypasses, which the vendor said are a growing problem as employees work from home during the COVID-19 pandemic.
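For the monitoring the article recommends, here is an added example (not Proofpoint's code, and not a real Microsoft 365 sign-in export) that runs two detection rules over constructed sign-in records: a successful sign-in over a password-only legacy protocol that completed without MFA, and a recorded client address in a trusted range that does not match the address the edge actually saw. The CSV columns, protocol names and address ranges are assumptions made for the example.

```python
"""Added example: flag sign-ins that evaded MFA, over constructed log lines.
Not Proofpoint's code and not a real Microsoft 365 log format; the CSV layout,
protocol names and address ranges are assumptions."""
import csv
import io
import ipaddress

# Constructed sample sign-in records (assumed layout, not a real product export).
#   client_ip = address the auth service recorded after honouring proxy headers
#   peer_ip   = address of the TCP connection actually seen at the edge
SAMPLE_LOG = """\
time,user,protocol,result,mfa,client_ip,peer_ip
2020-09-29T08:01:11Z,alice@example.com,modern,success,true,198.51.100.23,198.51.100.23
2020-09-29T08:03:40Z,bob@example.com,imap,success,false,192.0.2.77,192.0.2.77
2020-09-29T08:04:02Z,carol@example.com,ws-trust,success,false,203.0.113.9,192.0.2.77
2020-09-29T08:05:15Z,dave@example.com,modern,success,false,203.0.113.15,203.0.113.15
2020-09-29T08:06:30Z,erin@example.com,pop3,failure,false,192.0.2.78,192.0.2.78
"""

LEGACY_PROTOCOLS = {"ws-trust", "imap", "pop3", "smtp"}     # password-only channels
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed "trusted location"
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.10")}   # assumed edge proxies


def in_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def analyse(text: str) -> list:
    """Return (user, rule, detail) findings for every successful sign-in in `text`."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["result"] != "success":
            continue                      # failed attempts are not bypasses
        mfa = row["mfa"] == "true"
        proto = row["protocol"]
        client, peer = row["client_ip"], row["peer_ip"]

        # Rule 1: a password-only legacy channel completed without any MFA step
        if proto in LEGACY_PROTOCOLS and not mfa:
            findings.append((row["user"], "legacy-protocol-no-mfa",
                             f"{proto} from {client}"))

        # Rule 2: the recorded client address sits in the trusted range, but the
        # connection came neither from that range nor from a proxy we operate:
        # the address was most likely supplied in a request header
        if (client != peer and in_corporate(client) and not in_corporate(peer)
                and ipaddress.ip_address(peer) not in TRUSTED_PROXIES):
            findings.append((row["user"], "spoofed-client-address",
                             f"claimed {client}, peer {peer}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in analyse(SAMPLE_LOG):
        print(f"{user:20} {rule:25} {detail}")
```

On the constructed sample the script reports bob's IMAP sign-in and carol's WS-Trust sign-in under the first rule, and carol's again under the second, because her recorded address is in the corporate range while the connection itself came from outside it. dave's MFA-less sign-in is not flagged: it came from the corporate network on both addresses, which is the legitimate location exemption. Rule 2 depends on logging the raw peer address alongside the one the identity provider believed, so check that the edge or proxy layer actually records it.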