The Nightmares

    The Multi-Factor Authentication Loophole

    I was approached via LinkedIn by the Head of IT for a 70-something person company who wanted an independent review of their environment. I thought sure, let's talk and go over the details. This guy's company had an IT infrastructure of the future; the most well-prepared lead I had ever dealt with! Everyone in the company worked from home, connecting through a remote desktop, MFA was turned on for everyone, and all accounts were managed by Azure Active Directory (AD). On top of all that, they already had tools* to monitor their environment. This was going to be the quickest and easiest review I had ever done! 😁

    Once they gave us an instance of their remote desktop, I logged into their Azure portal and checked the sign-in logs in Azure Active Directory. Holy cow, the Head of IT's account was under attack every 17 seconds!!! A brute-force attack coming from Indonesia was well underway, and it was now working its way through all of the company's users.

    But how could this happen? How could the Head of IT, with all the right tools, not even know this was going on? They even had an IT vendor supposedly taking care of them.

    Expanding the sign-in details exposed a glaring but simple mistake. The client was under attack through the IMAP protocol. This attack bypasses MFA because IMAP doesn't support multi-factor authentication: the client sends only a username and password, so there is never a second factor to challenge. The same goes for the POP and SMTP protocols. It's a simple fix but a hard pill for the IT team to swallow: stop allowing the company to use applications that rely on these protocols. Attacks like these are low-hanging fruit, no different from people clicking on phishing emails.

    How could this have been prevented?

    First, various notification and blocking rules could have been created. Since they already had Active Directory Premium P1, they could have created a rule to block any sign-in attempts from outside the US. They could also have moved to apps that don't use the IMAP, POP3, or SMTP protocols. Lastly, they should have had a rule that sends the global admin a notification of every attempted breach.
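    As an added example (not code from the original post, nor from the company or vendor it describes), here is a small Python triage script that runs over constructed Azure AD sign-in records shaped loosely like the Microsoft Graph signIn resource and flags exactly the pattern above: repeated failures over a legacy protocol (clientAppUsed values such as IMAP4, POP3 or Authenticated SMTP) from outside an allowed country list, together with the interval between attempts. The field names, the legacy-protocol strings, the error code and every record in SAMPLE_SIGNINS are assumptions or constructed data; check them against an export from your own tenant before relying on them.

```python
"""Triage Azure AD sign-in log records for legacy-protocol brute force.

Added example; the record shape loosely follows the Microsoft Graph signIn
resource (assumption: field names such as clientAppUsed, location.countryOrRegion
and status.errorCode; verify against your tenant's export). All records below
are constructed sample data, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Client types that authenticate with a bare username/password and therefore
# can never be challenged for a second factor (assumed string values).
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
# The company in the story is entirely US based, so anything else is suspect.
ALLOWED_COUNTRIES = {"US"}
INVALID_PASSWORD = 50126  # Azure AD error code for a wrong username or password


def _rec(user, ts, client_app, country, error_code):
    """Build one constructed sign-in record in the assumed log shape."""
    return {
        "userPrincipalName": user,
        "createdDateTime": ts.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "clientAppUsed": client_app,
        "location": {"countryOrRegion": country},
        "status": {"errorCode": error_code},
    }


T0 = datetime(2024, 3, 4, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_SIGNINS = [
    # five IMAP password guesses 17 s apart against the Head of IT, from Indonesia
    *[_rec("it.head@example.com", T0 + timedelta(seconds=17 * i), "IMAP4", "ID", INVALID_PASSWORD)
      for i in range(5)],
    # two stray POP3 failures against another user: below the reporting threshold
    _rec("alice@example.com", T0, "POP3", "ID", INVALID_PASSWORD),
    _rec("alice@example.com", T0 + timedelta(minutes=30), "POP3", "ID", INVALID_PASSWORD),
    # the Head of IT's own legitimate browser sign-in (MFA-capable client, expected country)
    _rec("it.head@example.com", T0 + timedelta(hours=1), "Browser", "US", 0),
]


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(records, allowed_countries=ALLOWED_COUNTRIES, min_attempts=3):
    """Return per-user findings for accounts hit over a legacy protocol.

    Only legacy-protocol records count; modern-auth sign-ins are ignored because
    MFA can still challenge them. Users with fewer than min_attempts are dropped.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["clientAppUsed"] in LEGACY_PROTOCOLS:
            by_user[r["userPrincipalName"]].append(r)

    findings = {}
    for user, recs in by_user.items():
        if len(recs) < min_attempts:
            continue
        times = sorted(_parse_ts(r["createdDateTime"]) for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        countries = {r["location"]["countryOrRegion"] for r in recs}
        findings[user] = {
            "attempts": len(recs),
            "failures": sum(1 for r in recs if r["status"]["errorCode"] != 0),
            "median_interval_s": median(gaps),
            "protocols": sorted({r["clientAppUsed"] for r in recs}),
            "countries": sorted(countries),
            "outside_allowed_region": not countries <= allowed_countries,
        }
    return findings


def report(findings):
    """Render findings as one line per account, suitable for an alert email."""
    lines = []
    for user, f in findings.items():
        flag = "OUTSIDE ALLOWED REGION" if f["outside_allowed_region"] else "allowed region"
        lines.append(
            f"{user}: {f['failures']}/{f['attempts']} legacy-auth failures via "
            f"{','.join(f['protocols'])} from {','.join(f['countries'])} "
            f"every ~{f['median_interval_s']:.0f}s ({flag})"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_SIGNINS))))
```

    Run as-is, it reports only the Head of IT's account (five IMAP failures from ID, roughly every 17 seconds, outside the allowed region); the legitimate browser sign-in is ignored because a modern client can be challenged for a second factor, and the two stray POP3 failures against the other account fall below the threshold. The same logic is what a "notify the global admin" rule should be firing on, and the same clientAppUsed filter is the condition a block-legacy-authentication policy keys off.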

     


    *Their infrastructure: Office 365 E3, Office Advanced Threat Protection Plan 1, Windows 10, Azure Active Directory (AD), Azure Multi-factor Authentication (MFA)


    The Hacker who Spammed all of the Company's Customers

    The CEO of a 45-person company approached us after one of their employees' email credentials had been compromised. The hijacked account was sending hundreds of spam emails to everyone in the company's contact list: employees, partners, and their customers! Within the hour, the Office Manager was getting calls and answering them with a new script: "Are you calling because of some emails this morning?" Not a script you want to be using when talking to your customers...

    So we got on the phone with their CEO and their Director of IT. "We had Multi-Factor Authentication (MFA) set up, so how could this have happened?" they said. My initial thought was that this sounded weird. If MFA was on and someone had breached the account with both the credentials and access to the cell phone, we'd be dealing with a serious intruder. So I asked,

    "Was MFA turned on for everyone?"

    "Oh no, no, just for the executives, because that's who hackers are after anyways. It would have been annoying for everyone to authenticate using MFA." And there you had it: we weren't dealing with a serious intruder, but with an organizational mistake.

    How could this have been prevented?

    Multi-factor authentication should be set up for everyone in the organization, not just for the executives. Hackers will try every account in the organization. In fact, it's not even a hacker typing away, trying different accounts; it's most likely a program they wrote that automatically knocks on every door until it finds the easiest one to get into.
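    As an added example (not the original post's or the company's own code), the Python below puts the "executives only" setting beside the corrected "all users" setting and audits a constructed user directory against each, listing the accounts that no policy forces through MFA. The policy dicts loosely mirror the shape of a Microsoft Graph conditionalAccessPolicy, but that is an assumption for readability: real policies reference group object IDs rather than group names, and only the built-in "mfa" grant control is modelled. The directory, group names and both policies are constructed sample data.

```python
"""Audit which accounts an MFA Conditional Access policy actually covers.

Added example. The policy dicts loosely mirror a Microsoft Graph
conditionalAccessPolicy (assumption; real policies use group object IDs, and
only the built-in "mfa" grant control is modelled here). Directory and
policies are constructed sample data.
"""

# Constructed directory for a small company: only two accounts sit in "Executives".
DIRECTORY = {
    "ceo@example.com": {"Executives"},
    "cfo@example.com": {"Executives"},
    "it.director@example.com": {"IT"},
    "office.manager@example.com": {"Operations"},
    "sales1@example.com": {"Sales"},
    "breakglass@example.com": set(),  # emergency-access account, deliberately excluded below
}

# The weak setting from the story: MFA required only for the executives' group.
EXECS_ONLY_POLICY = {
    "displayName": "Require MFA - executives only",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": [], "includeGroups": ["Executives"], "excludeUsers": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# The corrected setting: every user, with a single documented break-glass exclusion.
ALL_USERS_POLICY = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                             "excludeUsers": ["breakglass@example.com"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def policy_requires_mfa_for(policy, upn, groups):
    """True if this enabled policy would demand MFA from the given account."""
    if policy["state"] != "enabled":
        return False  # report-only or disabled policies protect nobody
    if "mfa" not in policy["grantControls"]["builtInControls"]:
        return False
    users = policy["conditions"]["users"]
    if upn in users["excludeUsers"]:
        return False  # exclusions win over any inclusion
    if "All" in users["includeUsers"] or upn in users["includeUsers"]:
        return True
    return bool(groups & set(users["includeGroups"]))


def uncovered_accounts(policies, directory):
    """Accounts that no policy in the set forces through MFA: the open doors."""
    return sorted(
        upn for upn, groups in directory.items()
        if not any(policy_requires_mfa_for(p, upn, groups) for p in policies)
    )


def coverage_ratio(policies, directory):
    """Fraction of directory accounts that at least one policy protects with MFA."""
    covered = len(directory) - len(uncovered_accounts(policies, directory))
    return covered / len(directory)


if __name__ == "__main__":
    for label, policy in (("executives only", EXECS_ONLY_POLICY), ("all users", ALL_USERS_POLICY)):
        missing = uncovered_accounts([policy], DIRECTORY)
        print(f"{label}: {coverage_ratio([policy], DIRECTORY):.0%} covered; unprotected: {missing}")
```

    With the executives-only policy, four of the six accounts are open doors, which is exactly what the automated door-knocker in the story is looking for. The corrected policy still reports the break-glass account as uncovered, and that is deliberate: any exclusion must be tracked on a short list and protected another way (a long random password kept offline, and an alert on every sign-in), not forgotten.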
