A business email compromise campaign is exploiting weaknesses in Microsoft 365 products. (Stephen Brashear/Getty Images)

Researchers spotted a sophisticated business email compromise (BEC) campaign targeting Microsoft 365 organizations, leveraging inherent weaknesses in Microsoft 365 Multi-Factor Authentication (MFA), Microsoft Authenticator, and Microsoft 365 Identity Protection.

In a Wednesday blog post, Mitiga researchers said these weaknesses effectively nullified the added security allegedly provided by MFA, allowing for full compromise even of accounts that have enabled MFA.

During the investigation, Mitiga researchers said they identified unauthorized access to the Microsoft 365 account of an executive in the organization from multiple locations, including Singapore, Dubai, and San Jose, California. The initial compromise leveraged what’s known as an adversary-in-the-middle (AiTM) phishing technique, giving the attacker access to the executive’s account and mailbox.

However, the researchers said further investigation of the compromised account revealed that a second Microsoft Authenticator app had been set up for the user without their knowledge. This gave the attackers persistent access to the breached account and effectively nullified the value of MFA, which the researchers said was of grave concern. Given the accelerated growth of AiTM attacks, the researchers said it’s clear that organizations can no longer rely on MFA as the main line of defense against identity attacks.
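The persistence step described above, a second Authenticator app registered shortly after sign-ins from several countries, is visible in Microsoft 365 telemetry if the audit log and the sign-in log are correlated. The following is an added example written for this article, not code from Mitiga or Microsoft: it scans constructed sign-in and audit records for security-info registrations preceded by successful sign-ins from outside the user's usual countries or from more than one country. The field names (`userPrincipalName`, `createdDateTime`, `location.countryOrRegion`, `activityDisplayName`, `targetResources`, `resultReason`) approximate the Azure AD sign-in and audit log schemas and are an assumption, as is the activity name "User registered security info"; the records, users, timestamps and baseline are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Azure AD audit activity name for a new authentication method (assumption).
REGISTRATION_ACTIVITY = "User registered security info"

# Constructed sign-in records, a subset of Azure AD sign-in log fields (assumption).
SIGNINS = [
    {"userPrincipalName": "exec@example.com", "createdDateTime": "2022-08-22T08:05:00Z",
     "location": {"countryOrRegion": "US", "city": "San Jose"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "exec@example.com", "createdDateTime": "2022-08-22T09:40:00Z",
     "location": {"countryOrRegion": "SG", "city": "Singapore"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "exec@example.com", "createdDateTime": "2022-08-22T10:15:00Z",
     "location": {"countryOrRegion": "AE", "city": "Dubai"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2022-08-22T08:00:00Z",
     "location": {"countryOrRegion": "US", "city": "Denver"}, "status": {"errorCode": 0}},
]

# Constructed audit records; the third one is unrelated noise that must be ignored.
AUDITS = [
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-22T10:30:00Z",
     "targetResources": [{"userPrincipalName": "exec@example.com"}],
     "resultReason": "User registered Authenticator App with Notification and Code"},
    {"activityDisplayName": "User registered security info",
     "activityDateTime": "2022-08-22T08:20:00Z",
     "targetResources": [{"userPrincipalName": "alice@example.com"}],
     "resultReason": "User registered Authenticator App with Notification and Code"},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2022-08-22T11:00:00Z",
     "targetResources": [{"userPrincipalName": "exec@example.com"}],
     "resultReason": ""},
]

# Constructed per-user baseline of countries seen in normal sign-in history.
BASELINE = {"exec@example.com": {"US"}, "alice@example.com": {"US"}}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_mfa_registrations(signins, audits, baseline, window_hours=24):
    """Return one alert per security-info registration that was preceded, within
    window_hours, by successful sign-ins from a country outside the user's
    baseline or from more than one country (the new-device persistence pattern)."""
    by_user = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == 0:  # only successful sign-ins matter here
            by_user[s["userPrincipalName"]].append(s)

    alerts = []
    for a in audits:
        if a["activityDisplayName"] != REGISTRATION_ACTIVITY:
            continue
        user = a["targetResources"][0]["userPrincipalName"]
        reg_time = parse_ts(a["activityDateTime"])
        start = reg_time - timedelta(hours=window_hours)
        countries = {s["location"]["countryOrRegion"]
                     for s in by_user[user]
                     if start <= parse_ts(s["createdDateTime"]) <= reg_time}
        new_countries = countries - baseline.get(user, set())
        if new_countries or len(countries) > 1:
            alerts.append({
                "user": user,
                "registered_at": a["activityDateTime"],
                "method": a.get("resultReason", ""),
                "countries": sorted(countries),
                "new_countries": sorted(new_countries),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGNINS, AUDITS, BASELINE):
        print(alert)
```

On the constructed data the executive's registration is flagged (sign-ins from US, SG and AE in the preceding day, two of them outside the baseline) while the ordinary user's registration is not. In a real deployment the same correlation would feed an alert that triggers session revocation and a review of the user's registered authentication methods, since the AiTM session itself may have looked like a normal MFA-satisfied sign-in.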

“We strongly recommend setting up another layer of defense, in the form of a third factor, tied to a physical device or to the employee’s authorized laptop and phone,” said the researchers. “Microsoft 365 offers this as part of Conditional Access by adding a requirement to authenticate via an enrolled and compliant device only, which would completely prevent AiTM attacks.”

Alon Nachmany, Field CISO at AppviewX, said that the security industry has been pushing MFA as an important way to mitigate phishing attacks – and that’s still very true. Nachmany said that while 2FA has in the past been synonymous with MFA, the difference now is that the industry will require an additional factor.

“This can be in the form of a certificate, either a user cert on an employee credential or a machine cert to ensure this is a request from a corporate device,” Nachmany said. “When I was the CISO for NHLD, we used location as the third factor, ensuring that our employees were in the U.S.; if someone was traveling internationally, they would have to submit their itinerary and we would allow it for those countries on those dates.”

Adrien Gendre, chief technology and product officer at Vade, added that MFA has been viewed by some — and wrongly so — as a silver bullet, when in fact it’s often a double-edged sword. First, Gendre said it can be relatively useless when an account gets compromised, at least for a short period of time. Second, it can create a false sense of security.

“This particular attack is a perfect example of hackers turning our defenses against us,” Gendre said. “MFA should absolutely be deployed in every organization to improve security, but it should be just one of many security layers in place to prevent breaches like this. Stacking the layers ensures that a potential threat must pass through multiple layers of security. And if each of those fail, and they sometimes do, there should be incident response tools and procedures in place to quickly remediate the situation.”

Patrick Harr, CEO at SlashNext, said MFA is still an effective mitigation against phishing because it increases the difficulty of leveraging compromised credentials to breach an organization.

“Yet, MFA is not foolproof,” Harr said. “Last year, CISA warned cybercriminals are using the cloud to bypass MFA. Microsoft 365 is a high-value target since it’s the most compromised cloud service, and organizations rely heavily on Microsoft and MFA for protection. Combining BEC, credential stealing, and malicious tactics to bypass MFA for financial and data theft could be the magic ticket for cybercriminals.”