Office 365/G Suite – Bypassing MFA…

office 365 mfa bypassOffice 365 and G Suite MFA bypass

Multi-factor authentication (MFA) has been shown to be a critical control to prevent business email compromise (BEC) as well as compromise of other critical systems. Recently, some information came to light about attacks on Office 365 and G Suite applications that bypass the protection of MFA.

These attacks use IMAP (Internet Message Access Protocol) exposure and password compromise techniques to acquire usernames and passwords, and perpetuate a variety of attacks. There are two types of attacks that are commonly leveraged for password discovery – brute force attacks, and password spraying. The difference is in the methodology employed:

  • Brute force attacks attempt to leverage a single user account at a time, and test a variety of passwords in succession. This attack can be detected by a large number of invalid password attempts on a small quantity of users, along with the associated account lockouts.
  • Password spraying attacks reverse this scenario. In this case, an attacker will take a large number of user accounts, and test one password at a time. In an enterprise situation, the attacker may have or guess hundreds of user names, and attempt one password in sequence…by the time the attacker returns to account #1 to attempt another password, the lockout threshold has reset and the attack goes undetected.

Where do the user accounts and passwords come from? Attackers have a variety of information at their disposal, as records are released from various data breaches. Searching breach records for passwords with a common theme allows attackers to leverage variants – the ever popular Spring2019! would be an easy attempt, if Winter2018! was a password frequently associated with an organization.

According to Proofpoint, an analysis of over 100,000 unauthorized login attempts across monitored cloud user-accounts found that:

  • 72% of tenants were targeted at least once by threat actors
  • 40% of tenants had at least one compromised account in their environment
  • Over 2% of active user-accounts were targeted by malicious actors
  • 15 out of every 10,000 active user-accounts were successfully breached by attackers

The attacker’s primary target of an account compromised by way of IMAP is to leverage various phishing attempts. An externally exposed IMAP service will allow attackers to send emails that bypass the “EXTERNAL” flag, and other controls that may have been employed by your organization. In addition, the attacker will attempt to compromise any externally facing services or accounts that do not support MFA – particularly any services that employ SSO (single-sign on) for user convenience.

The Proofpoint report also stated that:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks
  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result
  • Threat actors achieved a 44% success rate breaching an account at a targeted organization.

Mitigation

So, what can you do to defend against this type of attack? If your organization does not require IMAP to be employed and/or externally exposed, disable this legacy protocol. Again, for the folks in the back:

If you do not need to have IMAP available, disable it. If you believe that IMAP is required, vet this requirement, and research alternatives. 

If you have an application that requires IMAP as a legacy protocol to function, evaluate that application’s business use. Research alternatives to the application, including replacement and any available upgrade paths. Apply mitigating controls like access control lists (ACLs) to allow only specific users/IPs/services to leverage the IMAP exposure.

**Addendum 3-29-2019. Further research in this space indicates that one common exposure is ticketing systems that are used to automatically open tickets based on certain criteria…the systems that do not support PAM authentication, or where it is not enabled, have significantly increased risk. If you have IMAP in use in one of these situations, restrict it by way of an ACL to allow only those systems to access the protocol. 

Above all, be aware of your exposure. Have penetration testing done on a regular basis, to discover obsolete or forgotten exposures to your organization.

And remember…is it really paranoia if they ARE out to get you?

Questions? Comments? What recovery actions would you add? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

 

 

 

This entry was posted in General InfoSec by Lisa Wallace. Bookmark the permalink.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing application assessments digital forensics threat intelligence incident response eDiscovery efforts She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.