Intro
There has been a rising threat of compromised SaaS identities through phishing, even where multi-factor authentication (MFA) is in place. Has MFA proven ineffective? Not exactly, but we are witnessing a surge in a long-known attack that has always been effective against MFA and is now becoming far more prevalent: AitM (Adversary-in-the-Middle).
This blog post explores this old but re-emerging threat, which lets threat actors bypass MFA, and offers guidelines for detecting it.
How are threat actors bypassing MFA?
Similar to any successful phishing attack, the threat actor initially deceives the victim into visiting a website controlled by them (1)(2). The unsuspecting victim would then unknowingly provide their credentials to the threat actor’s website through a form or a login page (3). If MFA has not been enabled for the account, the threat actor could simply reuse the credentials (4)(6) to gain access to the victim’s account.
If MFA is enabled for the account, the threat actor must ensure that the victim completes the authentication process with a valid MFA response (6)(7). This is achieved by relaying the victim's MFA response to the actual server, so that the legitimate service validates it. In this scenario, the stolen credentials alone are of little use to the threat actor; instead, they rely on the stolen OAuth2 tokens or session cookies (8) to access the actual service.
The threat actor could easily insert the stolen session cookie into their browser to access the actual web service (9).
However, session cookies have a limited lifetime, so the threat actor needs to complete their intended operations on the account as quickly as possible. At this stage, the threat actor could download all the files and emails before the session expires (11).
Alternatively, the threat actor could attempt to maintain access to the account over a longer period. This can be achieved by registering a new MFA device (10).
Mapping the MFA-bypass attacks to MITRE ATT&CK framework
We can map the attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE ATT&CK.
Strategies to detect MFA-bypass attacks
There are several opportunities for detection. Let’s examine the attack sequence and outline potential detection strategies.
During Stage 9 of the attack, when the threat actor reuses the session cookie to access cloud resources, we can rely on the Azure AD log to detect the following anomalies:
- Logins from unusual locations, or rapid changes of location between logins.
- Logins from VPN IP ranges.
- Changes in browser user agent.
- Attempts at user privilege escalation.
Based on our testing, we have verified that we could access Microsoft 365 resources without encountering any authentication prompts by simply reusing a session cookie captured from our test environment. Additionally, we observed that a new ‘UserLoggedIn’ operation, including the threat actor’s IP address and browser user agent, is recorded in the audit trail accessible within the Audit Management Log. This ‘UserLoggedIn’ operation signifies that a new login event has taken place.
{
  "ActorIpAddress": "XX.XX.XX.XX",
  "ClientIP": "XX.XX.XX.XX",
  "CreationTime": "2024-04-03T03:12:48",
  "ExtendedProperties": [
    {
      "Name": "ResultStatusDetail",
      "Value": "Success"
    },
    {
      "Name": "UserAgent",
      "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"
    },
    {
      "Name": "RequestType",
      "Value": "OAuth2:Authorize"
    }
  ],
  "Operation": "UserLoggedIn",
  "UserId": "test_victim@insidersecurity.co"
}
During Stage 11, when the threat actor accesses an unusually high number of files, we can rely on the Audit Management Log to detect the following anomaly:
- A spike in file or email access.
Finally, if the threat actor establishes a new MFA device, we can rely on the Audit Management Log to identify the following anomaly:
- Addition of a new MFA device.
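As an added example (not code from the original post), the Stage 9 rules (new browser user agent, rapid location change) and the Stage 11 rule (download spike) applied to audit records in the shape of the ‘UserLoggedIn’ entry shown above. The IP-to-country table, the user and user-agent strings, the ‘FileDownloaded’ records and the one-hour window and 20-file threshold are constructed sample data and illustrative thresholds, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IP_COUNTRY = {"203.0.113.10": "SG", "198.51.100.7": "NL"}  # constructed stand-in for GeoIP

def prop(event, name):
    # Value of the named ExtendedProperties entry, or None if absent
    return next((p["Value"] for p in event.get("ExtendedProperties", [])
                 if p.get("Name") == name), None)

def detect_anomalies(events, ip_country=IP_COUNTRY,
                     travel_window=timedelta(hours=1), download_threshold=20):
    """Stage 9 rules on UserLoggedIn records, stage 11 rule on FileDownloaded
    records. Returns (user, rule, detail) tuples in detection order."""
    alerts, agents, last_login, downloads = [], defaultdict(set), {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        user, ts = ev["UserId"], datetime.fromisoformat(ev["CreationTime"])
        if ev["Operation"] == "UserLoggedIn":
            ua = prop(ev, "UserAgent")
            if agents[user] and ua not in agents[user]:   # browser agent never seen for this user
                alerts.append((user, "new-user-agent", ua))
            agents[user].add(ua)
            country = ip_country.get(ev.get("ClientIP"), "unknown")
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] < travel_window:
                alerts.append((user, "rapid-location-change", f"{prev[1]}->{country}"))
            last_login[user] = (ts, country)
        elif ev["Operation"] == "FileDownloaded":
            # keep a sliding one-hour window of download timestamps per user
            downloads[user] = [t for t in downloads[user] if ts - t < timedelta(hours=1)]
            downloads[user].append(ts)
            if len(downloads[user]) == download_threshold:  # fire once when threshold is hit
                alerts.append((user, "download-spike", f"{download_threshold} files in 1h"))
    return alerts

def sample_events():
    # Constructed trail: normal login, then a login from another country with a
    # different browser 20 minutes later, then 25 downloads within a minute
    base, user = datetime(2024, 4, 3, 3, 12, 48), "test_victim@example.com"
    def login(t, ip, ua):
        return {"Operation": "UserLoggedIn", "UserId": user, "ClientIP": ip,
                "CreationTime": t.isoformat(),
                "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}]}
    events = [login(base, "203.0.113.10", "Edge/123.0"),
              login(base + timedelta(minutes=20), "198.51.100.7", "Firefox/124.0")]
    events += [{"Operation": "FileDownloaded", "UserId": user,
                "CreationTime": (base + timedelta(minutes=21, seconds=i)).isoformat()}
               for i in range(25)]
    return events

if __name__ == "__main__":
    for alert in detect_anomalies(sample_events()):
        print(alert)
```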
Summary of detection strategies
Below is a summary table outlining the threats demonstrated by the threat actor on the cloud and corresponding detection strategies.
Threats | Detection strategies | Stage in illustration |
Threat actor logs in with stolen account | Login with an unusual browser agent; login from one country to another within a short span of time; login from an unusual country | 9 |
Addition of new MFA device | Suspicious MFA device creation | 10 |
High amount of data downloaded | Suspicious number of files downloaded | 11 |
Staying ahead of cyber threats
Innovative solutions by InsiderSecurity
Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.
CSX is designed to detect the sophisticated attacks described in this article, making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.