"I thought we used MFA...
How did they get round that?"
- Anon
Being in business is about taking risks.
Launching a new service - is a risk.
Going into new markets - is a risk.
In business, we accept risks.
What's essential is that we know the risks we are taking...
And which risks we are accepting.
Our blind spots are the risks we accept tacitly - because we don't know any different.
One of those blind spots is likely to be how hackers are currently bypassing multi-factor authentication (MFA).
The idea behind MFA was to stop weak or stolen passwords being enough, on their own, for hackers to break into accounts. However, the current generation - SMS codes, authenticator apps and the like - was created with a known weakness: a one-time code proves that whoever typed it holds the phone, not that they typed it into the genuine site.
Suppose a hacker or adversary is positioned to relay all messages between two parties - like a game of Chinese Whispers or telephone. The adversary can capture, steal or manipulate any message they see... including the MFA logins. The password and the one-time code are forwarded to the real service as they are typed, so they are still valid when they arrive.
Once the real service accepts them, it hands back a session cookie. The adversary keeps a copy and can re-use it as "proof of authenticity" to act as the victim for as long as that session lasts - no further code required - effectively stealing the identity of one or both parties in the chain.
This is the idea of Adversary-In-The-Middle (AiTM) - a well-known problem first published in 1976.
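The relay described above, as an added worked example that is not part of the original article. It is an in-memory model, not a real phishing kit or a real identity provider: the user, password, secrets and the two origins are constructed, the OTP is RFC 4226 HOTP with a fixed counter, and an HMAC keyed with a per-device secret stands in for the signature a device-bound private key would produce. The same model then shows why a check that is bound both to a registered device and to the origin the browser is actually talking to refuses the relayed login, which is the property the mitigations at the end of this piece rely on.

```python
"""Added example (not the article's code): an in-memory model of an AiTM relay against
one-time-code MFA, and of a device-bound, origin-bound check that defeats it."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.test"   # constructed: the genuine identity provider
PHISH_ORIGIN = "https://login.examp1e.test"  # constructed: the look-alike phishing site


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, 6 digits: the code an authenticator app would display."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def device_proof(device_key: bytes, nonce: str, origin: str) -> str:
    """HMAC stands in for a device-bound private-key signature over nonce AND origin."""
    return hmac.new(device_key, f"{nonce}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Genuine service: password + OTP buys a cookie; optionally a registered-device proof too."""
    origin = REAL_ORIGIN

    def __init__(self, require_known_device: bool):
        self.require_known_device = require_known_device
        self.users = {}     # user -> (password, otp_secret)
        self.devices = {}   # user -> {device_id: device_key}
        self.sessions = {}  # cookie -> user

    def register(self, user, password, otp_secret, device_id, device_key):
        self.users[user] = (password, otp_secret)
        self.devices[user] = {device_id: device_key}

    def challenge(self) -> str:
        return secrets.token_hex(8)

    def login(self, user, password, otp, proof):
        expected_pw, otp_secret = self.users.get(user, ("", b""))
        if not (expected_pw and hmac.compare_digest(password, expected_pw)):
            return None
        if not hmac.compare_digest(otp, hotp(otp_secret, 0)):  # fixed counter keeps the model small
            return None
        if self.require_known_device:
            key = self.devices[user].get(proof["device_id"], b"")
            # Recomputed with OUR origin: a proof the browser made for the phishing
            # origin fails here even though the nonce inside it is the genuine one.
            expected = device_proof(key, proof["nonce"], self.origin)
            if not hmac.compare_digest(proof["mac"], expected):
                return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)  # who a later request with this cookie acts as


class VictimBrowser:
    """User, authenticator app and enrolled device in one; it signs for whatever origin it reaches."""

    def __init__(self, user, password, otp_secret, device_id, device_key):
        self.user, self.password, self.otp_secret = user, password, otp_secret
        self.device_id, self.device_key = device_id, device_key

    def sign_in(self, site):
        nonce = site.challenge()
        proof = {"device_id": self.device_id, "nonce": nonce,
                 "mac": device_proof(self.device_key, nonce, site.origin)}
        return site.login(self.user, self.password, hotp(self.otp_secret, 0), proof)


class AitmProxy:
    """Phishing site: forwards every message unchanged, keeps a copy of the cookie on the way back."""
    origin = PHISH_ORIGIN

    def __init__(self, real_idp):
        self.real, self.captured = real_idp, {}

    def challenge(self) -> str:
        return self.real.challenge()  # the victim is shown the genuine nonce

    def login(self, user, password, otp, proof):
        self.captured.update(user=user, password=password, otp=otp)
        cookie = self.real.login(user, password, otp, proof)
        self.captured["cookie"] = cookie
        return cookie  # the victim lands in their real mailbox and notices nothing


def scenario(require_known_device: bool) -> dict:
    idp = IdentityProvider(require_known_device)
    alice = VictimBrowser("alice", "correct horse", b"12345678901234567890", "laptop-01", b"dev-key-01")
    idp.register(alice.user, alice.password, alice.otp_secret, alice.device_id, alice.device_key)
    proxy = AitmProxy(idp)
    via_phish = alice.sign_in(proxy)                        # lured to the look-alike site
    attacker_as = idp.whoami(proxy.captured.get("cookie"))  # cookie replayed from the attacker's own box
    direct = alice.sign_in(idp)                             # genuine login, for comparison
    return {"victim_logged_in_via_phish": via_phish is not None,
            "attacker_has_session": attacker_as == "alice",
            "genuine_login_works": direct is not None}
```

Calling scenario(False) gives all three flags True: the victim is logged in, and so is the attacker, using a cookie minted after a perfectly valid password and OTP. Calling scenario(True) gives False, False, True: the relayed login is refused because the browser signed for the phishing origin, while the victim's direct login still works. Note the attacker never needs a second code; the code only had to be valid once, at the moment it was relayed.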
In March 2023, Microsoft published a blog about a group (tracked as Storm-1101) marketing and selling a framework that simplifies AiTM attacks for cybercriminals - letting them bypass MFA.
In the same way that businesses adapt their services and features to meet market needs, Storm-1101 offers a range of features to make criminals' lives easier. Including:
These features have proven so popular that Storm-1101 raised the framework's price from $100 a month in June 2022 to $300 in December 2022. And Microsoft notes that "millions of phishing emails per day" have been sent using this toolkit.
While there's no word on how many accounts have been ultimately compromised, we can safely assume it is a significant number.
We have a short window to mitigate this risk before it becomes a critical problem.
This AiTM framework is a stand-alone service that hasn't yet become part of the entry-level, highly industrialised phishing services offered to the most inexperienced cybercriminal. But it is only a matter of time before that happens.
Unfortunately, the mitigations are relatively limited.
Firstly, as a pre-emptive, lowest-cost defence, enable Conditional Access in your M365 tenants with appropriate rules. These rules should ensure the device used to log in is known - as well as the person and the MFA code - by requiring the device to be Azure AD joined (or hybrid joined) or marked compliant by Intune. A login relayed through the phisher's server reaches Microsoft from the phisher's infrastructure, not from a registered device, so the grant is refused even though the password and code were correct. Where your licensing allows it, a Conditional Access authentication strength that requires phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business) closes the gap more directly, because those credentials are bound to the genuine sign-in address and will not work through a look-alike domain.
Secondly, monitor phishing attempts and anomalous logins from unknown devices: in particular, sign-ins where MFA was satisfied but the device is unregistered or non-compliant, and sessions first established in one location and then used from another within minutes. This will eventually be a straightforward task, but cybersecurity teams must be alert for the next few years.
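The two monitoring checks just described, as an added example that is not part of the original article. The sign-in records are constructed; their field names follow the Entra ID (Azure AD) sign-in log schema (createdDateTime, userPrincipalName, ipAddress, location.countryOrRegion, deviceDetail.deviceId, deviceDetail.isCompliant, authenticationRequirement, status.errorCode), but the values, users and addresses are invented for illustration, and the 30-minute window and the rule names are this example's own choices.

```python
"""Added example (not the article's code): two simple detections run over constructed
sign-in records whose field names follow the Entra ID (Azure AD) sign-in log schema."""
import json
from datetime import datetime, timedelta

# Constructed sample. alice signs in from a registered, compliant laptop. bob satisfies
# MFA from an unregistered device (the relay), then the same account is active from a
# second country minutes later with no new MFA. carol is a failed password guess.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2023-03-15T08:02:11Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"d1-laptop","isCompliant":true},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-15T09:14:52Z","userPrincipalName":"bob@example.test","ipAddress":"198.51.100.7","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"","isCompliant":false},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-15T09:21:30Z","userPrincipalName":"bob@example.test","ipAddress":"192.0.2.44","location":{"countryOrRegion":"NL"},"deviceDetail":{"deviceId":"","isCompliant":false},"authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2023-03-15T10:05:00Z","userPrincipalName":"carol@example.test","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"deviceDetail":{"deviceId":"","isCompliant":false},"authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":50126}}
"""

UNREGISTERED_MFA = "mfa_satisfied_from_unregistered_device"
SECOND_COUNTRY = "second_country_within_window"


def load(text: str) -> list:
    """One JSON object per line, as exported sign-in logs usually are."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def when(record: dict) -> datetime:
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def detect(records: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (user, rule, detail) tuples for successful sign-ins that look like AiTM."""
    alerts, seen = [], {}                    # seen: user -> [(time, country, ip)]
    for rec in sorted(records, key=when):
        if rec["status"]["errorCode"] != 0:  # failures are noise for these two rules
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        country, device = rec["location"]["countryOrRegion"], rec["deviceDetail"]
        # Rule 1: MFA passed, but not from a device the tenant knows and trusts.
        if (rec["authenticationRequirement"] == "multiFactorAuthentication"
                and not (device.get("deviceId") and device.get("isCompliant"))):
            alerts.append((user, UNREGISTERED_MFA, ip))
        # Rule 2: the same user active from a different country inside the window,
        # the footprint of a stolen session cookie being replayed from elsewhere.
        for prev_time, prev_country, prev_ip in seen.get(user, []):
            if when(rec) - prev_time <= window and prev_country != country:
                alerts.append((user, SECOND_COUNTRY, f"{prev_ip} -> {ip}"))
                break
        seen.setdefault(user, []).append((when(rec), country, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(load(SAMPLE_SIGNINS)):
        print(*alert)
```

Run against the sample, detect() raises two alerts, both for bob: the MFA sign-in from an unregistered, non-compliant device, and the follow-on activity from a second country seven minutes later. alice trips neither rule and carol's failed sign-in is ignored. In a real tenant the country comparison would be replaced by whatever location or ASN data your log pipeline carries, and the window tuned to your users' travel patterns.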