According to a report by Mandiant, hackers found a way to bypass Microsoft's multi-factor authentication. Most organizations use Multi-factor authentication (MFA) because of the security features it comes with, in that users are required to provide a combination of two or more credentials that will help identify them before proceeding to log in (via ZDNet.)
However, this does not mean that it is completely secure as there have been reports of threat actors using push-based MFA to spam users with notifications till they fall into their exploits. Though Microsoft announced that they will be introducing MFA push notifications with number matching to mitigate this issue.
Through the self-enrollment process for MFA in Azure Active Directory and other platforms, hackers are able to access Microsoft 365 and other accounts. This is because most platforms allow users to enroll their first MFA device at the next login, thus acting as a loophole.
When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login. This is often the workflow chosen by organizations to roll out MFA. In Azure AD and other platform’s default configuration, there are no additional enforcements on the MFA enrollment process. In other words, anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first person to do it.
Further in the report, Madiant highlights how APT29 also Cozy Bear through a list of mailboxes whose source is yet to be established conducted a password guessing attack. They managed to gain access to an account that was already setup but dormant. In turn, they were prompted by Azure AD to enroll in MFA. This granted the attackers full access to the account where they were able to establish the organization's VPN infrastructure that was using Azure AD for authentication and MFA.
To avoid such an occurrence, Mandiant has recommended that organizations should ensure that all active accounts should have more than one MFA device enrolled. They have also indicated that additional security layers should be incorporated into the MFA enrollment process.
For instance, the recently launched feature in Microsoft Azure AD allows organizations to enforce controls around specific actions such as MFA device enrollment. Furthermore, using conditional access, organizations can control the registration of MFA devices to areas they consider safe and lastly request for MFA before initiating the enrolment process.
We also recently saw sensitive Microsoft login credentials leak on GitHub though no data was obtained and the security measures have been put in place.