How did a hacker bypass our multi-factor?

Anonymous
2024-05-21T21:14:08+00:00

One of my clients is a new business that I set up less than two years ago with Microsoft 365 cloud email. From the original setup the security defaults were set and I left them on. The accounting user had MFA set up with her phone and the Microsoft Authenticator. She is a fairly astute user who does not appear to be click happy. I looked at her computer and I see no extraneous sketchy programs other than McAfee. I have scanned it with several malware tools and AV with zero hits on everything. Somehow they got her password and signed on. The sign-in logs in the Entra admin center show the hackers got in with single-factor authentication. It seems that legit users are also getting in with single factor regularly. The legacy per-user MFA was never enabled for any user because the security defaults were in place from day 1. The user has no recollection of putting her password into a web page or getting phished in any manner that she can recall. She is one of the business owners, so there is no incentive to not be truthful with me. I am baffled at how the hackers got in with single-factor. Any ideas on this?


Locked question. This question was migrated from the Microsoft Support Community.


1 answer

  1. Anonymous
    2024-05-22T01:00:10+00:00

    Hello Joe Aas,

    Good day. Thanks for posting in the community.

    I am sorry to hear that the hacker bypassed the multi-factor. There are three dominant forms of MFA bypass attacks commonly seen today: MFA fatigue, token theft, and Machine-in-the-Middle attacks.

    MFA fatigue is one of the most common and high-profile ways to bypass MFA. It is seen as a form of social engineering, as it involves cybercriminals manipulating users into giving them access to their accounts unwittingly. The way MFA fatigue works is straightforward. MFA often requires end-users to take an action on a personal device to gain access to an account. For example, a pop-up may appear on a smartphone, or an email may be sent, which, when accepted, will then allow a user access. However, if a cybercriminal is able to compromise a username and password, this means they can request access to the legitimate user over and over again, sending pop-up after pop-up, until the user gives in and accepts.

    Token theft is one of the most common forms of MFA bypass attacks. The way multi-factor authentication protocols work is that, once you’ve been introduced to an application, it may place a session cookie on your machine that allows you to continue. If an attacker picks up that session cookie and moves it to another machine, all of the rules that were in place to get that cookie are irrelevant, and you have a problem. There are various types of cookies that can be stolen. So, attackers are looking at cookie theft as a way to bypass good security. So, endpoint protection actually becomes more important, because you’ve got to keep that malware off of your machine. Essentially, this attack involves cybercriminals scraping cookies, the session code used by web browsers to track users as they log in to different web pages. Cookies are designed to reduce friction for users, meaning they don’t have to re-authenticate every time they access a different webpage in the same session. When these attacks are successful, this allows criminals to place these cookies into their own session, and thereby trick the browser into believing they are the authenticating user and bypassing MFA.

    The third form of MFA bypass is Machine-in-the-Middle, or Adversary-in-the-Middle attacks. This is a form of phishing attack which is used to trick users into clicking a malicious link, giving cybercriminals access to machines while circumventing MFA controls.

    Firstly, an attacker will trick a user into clicking on a malicious URL, directing the user to a malicious proxy server. Using this server, the attacker will then be able to intercept network traffic between the user’s computer and the real web server. This will then allow the attacker to capture data from the user’s web session, including credentials and MFA session cookies, allowing the execution of a token theft attack.

    There are some ways for organizations to mitigate these attacks. The first piece of advice is to ensure that your organization has MFA switched on.

    • The first important step to avoiding MFA fatigue attacks is to set limits on the number of MFA push notifications that can be made before access is accepted into accounts, or to disallow the use of push notifications altogether as an authentication method. This is an important feature to look for in an enterprise MFA solution.
    • Number matching is a security feature designed to prevent MFA bypass by ensuring that only a legitimate user requesting access is able to authenticate their identity. The way it works is straightforward: when a user needs to approve a sign-in attempt, they’ll be given a code on their browser, which they must then input onto their mobile device to allow the authentication.
    67 people found this answer helpful.
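The question turns on what the Entra sign-in logs actually show: single-factor successes for the attacker and for legitimate users alike. The script below is an added example for this thread, not code from the original post or from Microsoft. It triages a sign-in log export, treating a single-factor success on its own as informational but escalating it when it also comes from an IP address the user has never signed in from before, or over a legacy protocol that cannot present an MFA prompt. The record layout follows the Microsoft Graph `signIn` resource fields (`authenticationRequirement`, `clientAppUsed`, `ipAddress`, `status.errorCode`); the sample records, the IP addresses, the "first-seen IP" heuristic and the severity labels are all constructed assumptions for illustration. A real export from `/auditLogs/signIns` can be fed in once it is in the same list-of-objects shape.

```python
"""Triage an exported Entra ID sign-in log for single-factor sign-ins that
deserve a closer look. Added example for this thread; not code from the
original post or from Microsoft. Field names follow the Microsoft Graph
signIn resource; the records and IP addresses below are constructed."""
import json
from collections import defaultdict

# Constructed sample export (not real data). One user has a baseline of
# sign-ins from an office IP, then two successes from an unfamiliar IP, one
# of them over IMAP4. A failed attempt and a second user are included as noise.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-18T08:02:11Z",
     "userPrincipalName": "accounting@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-19T08:10:44Z",
     "userPrincipalName": "accounting@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-20T23:41:03Z",
     "userPrincipalName": "accounting@contoso.example", "ipAddress": "198.51.100.77",
     "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-21T01:15:30Z",
     "userPrincipalName": "accounting@contoso.example", "ipAddress": "198.51.100.77",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-21T02:00:00Z",   # wrong password (AADSTS50126)
     "userPrincipalName": "accounting@contoso.example", "ipAddress": "198.51.100.78",
     "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-21T09:00:12Z",
     "userPrincipalName": "owner@contoso.example", "ipAddress": "203.0.113.10",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
])

# Legacy protocols cannot complete an MFA prompt, so a success over one of
# them is always single-factor. Subset of the clientAppUsed values Entra
# reports for legacy authentication (assumed list for this example).
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}


def parse_signins(raw_json):
    """Load an export and order it chronologically so IP baselines build forward."""
    return sorted(json.loads(raw_json), key=lambda r: r["createdDateTime"])


def triage(records):
    """Return findings for successful sign-ins worth a second look.

    A single-factor success alone is "info": legitimate users produce these
    too. It becomes "investigate" when it also comes from an IP the user has
    not used before, or over a legacy client.
    """
    known_ips = defaultdict(set)  # user -> IPs seen on earlier successful sign-ins
    findings = []
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts (bad password, blocked) are not a foothold
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        reasons = []
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            reasons.append("single_factor")
        if known_ips[user] and ip not in known_ips[user]:
            reasons.append("new_ip")
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:
            reasons.append("legacy_client")
        known_ips[user].add(ip)
        if not reasons:
            continue
        severity = "investigate" if "single_factor" in reasons and len(reasons) > 1 else "info"
        findings.append({
            "user": user, "time": rec["createdDateTime"], "ip": ip,
            "client": rec.get("clientAppUsed"), "app": rec.get("appDisplayName"),
            "reasons": reasons, "severity": severity,
        })
    return findings


def users_to_investigate(findings):
    """Map each user to the number of 'investigate' findings, for prioritising."""
    counts = defaultdict(int)
    for f in findings:
        if f["severity"] == "investigate":
            counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(parse_signins(SAMPLE_SIGNINS)):
        print(f"{f['severity']:<11} {f['time']} {f['user']} {f['ip']} "
              f"{f['client']} {','.join(f['reasons'])}")
```

On the constructed data the second sign-in (single factor, known IP, modern client) is only informational, while the late-night browser sign-in from a new IP and the IMAP4 sign-in that follows are both flagged for investigation. A legacy-client success is the finding to chase first: it implies a password was used without any second factor, which points at credential theft rather than token theft or an adversary-in-the-middle proxy.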