Multifactor authentication (MFA) can be a mighty bulwark against unauthorized access, but there’s at least one method bad actors have employed to do a two-step around the defense: sneaking illegitimate two-factor devices into a Microsoft network. Here’s an example of how such a clever but dangerous intrusion happens: An email that appears to have been sent from a business on its legitimate account states that the company’s banking information is being updated for automated clearing house (ACH payments). Something about it seems fishy, so a review is conducted, which confirms that the email was indeed being sent out from an internal email account.
The trouble is, the authorized user claims to have sent no such email. Upon investigation, it is determined that an additional authentication device was added to the account in addition to the normal user’s Android application, leading to the compromise. How could this have happened? More importantly, how could an alert be created to ensure it never happens again and the company is better protected in the future?
Multifactor authentication is not the problem
Multifactor authentication is not the issue here — it remains a key method for keeping networks more secure. It ensures that only those users get authenticated on the network that you want authenticated. But like anything in technology, because we are moving more and more to two-factor authentication, attackers are finding ways to get around our defenses.
In the example above, attackers have realized that one way around MFA is (after they’ve gained base-level access to the network) to sneak an additional device into an account that can be used for two-factor. They then exploit the option that the main authentication application is not available and employ an alternative method to provide authentication, choosing the cellphone or device that has been surreptitiously added.
The bottom line is, no matter what authentication you have set up for your organization, to ensure that you are monitoring who and what is using it. It’s imperative to review who is logging in and what devices they are using to gain access to your firm.
The attackers are getting smarter and know that more and more organizations are deploying these solutions. If they target your organization and realize that you have two-factor or better as protective measures, they will evaluate their options and act accordingly. Make it harder for them to make you a target and monitor your protections.
