- Justin Jackson
A TRICKY GAP IN YOUR MFA STRATEGY
Updated: May 3
Microsoft cites one of the most compelling stats in cybersecurity: Multi-Factor Authentication (MFA) can block over 99.9% of account compromise attacks. So – if your company is enforcing MFA, you are good, right?
The answer: Well, it depends.
Under the Hood: Convenience vs. Security
In addition to not properly enforcing MFA, one of the most common issues we encounter during M365/Google Workspace security audits is not disabling legacy protocols (POP, SMTP, MAPI, etc.). Legacy protocols are processes that use basic authentication to connect to email clients, calendars, and web services. Said differently – basic authentication only requires a username and password, and those credentials are also often stored or saved on the device.
Why should you care if your organization enforces MFA? Because legacy protocols can be exploited to nullify all that effort to get your company MFA compliant.
Traditionally, neither Microsoft nor Google disables the use of legacy protocols by default. The reason is legacy protocols are used by a variety of applications to improve ease of access and use. Therefore – even if you are using Microsoft Authenticator, Duo, or Okta – it won’t matter to the adversary, who will simply ride these legacy protocols right past your MFA controls.
The Attack Path
One of your employees in Finance – let’s call him Bob – sends a handful of invoices to customers each week.
Unfortunately, Bob has a habit of reusing passwords and used his company email to sign up for a commercial service that was recently breached (e.g., Uber, Doordash). An adversary finds Bob’s exposed creds on the Dark Web and decides to attack your business as a target of opportunity.
Although your company has 100% MFA compliance, no one changed the legacy protocol security settings in your Microsoft tenant. So even though Bob is enrolled and actively uses MFA, the attacker simply uses an older email client that doesn’t support modern authentication (e.g., Outlook 2010, Apple Mail). This allows the attacker to breach Bob’s account using only the exposed username and password. From here, the adversary is perfectly situated to execute other attacks while masquerading as Bob within the Microsoft tenant (e.g., Invoice Fraud).
Within a few weeks, clients are calling about the products they purchased but have not received. After a brief investigation, you discover that these invoices were fake and routed to a bank that is not affiliated with your business. The point of entry was Bob’s email.
Note: This is one attack path, but there are a variety of others. Even if Bob doesn’t reuse passwords and his creds were not exposed on the dark web, we often encounter easily guessable passwords like “Spring2023!” during our engagements. The point here is that allowing basic authentication in your tenants is a significant vulnerability that should be mitigated.
What to Do
Conduct an M365/Google Workspace security audit to ensure that out-of-the-box security settings available in Microsoft and Google are optimized to improve your company’s security. That way, you can know for sure if there are gaps in your MFA strategy and take active steps in mitigating this threat.
That being said, Microsoft and Google are taking a proactive approach to automatically disabling many of these protocols. Legacy authentication, for instance, has been blocked by default as part of Azure Active Directory security defaults for all new tenants since October 2019. Microsoft also announced that beginning in October 2022, basic authentication will be automatically disabled in all tenants, regardless of usage (except for SMTP auth).
Microsoft also updated its guidance and warned that it will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security further. The outdated Exchange Online basic auth login method will be deprecated for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell (RPS), Exchange Web Services (EWS), Offline Address Book (OAB), Autodiscover, and Outlook (for Windows and Mac). And the SMTP AUTH protocol used for client email submissions will also be disabled in all tenants where it's not being used.
As of May 2022, Google no longer supports third-party apps or devices that ask you to sign into your Google Account using only your username and password. With that in mind, that deadline does not apply to Google Workspace or Google Cloud Identity customers. Google notes that the enforcement date for these customers will be announced on the Workspace blog at a later date.
In the meantime, Google Workspace users should consider turning "Less secure app access" setting off in favor of more secure apps. While Google has stated they have automatically turned off this feature for Workspace users that do not use it, it is worth double-checking given the “less secure option” opens your company up to the same previously mentioned vulnerabilities.
Regardless of these efforts, the basic authentication feature is still widely available, including through mail applications like Apple Mail. Having an idea of what applications and users within your tenant are using legacy protocols is important to mitigate this attack vector. Strong consideration should be given to blocking the use of applications that still use basic authentication as they present the same MFA bypass vulnerability discussed above.
Company policies should also mandate the use of mobile email applications native to the platform (e.g., Outlook and Gmail mobile) instead of non-native apps like Apple Mail in order to enforce the use of modern authentication and eliminate this common attack vector leveraged by cyber adversaries.
Another option is to consider executing a cloud email security audit. This is a great way to address your environment's most common security misconfigurations. Our approach to these follows a 12-point inspection approach of critical security controls to audit your tenant environment and optimize its configuration according to best practices. Depending on the organization's environment, these audits can typically be completed over three to four workdays and may be followed by an additional remediation period. The time to remediate depends mainly on the organization's security resources and may also be influenced by its readiness to adopt some of the recommended changes.
In either case, MFA is one of the most effective security controls that seem to be all too often overlooked in its use and implementation. It remains, however, a foundational building block and one of the most effective means to mitigate risk across the enterprise.