Hackers have figured out how to attack Office 365 and Google G Suite accounts protected by Multi-Factor Authentication (MFA).
No, this is not a bug in some software, and no, it is not a hyper-sophisticated attack.
In fact, it is very old school.
First, as best I understand it, this is a limited attack, so it is not a full compromise.
It is a perfect example of security vs. convenience.
OK, I will end the suspense.
Both Microsoft and Google support IMAP for email, and IMAP does not support multi-factor authentication.
The bad guys run password-spray attacks against millions of accounts from a large number of compromised machines.
If they get in, they use that compromised email account as a landing spot to launch attacks against other users in the same organization since they are now (pretending to be) a trusted insider.
If the company has enabled geo-fencing then the attackers might be able to use a proxy or VPN to get inside the fence, but that is more time and more work.
So does that mean that MFA is useless?
Actually not at all.
First of all, if you can, disable all legacy, insecure protocols (the ones that do not support MFA).
Next, if you can, enable geo-fencing. This will make things harder for the bad guys.
For systems that support it, enable improbable-login detection. This flags logins that don’t make sense, even when they come from inside the geo-fence.
Enable maximum logging and alerting. Again we are trying to make it hard for the bad guys so they will go somewhere else.
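To show what "logging and alerting" can catch here, the following is an added example (not from the original post or from Proofpoint) that runs two checks over constructed sign-in records: a password-spray pattern (one source IP failing against many distinct accounts) and any successful login over a legacy protocol that MFA never saw. The record fields and the legacy-client names are assumptions loosely modelled on cloud sign-in logs, not a specific vendor's schema.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names are an
# assumption: user, source IP, client protocol, and whether the attempt succeeded.
SAMPLE_LOGS = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "client": "IMAP4", "success": False},
    {"user": "bob@example.com", "ip": "203.0.113.7", "client": "IMAP4", "success": False},
    {"user": "carol@example.com", "ip": "203.0.113.7", "client": "IMAP4", "success": False},
    {"user": "dave@example.com", "ip": "203.0.113.7", "client": "IMAP4", "success": True},
    {"user": "erin@example.com", "ip": "198.51.100.4", "client": "Browser", "success": True},
    {"user": "erin@example.com", "ip": "198.51.100.4", "client": "Browser", "success": False},
]

# Assumed labels for protocols that cannot present a second factor.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP AUTH"}


def find_password_spray(records, min_users=3):
    """Return {ip: sorted distinct users} for every IP that failed auth against
    at least min_users distinct accounts. Breadth across users (rather than
    many failures on one user) is the spray signature."""
    failed_users = defaultdict(set)
    for r in records:
        if not r["success"]:
            failed_users[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in failed_users.items() if len(u) >= min_users}


def find_legacy_successes(records):
    """Return (user, ip) for successful sign-ins over legacy protocols,
    i.e. the logins that bypassed MFA entirely."""
    return [(r["user"], r["ip"]) for r in records
            if r["success"] and r["client"] in LEGACY_CLIENTS]


def alerts(records, min_users=3):
    """Combine both checks into (severity, message) tuples, highest first."""
    spray = find_password_spray(records, min_users)
    out = []
    for user, ip in find_legacy_successes(records):
        # A legacy-protocol success from a source that was spraying is the
        # "landing spot" scenario described above: escalate it.
        sev = "HIGH" if ip in spray else "MEDIUM"
        out.append((sev, f"legacy-protocol login for {user} from {ip}"))
    for ip, users in spray.items():
        out.append(("MEDIUM", f"password spray from {ip} against {len(users)} accounts"))
    return out
```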
While none of this is perfect, not having MFA enabled definitely makes life easier for the hacker. Make it harder and unless you are a specific target, the hacker will move on.
Source: Proofpoint.