back to article Crooks target top execs on Office 365 with MFA-bypass scheme

A business email compromise scheme targeting CEOs and CFOs using Microsoft Office 365 combines phishing with a man-in-the-middle attack to defeat multi-factor authentication. These attacks take advantage of a Microsoft 365 design oversight that allows miscreants to compromise accounts with MFA enabled and achieve persistence …

  1. NoneSuch Silver badge

    Or we can just lock the door after the horse has bolted.

  2. Throatwarbler Mangrove Silver badge


    Ironically, I got the notification that I needed to change my Plex password because of their leak. Even Plex required me to enter my 2FA code to change my password, however, so the notion that you would not need to enter a current 2FA code to change your authentication mode is mind-boggling.

    1. Dan 55 Silver badge

      Re: Unbelievable

      I guess they thought it would cover the "lost or stolen" use case... but you can't distinguish between authenticator apps in the 2FA management screen either, so if one device goes walkabout how are you supposed to remove it?

      You have to delete them all and set them up again on your remaining devices.

      Double facepalm for Microsoft.

      1. Ali Dodd

        Re: Unbelievable

        Not defending MS and their system does have some serious issues to look into but:

        Both the primary method of managing your account on 365 and Azure AD do list the device name (internal model on android and name you gave it on IOS) against the authenticator.

        If you want to get into the security methods to change your authenticator you do need to authenticate again...

        This is on a standard tenancy with no special configuration - just checked.

        it would be useful for MS to give more info about the authenticator like location last used but that would get into issues with privacy. They should ask you for a unique name when you set it up.

        1. Dan 55 Silver badge

          Re: Unbelievable

          Maybe there's a admin screen with more info, but on which is what I see, when I have three alternative authenticator apps registered (i.e. non-MS authenticator apps), I just see three lines with "Authenticator app" and no way to distinguish between them or get any more info.

          Yes, it would be easy to fix by allowing the user type in a string when registering a new non-MS authenticator app which appears in the list, but it's probably right at the bottom of MS' to do list as it makes life easier for you to use non-MS software.

        2. razorfishsl

          Re: Unbelievable

          DO NOT use the MS authenticator

          it is a dog collar GPS up your ass.

          it reports geo-location of any one using it , back to MS every 5 minutes....

          They are building a massive tracking system of personal information... just like Apple & google.

  3. Anonymous Coward
    Anonymous Coward

    Location anyone?

    Okta shows me where an MFA request originated right on the approval screen. I take it MS Authenticator can't do that? In this case it would show the request coming from Singapore, so I would hope a user might be a little bit suspicious (though probably not - most are so tired of auth prompts they just kneejerk approve everything that comes along).

    1. James O'Shea

      Re: Location anyone?

      Apple's MFA checks locations. However, the geolocation system has... problems. On several occasions I've attempted to log in, got the MFA screen and have been told that the attempted login in in Atlanta, Georgia, or Dallas, Texas. No, I'm neither in Georgia or Texas. However, I do use AT&T for cell connections, and I was away from base, and AT&T has major operations in Atlanta and Dallas. As I knew damn well that it was me, having just clicked the link myself, I went ahead. If I had seen Hong Kong or Moscow I probably would not have.

      In any case, if I don't like where the geotag says the query is coming from, restarting the device usually gets me a new IP which is usually somewhat more accurate. It's annoying, but paranoid, to have to restart, but there it is.

      Why MS can't put up a location screen is, well, one of the questions I asked a certain organization who insists on using MS Authenticator. If they ever reply, not that I'm holding my breath while waiting, I'll get back to this question. I suggest that others not hold their breath either. An attempt to contact MS on this required considerable jumping through hoops (have you tried to talk to an actual human at MS recently?) and total incomprehension. The 'tech support' guy literally could not understand why I might want to know location infor for a MFA query.

      Others may attempt to contact those who force MS Auth, and MS itself. Good luck. You'll need it.

  4. razorfishsl

    They did not "discover" anything..... Been dealing with this since jan 2022 with multiple MS reports.... took them until June to admit they could duplicate it.

    There is another interesting caveat to all this...... where even resetting the users PW will not return the account to normal & remove this setup. (even account shows no other authentication systems)

    Had some MASSIVE arguments with both MS engineer staff and our so called support provider.

    MS was at one stage INSISTING we give control to our service provider to come in as super admin above our organization so that they could insert other users to

    manage our instance.

    When that failed the blocked our ability to place support requests, other than via the service provider , and THEN they refused to act upon their service requests unless they were filed from OUR MS instance, basically they wanted any excuse to NOT deal with what we found.

    Then when we pointed out that it was possible to log into other instances that were NOT allocated to our Admin PW or even domain name!!!, they almost shit the bed shouting its not possible.... actually yes it is.

    needs certain conditions to exploit it, but doable.

    Esp. when we refused to tell them how.. in view of them treating our business with such disrespect, why should we...

    so for over 8 months not only do they have this shitfest.....but also a way to exploit admin login into other instances.

    Their whole front end for security is a JOKE.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like