Dear ISPA members,

One of the members of ISPA’s Security WG recently highlighted the following security concern. Since this is likely to impact many ISPA members we are sharing it, with permission. Thanks to Vox’s Jaco Prinsloo for reporting this.

Short version: Two of the methods Microsoft uses to authenticate Office 365 users are extremely vulnerable to social engineering exploitation.

Longer version:

For Office 365 multi-factor authentication (MFA), there are four methods available:

  1. OTP via SMS sent to user's mobile phone
  2. Phone call from Microsoft requiring user to press the # key
  3. Microsoft authenticator app - Using the verification code
  4. Microsoft authenticator app - Push message to mobile phone - User required to select "Accept" on their phone

Recent phishing attacks take advantage of two of these methods after a user’s credentials have been phished. The attackers log in to the Microsoft portal with the stolen credentials, which triggers one of two verification prompts:

  • The valid user receives the Microsoft call and is prompted to press '#' to allow the login. The user obliges without giving much consideration to whether it is actually one of their own apps requiring authentication.
  • The valid user receives a push notification on their phone to accept a new login. The user accepts the login without giving it much thought. This is especially true for users who have multiple devices running MS apps.

Both of the above verification methods are dangerous because the user does not need to input an OTP or verification code in their browser or MS application, so the user's response quickly becomes habitual or automatic. The MFA approval can also be given even when the user is nowhere near the device where the sign-in is actually taking place.
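As an added illustration (not part of the ISPA message or any Microsoft tooling), the following Python check runs over constructed, simplified sign-in records and flags the two patterns the attack above leaves behind: a burst of approval-only prompts (push or phone call) for one user, and an approval-only MFA success from an address the user has never passed MFA from before. The field names and log layout are assumptions, not Microsoft's export format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (simplified; not a real Azure AD export).
SAMPLE_EVENTS = """\
{"ts":"2022-08-01T08:02:10","user":"alice","ip":"192.0.2.10","method":"push","result":"approved"}
{"ts":"2022-08-02T08:05:44","user":"alice","ip":"192.0.2.10","method":"push","result":"approved"}
{"ts":"2022-08-03T03:11:02","user":"alice","ip":"203.0.113.7","method":"push","result":"denied"}
{"ts":"2022-08-03T03:11:40","user":"alice","ip":"203.0.113.7","method":"push","result":"denied"}
{"ts":"2022-08-03T03:12:15","user":"alice","ip":"203.0.113.7","method":"push","result":"approved"}
{"ts":"2022-08-03T09:00:00","user":"bob","ip":"198.51.100.4","method":"app_code","result":"approved"}
{"ts":"2022-08-03T09:30:00","user":"bob","ip":"198.51.100.4","method":"phone_call","result":"approved"}
"""

# The two "just approve it" methods the advisory warns about (assumed labels).
APPROVAL_ONLY = {"push", "phone_call"}


def parse_events(text):
    """Parse JSON-lines records and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(events, window=timedelta(minutes=10), max_prompts=3):
    """Return (user, timestamp, reason) tuples for risky approval-only MFA use."""
    alerts = []
    known_ips = defaultdict(set)   # addresses that already passed MFA per user
    recent = defaultdict(list)     # timestamps of recent approval-only prompts
    for e in events:
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["method"] in APPROVAL_ONLY:
            # Keep only prompts inside the sliding window, then add this one.
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= max_prompts:
                alerts.append((user, ts, "burst of approval-only prompts"))
            # A first-ever address is only suspicious once a baseline exists.
            if e["result"] == "approved" and known_ips[user] and ip not in known_ips[user]:
                alerts.append((user, ts, f"approval-only MFA from new IP {ip}"))
        if e["result"] == "approved":
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the sample data only alice's 03:12 approval is flagged, on both counts; bob's phone-call approval comes from an address he already used with the app code, so it stays quiet.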

OTP via SMS is more secure than the push notification or phone call, but SMS is an unencrypted protocol, so the OTP travels in clear text and this verification method is still susceptible to man-in-the-middle or insider attacks.

The most secure MFA method currently available is the authenticator app verification code, and IT teams should enforce it as far as possible. It does, however, require a smartphone, so every employee without one will unfortunately have to fall back to the SMS OTP method.

Microsoft is working on updates to the Azure/Office 365 platforms that will allow system admins to force all logins to require credentials first and only then the verification code or the notification acceptance, which should make the user more involved in, and thus more aware of, each authentication. Once this becomes available, IT teams should consider implementing it for all staff members.

If you have any questions about this message please contact the secretariat@ispa.org.za team, or consider joining ISPA’s Security working group.

Sunday, August 7, 2022