MFA Relay attacks – In today’s digital age, cyber security threats have become a pervasive issue for businesses across the globe. With more and more enterprises moving towards a digital environment, the need for stronger security measures has become even more critical. One such security measure that has gained immense popularity in recent times is Multi-Factor Authentication (MFA).
MFA is a highly effective security measure. It requires users to provide more than one form of identification to gain access to a resource. However, cyber attackers have now found ways to circumvent this security measure. They use a new technique called the MFA relay attack or the Evilginx attack.
In this article, we will explore the risks associated with the MFA relay attack in an enterprise environment . We will also analyze the impact it can have on an organisation’s security posture.
Risk of account compromise
In today’s modern enterprise environment, the use of Office 365 accounts for user identification is widespread. These accounts are linked to the Active Directory. They enable companies to efficiently manage user rights, policies and other settings for all users. These same accounts are used to access various Microsoft resources such as Outlook, OneDrive and SharePoint. They are also used to access third-party services or in-house applications through Microsoft’s Single Sign-On (SSO) feature.
This approach can be very practical for both the administrators, who can configure settings in one central place. They can get sync across the entire organisation. This is the same for users. They only need to remember credentials for a single account to access all of the company’s resources.
However, this creates a significant security challenge as a compromised account could expose a lot of sensitive company information. Safeguarding user accounts becomes crucial in order to prevent unauthorized access and data breaches.
MFA Security
In this context, Multi-Factor Authentication (MFA) becomes a critical security measure to help protect user accounts. This authentication method requires the user to provide at least two different factors of authentication to gain access to online resources. The most commonly used factors include the user’s password . It also includes the acceptance of a notification or the entry of a one-time password received from an app or via SMS.
This additional layer of security provided by MFA is especially performant against traditional phishing attacks. In scenarios where an attacker tricks a victim into accessing a fake login page and steals their username and password, the attacker would not be able to use these credentials without the second factor of authentication.
This makes MFA a robust defense mechanism against unauthorized access. It adds an extra layer of protection even if the initial attack is successful.
Evilginx Phishing Attack
Phishing attacks have evolved to bypass the security measures of Multi-Factor Authentication (MFA) and gain unauthorized access to user accounts. Attackers no longer rely on setting up fake login pages to trick the victims. Gathering the users’ credentials alone will not be enough to compromise an account.
Instead, they are now using a new technique called “MFA relay attack” or “Evilginx attack” (based on the most known tool to implement it).
In the new process, the phishing application acts as a proxy. It intercepts and forwards all victim’s traffic, including the MFA request and response, to the original login page. This technique is similar to a Man-in-the-Middle attack. The attacker positions themselves between the victim and the legitimate login application, allowing them to intercept and monitor all traffic.
This time, the victim’s credentials are not only being gathered. They are also relayed in real-time to the original login application, which then initiates the MFA process if needed. Once the MFA is completed and the login is sucessful, the phishing tool will extract the authentication tokens (e.g. cookies) directly from the original response. The hacker can then manually input these cookies in his browser and get full access to the victim’s office account.
Demo
Risks
In the case of the SSO such as Microsoft login, the risks associated with a successful attack are more extensive than initially anticipated. With access to the victim’s office account, the attacker can perform malicious actions, including:
Accessing all emails and contacts and sending emails on behalf of the victim.
Accessing all SharePoint documents, potentially exposing sensitive company information.
Access to Teams, including the entire chat history, which could compromise communication and collaboration within the organisation.
This is already troubling but depending on the exact context and the potential privileged information the attacker has been able to gather with the credentials, other attacks might be possible.
Indeed, the compromised account can also be used to:
-Interact with other web applications that implement Microsoft SSO, such as Atlassian, planning apps, timesheet apps, and more, potentially gaining unauthorized access to additional resources.
-Gain VPN access to the internal network, allowing the attacker to infiltrate the organisation’s infrastructure.
-Log in on a domain machine, either physically or via Remote Desktop Protocol (RDP)
-Giving the attacker further access to the victim’s workstation and potentially other systems within the network.
-Interact with a Domain Controller , which could result in unauthorized changes to network settings and permissions, causing widespread damage to the organisation’s IT environment.
How to protect against this type of attack
The MFA relay attack poses a severe threat to enterprise security. However, there are ways to mitigate the risk associated with this type of attack.
One crucial measure is to focus on phishing awareness campaigns to educate employees and help them identify and avoid falling victim to phishing attacks. This can greatly reduce the risk of compromise through standard phishing techniques used in MFA relay attacks.
For organisations using Microsoft as their Identity Provider (IDP) in a Microsoft 365 environment, subscribing to features such as Azure Conditional Access and configuring them properly can provide an additional layer of security.
Still within the Microsoft realm, enrolling authorized devices into Intune and allowing only authorized devices to connect to the identity provider can further enhance security.
In supported scenarios, users can authenticate using Universal Second Factor (U2F) and hardware tokens such as Yubikey. These hardware tokens cryptographically link to the original identity provider, making it difficult for threat actors to spoof their identity.
It is important to note that Windows defender ATP and other EDR solutions can provide some protection against MFA relay attacks by detecting rogue IDPs based on threat intelligence, they may not provide complete protection, especially in targeted attacks where the IP of the Evilginx server may not be blacklisted, and the attack may still succeed.
Conclusion
In conclusion, the MFA relay attack is an evolving threat that poses a severe risk to enterprise security.
As cyber attackers become more sophisticated, it is essential for businesses to implement robust security measures to protect against these threats.
MFA is an effective security measure, but it is not fool proof. Enterprises need to supplement MFA with additional security measures, such as conditional access policies and advanced security solutions, to ensure that their critical resources are protected against MFA relay attacks and other emerging threats.
By taking a proactive approach to cyber security, organisations can reduce the risk of compromise and protect their business from cyber threats.
