Last night, one of our organizational user accounts was compromised, and it was being used to send phishing links to a lot of different emails. Interestingly, this account had 2FA enabled, and the attacker was able to authenticate using the Microsoft Authenticator app. I'm trying to figure out how this happened. Any insights?
5 Answers
It sounds like token theft might have happened here. The attacker could have set up a fake sign-in page to steal the token from the user. It's a common tactic and can catch even the careful ones off guard.
Absolutely. I know of a client who had a high-level manager fall for this scheme.
Most likely, the account was compromised using a Man-in-the-Middle (MitM) attack with tools like Evilginx. This is becoming the standard method for breaching accounts with MFA. To safeguard against this, look into conditional access policies that require device compliance or phishing-resistant MFA solutions.
Consider setting up conditional access policies and maybe even a SIEM tool to monitor your Microsoft 365 environment. Blumira offers a free M365 SIEM tool that could help catch unauthorized changes or actions taken by the attacker.
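A detection check in the spirit of the SIEM monitoring suggested here and the token-theft scenario described in the answer above, added as an example (not code from any poster, Blumira or Microsoft): it scans sign-in records for a session token that was minted by an interactive MFA sign-in and is later presented from a different IP address, which is what replaying a stolen token looks like in the logs. The record layout and field names are a simplified assumption modelled on Entra ID sign-in logs, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in log fields
# (assumption: field names are simplified; real exports differ and carry more).
SIGN_INS = [
    {"time": "2024-05-02T01:10:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "session": "S1", "interactive": True,  "mfa": "completed in the cloud"},
    # same session token reappears minutes later from a different network
    {"time": "2024-05-02T01:14:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "session": "S1", "interactive": False, "mfa": "satisfied by claim in the token"},
    {"time": "2024-05-02T08:00:00", "user": "bob@example.com", "ip": "192.0.2.20",
     "session": "S2", "interactive": True,  "mfa": "completed in the cloud"},
    # normal token refresh: same session, same source, no alert
    {"time": "2024-05-02T08:05:00", "user": "bob@example.com", "ip": "192.0.2.20",
     "session": "S2", "interactive": False, "mfa": "satisfied by claim in the token"},
    # token presented with no recorded interactive MFA sign-in for that session
    {"time": "2024-05-02T09:00:00", "user": "carol@example.com", "ip": "198.51.100.7",
     "session": "S3", "interactive": False, "mfa": "satisfied by claim in the token"},
]

def find_token_replay(events, window=timedelta(hours=12)):
    """Flag non-interactive sign-ins whose MFA requirement is satisfied by an
    existing token but that arrive from a different IP than the interactive
    sign-in which minted that session, or that have no interactive origin at
    all. An IP change alone is a signal, not a verdict (mobile roaming, VPNs);
    correlate with ASN/geo and the user's history before acting."""
    origin = {}   # session id -> (time, ip) of the interactive MFA sign-in
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["interactive"]:
            origin[e["session"]] = (t, e["ip"])
            continue
        if "claim in the token" not in e["mfa"]:
            continue  # MFA was actually performed here; not a reused token
        if e["session"] not in origin:
            alerts.append({**e, "reason": "token with no interactive origin"})
        else:
            t0, ip0 = origin[e["session"]]
            if e["ip"] != ip0 and t - t0 <= window:
                alerts.append({**e, "reason": f"token minted from {ip0} used from {e['ip']}"})
    return alerts

if __name__ == "__main__":
    for a in find_token_replay(SIGN_INS):
        print(a["time"], a["user"], a["reason"])
```

Run against a real export, the same rule is a starting point for a SIEM alert; pair it with a conditional access policy that requires a compliant device so a replayed token alone is not enough to get in.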
It's clear that while 2FA can block 99% of threats, there are still ways attackers can bypass it. Look into digital forensics consultation to get to the bottom of this issue. Also, consider beginning to deploy passkeys; they're proving effective against phishing attacks.
Just keep in mind that passkeys aren't immune to token theft either.
There's a really high chance that your user got phished and unknowingly provided their MFA code to the bad actor. While it's possible there are advanced exploits involved, this scenario usually points to a phishing incident. If you use Intune, consider implementing conditional access policies to tighten security, or Entra P2 licenses for additional protection.
But what if the user never had the authenticator app set up before? Could it still be possible?