We've had a troubling situation where multiple accounts in our company have been compromised, even though we have Multi-Factor Authentication (MFA) set up. Somehow, attackers are still able to send out emails from these accounts. I've checked the user sign-in logs in Office 365, which indicate that the MFA requirement was met, but the logins are originating from New York or Florida, while our office is based in Texas. I'm concerned about how this could be happening and what steps we can take to prevent it.
10 Answers
User training and implementing Conditional Access policies are vital. MFA doesn't necessarily protect users from phishing attacks, so education on recognizing these threats is also crucial.
If users' accounts are being compromised while MFA is enabled, don’t assume it’s session hijacking right away. Check for potential spoofing issues or if emails are being sent from lookalike domains, as that could be a simpler explanation.
Be mindful of what type of MFA you're using. If it's just SMS codes or app notifications, these can be easy to bypass through phishing. Opt for more secure methods like passkeys or FIDO2, and also only allow sign-ins from known, registered devices.
Before jumping to conclusions, check the mail headers to rule out spoofing. Make sure to inspect any logs for the accounts to verify whether the emails were sent from an authenticated client or if a compromised device is involved. MFA can sometimes fail against internal threats if equipment has already been compromised.
A common tactic involves AiTM phishing, where users unknowingly approve logins through malicious infrastructure that mimics legitimate M365 pages. Once they approve, attackers can hijack the session and assume control. To combat this, consider adopting phishing-resistant MFA options like FIDO2 keys, which can be more secure against these types of attacks.
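The symptom in the question (MFA reported as satisfied, yet sign-ins from New York or Florida against a Texas office) and the AiTM session hijack described in this answer can both be surfaced by a triage pass over exported sign-in records. The following is an added example, not code from the thread; the record fields, the expected-state set and the registered-device list are constructed assumptions and are not the real Office 365 sign-in log schema.

```python
from datetime import datetime

# Constructed sign-in records (assumed shape, not the real Office 365 export).
SIGN_INS = [
    {"user": "alice@example.com", "time": "2024-03-04T09:02:00", "state": "TX",
     "ip": "203.0.113.10", "mfa": "satisfied", "device": "DESK-0042"},
    {"user": "alice@example.com", "time": "2024-03-04T09:40:00", "state": "NY",
     "ip": "198.51.100.7", "mfa": "satisfied", "device": ""},
    {"user": "bob@example.com", "time": "2024-03-04T10:15:00", "state": "FL",
     "ip": "198.51.100.22", "mfa": "satisfied", "device": "LAP-0011"},
    {"user": "carol@example.com", "time": "2024-03-04T11:00:00", "state": "TX",
     "ip": "203.0.113.10", "mfa": "satisfied", "device": "DESK-0101"},
]
EXPECTED_STATES = {"TX"}                    # where the workforce actually is
REGISTERED_DEVICES = {"DESK-0042", "DESK-0101"}  # assumed device inventory
TRAVEL_WINDOW_HOURS = 2                     # two states inside this window is not plausible


def find_suspicious(records, expected_states=EXPECTED_STATES,
                    registered=REGISTERED_DEVICES, window=TRAVEL_WINDOW_HOURS):
    """Return {user: [reasons]} for sign-ins that passed MFA but look like a stolen session."""
    findings = {}
    last_seen = {}  # most recent MFA-satisfied sign-in per user, for the travel check
    for r in sorted(records, key=lambda x: x["time"]):
        if r["mfa"] != "satisfied":
            continue  # blocked or failed sign-ins are not the problem described
        reasons = []
        if r["state"] not in expected_states:
            reasons.append(f"MFA satisfied from unexpected location {r['state']} ({r['ip']})")
        if r["device"] not in registered:
            reasons.append("sign-in from unregistered or unknown device")
        prev = last_seen.get(r["user"])
        if prev and prev["state"] != r["state"]:
            delta = datetime.fromisoformat(r["time"]) - datetime.fromisoformat(prev["time"])
            if delta.total_seconds() <= window * 3600:
                reasons.append(f"impossible travel {prev['state']}->{r['state']} in {delta}")
        last_seen[r["user"]] = r
        if reasons:
            findings.setdefault(r["user"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(SIGN_INS).items():
        print(user, "->", "; ".join(reasons))
```

Any user flagged here is a candidate for revoking refresh tokens and active sessions, not just a password reset, since an AiTM-captured session survives a password change until the tokens are invalidated.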
I’d suggest looking into a threat hunting platform like Huntress. While it’s not a catch-all solution, it can provide additional monitoring and response capabilities to identify issues faster.
Huntress is decent, but remember that it's only as effective as the logs it analyzes. You’ll still need robust security measures in place to stop these attacks before they happen.
Consider verifying the types of MFA in use. It's surprisingly easy to trick someone into giving their SMS verification code, especially if phishing tactics are used.
First, you should confirm that the emails actually came from the accounts in question. Run an outbound message trace for each account to see the details of the sent emails. Spoofing can still occur, and if your email protections like SPF fail, it can lead to these problems. Some people set rules to automatically drop any emails that fail SPF or have weak DMARC policies, which might help you.
I completely agree! We’re seeing a lot of spoofed emails because of weak configurations. It’s essential to ensure that your email authentication strategies are robust, or you might end up dealing with frequent spoofing issues.
It's possible that the attackers are using session hijacking tactics. Have you considered implementing conditional access solutions? This can greatly enhance your security posture by restricting access based on certain conditions.
You might want to onboard your devices to Intune to enforce compliance policies. This way you can enable conditional access policies that restrict sign-ins to only those compliant devices, adding another layer of security.
Absolutely! Just make sure to review the OAuth2 approved applications frequently. I've seen cases where attackers exploit these apps to send emails even after changing passwords.