Hackers are using this sneaky exploit to bypass Microsoft's multi-factor authentication

Attackers guessed the password of a dormant account and were able to apply their own MFA to it - providing access to the victim's network.
Written by Danny Palmer, Senior Writer

Attackers are taking over dormant Microsoft accounts and enrolling their own multi-factor authentication (MFA) devices on them, turning the protection into a way into cloud services and networks, researchers have warned.

The technique has been detailed by cybersecurity researchers at Mandiant, who say it is being used in hacking campaigns by APT29 – also known as Cozy Bear – a hacking and espionage operation widely believed to be linked to Russia's Foreign Intelligence Service (SVR). Other offensive cyber-threat groups are thought to be using the same tactics.

Multi-factor authentication is a useful tool for organisations looking to prevent account takeovers and cyberattacks against cloud services and other parts of the network. However, while it's extremely effective at defending against intrusions, it's not infallible and cyber attackers are finding ways around it. 

According to Mandiant, cyber criminals are exploiting the self-enrollment process for applying MFA to Microsoft Azure Active Directory and other platforms to take control of Microsoft 365 and other accounts. 


When organisations first roll out MFA to users, many platforms allow users to enrol their MFA device – usually their smartphone – the next time they log in. This process is often followed because it's the most efficient way to provide as many users as possible with MFA to help secure their accounts. 

But as the researchers point out, if there is no additional verification around the MFA enrollment process, anyone who knows the username and password of an account can enrol an MFA device on it, so long as they are the first person to do so – and attackers are using this to gain access to accounts. 

In one instance detailed by Mandiant, attackers attributed to APT29 obtained a list of undisclosed mailboxes through unknown means and successfully guessed the password of an account that had been set up but never used. 

When Azure Active Directory prompted for MFA setup at that first login, the attacker not only had control of the account but was also able to tie MFA to a device they owned, so MFA authorised their access rather than keeping them out. 


From here, the attackers were able to use the account to access the victim organisation's VPN infrastructure. The researchers don't disclose the victim or what the aim of this attack was – although APT29 is known to target US interests and those of NATO and partner countries. 

The incident shows that, even with MFA in place, it is possible for attackers to take over dormant accounts by enrolling MFA themselves – and because nobody legitimately uses such an account, the takeover may go unnoticed for some time. 

To counter this, it's recommended that organisations put additional protections in place to verify that the person registering an MFA device is the legitimate owner of the account.

"Organisations can restrict the registration of MFA devices to only trusted locations, such as the internal network, or trusted devices. Organizations can also choose to require MFA to enroll MFA," said Douglas Bienstock, incident response manager at Mandiant.  

"To avoid the chicken-and-egg situation this creates, help desk employees can issue Temporary Access Passes to employees when they first join or if they lose their MFA device. The pass can be used for a limited time to login, bypass MFA, and register a new MFA device," he added. 

Microsoft recently rolled out a feature – a Conditional Access policy targeting the "Register security information" user action – that allows organisations to enforce controls around MFA device enrollment, such as requiring a trusted location, a compliant device or existing MFA before a user can register. This can help to prevent attackers from gaining access to accounts. ZDNET has contacted Microsoft for comment.

With dormant accounts the key targets of this particular campaign, it is also useful for information security teams to know which accounts have never been used, and to retire them if they serve no purpose. 

It's also worth ensuring that these accounts aren't left with default or predictable initial passwords, which attackers can easily guess. 
