A growing trend: How Multi-Factor Authentication can be defeated
Multi-Factor Authentication (MFA) has become a cornerstone of modern cybersecurity, touted as an essential defence against account compromise. However, MFA is not an impenetrable shield, and relying on it alone can leave businesses with a false sense of security.
At razorblue, we’ve been closely monitoring these growing trends and helping organisations strengthen their defences against MFA bypass techniques. Here, we explore how MFA can be defeated and how to stay ahead of the curve.
Token Theft: What it is and how it works
Firstly, it’s important to understand how almost every website, portal or SaaS application keeps you logged in. Once you have successfully signed in, the site returns a ‘session token’, usually stored as a ‘cookie’, which sits silently in your web browser. The browser sends this token with every request you make, and that is what keeps you logged in. Attackers carry out token theft by positioning themselves between the victim and the legitimate login page, such as Office 365, in what’s known as a man-in-the-middle (MITM) attack.
The process begins with the attacker setting up a phishing scheme to lure the victim into visiting a fake Office 365 login page, often delivered through a convincing phishing email or link. This page mimics the legitimate Microsoft page, including the MFA prompts, to deceive the user. When the victim enters their credentials and MFA code, the attacker does not merely store that information: their proxy forwards it straight to Office 365 in real time, completing the genuine authentication process.
Once Office 365 validates the credentials and MFA, it issues the session token, which the attacker intercepts and uses to access Office 365 resources. The victim, unaware of the compromise, continues working as normal. With the stolen token the attacker never needs to log in again: they have instant access to services like Outlook, Teams, OneDrive and SharePoint, and the MFA challenge is never presented to them because the victim has already satisfied it.
Device Code Authentication: Another Growing Weakness
IoT devices, smart TVs, printers, and other non-traditional endpoints are becoming common in corporate networks. These devices often lack traditional input methods like keyboards, requiring alternative authentication methods, such as device code authentication.
While this approach simplifies access, it opens a door for attackers. Attackers initiate the device code authentication flow on their own device to generate a code.
They then send this code to a victim via phishing emails, fake IT support messages, or even Microsoft Teams chats, urging them to input the code into a legitimate Microsoft login page.
When the victim complies, they have unknowingly authorised the attacker’s device, which receives the access and refresh tokens for the victim’s account. The attacker can then reach services like Outlook, Teams, OneDrive and SharePoint without ever entering the victim’s password or passing an MFA challenge themselves.
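As an added illustration, not code from razorblue or this article, the following Python runs two detections over constructed sign-in records modelled loosely on the fields an identity provider’s sign-in log exposes. The first covers the token theft scenario above: a session token used from a different IP address or browser than the one that completed the MFA sign-in, shortly after issuance. The second covers device code phishing: a sign-in completed via the device code flow from a source address the user has never signed in from, by an account not expected to use headless devices. The field names, the sample events, the one-hour window and the allowlist are all assumptions, and the second check assumes the log’s IP field reflects the device that redeemed the code.

```python
"""Two detections over constructed sign-in records (not real logs).

  1. Token replay: the same session id appears from a different source IP or
     user agent than the one that completed the MFA sign-in, within a window.
  2. Device-code phishing: a deviceCode sign-in by an account outside the
     headless-device allowlist, or from an IP the user has never used before.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; IPs are from documentation ranges (RFC 5737).
SIGNIN_EVENTS = [
    {"time": "2024-05-01T08:00:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "ua": "Edge/124", "protocol": "browser", "mfa": True, "session": "S-1"},       # interactive MFA sign-in
    {"time": "2024-05-01T08:04:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "ua": "Edge/124", "protocol": "browser", "mfa": False, "session": "S-1"},      # normal token reuse
    {"time": "2024-05-01T08:06:30", "user": "alice@example.com", "ip": "198.51.100.77",
     "ua": "Chrome/123", "protocol": "browser", "mfa": False, "session": "S-1"},    # same token, new host
    {"time": "2024-05-01T09:00:00", "user": "bob@example.com", "ip": "203.0.113.22",
     "ua": "Edge/124", "protocol": "browser", "mfa": True, "session": "S-2"},
    {"time": "2024-05-01T09:30:00", "user": "bob@example.com", "ip": "198.51.100.5",
     "ua": "python-requests/2.31", "protocol": "deviceCode", "mfa": True, "session": "S-3"},
]

REPLAY_WINDOW = timedelta(hours=1)                       # assumed tuning value
HEADLESS_ALLOWLIST = {"meetingroom-tv@example.com"}       # accounts expected to use device code


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_token_replay(events):
    """Return (session, user, ip) for each use of a session token from a different
    IP or user agent than the MFA-satisfied sign-in that issued it, within REPLAY_WINDOW."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse(e["time"]))
        issued = next((e for e in evs if e["mfa"]), None)   # the interactive sign-in that minted the token
        if issued is None:
            continue
        for e in evs:
            if e is issued:
                continue
            age = parse(e["time"]) - parse(issued["time"])
            if timedelta(0) <= age <= REPLAY_WINDOW and (
                e["ip"] != issued["ip"] or e["ua"] != issued["ua"]
            ):
                alerts.append((session, e["user"], e["ip"]))
    return alerts


def detect_device_code_phishing(events):
    """Return (user, ip, time) for deviceCode sign-ins that are suspicious because the
    account is not allowlisted for headless devices or the source IP is new for that user."""
    seen_ips = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: parse(e["time"])):
        if e["protocol"] == "deviceCode":
            unexpected_account = e["user"] not in HEADLESS_ALLOWLIST
            new_source = e["ip"] not in seen_ips[e["user"]]
            if unexpected_account or new_source:
                alerts.append((e["user"], e["ip"], e["time"]))
        seen_ips[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(SIGNIN_EVENTS):
        print("token replay:", a)
    for a in detect_device_code_phishing(SIGNIN_EVENTS):
        print("device code phishing:", a)
```

In the sample data Alice’s token is flagged when it reappears from a second host a few minutes after she completed MFA, while her own follow-up request from the same browser is not; Bob’s device code sign-in is flagged both because his account is not one that should use headless devices and because the redeeming IP is new. In production the IP comparison would normally be relaxed to ASN or country to avoid noise from mobile networks.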
Business Impact
When attackers bypass MFA, the consequences can be far-reaching and severe. They may steal sensitive data, including critical files, intellectual property, and financial records, resulting in significant losses for the organisation.
With access to a compromised account, attackers can move laterally through the network, targeting other systems and escalating their privileges, further deepening their control.
Once inside, they often establish persistence, planting backdoors or leveraging compromised credentials to maintain long-term access, making it harder to detect and eliminate their presence. Beyond the immediate technical impact, public breaches can erode customer trust, damage the organisation’s reputation, and result in costly compliance penalties.
Defending Against MFA Bypass Exploits
Defending against MFA bypass attacks requires a multi-layered approach. Organisations should restrict access to Microsoft cloud services using Conditional Access policies, where rules can be put in place to help prevent these types of attack, for example by only allowing users to log in from a corporate managed device. Employee awareness is equally vital: regular cyber security training empowers staff to identify and avoid phishing attempts. Finally, all organisations should consider a comprehensive 24/7 managed security service, such as our Detect MDR service, which monitors for suspicious security events.
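To show why a managed-device requirement defeats both techniques above, here is a small, added model of Conditional Access evaluation written for this article; it is not Microsoft’s engine or policy schema, and the policy names, condition keys and sample sign-ins are constructed. Each policy lists the sign-ins it applies to and the controls it imposes; a sign-in is allowed only if no applicable policy blocks it and every applicable control is satisfied. The key point it illustrates is that device compliance is proven by the enrolled device itself, so a relaying proxy or an attacker’s own machine cannot satisfy it even though the victim has genuinely completed MFA.

```python
"""Simplified Conditional Access model (constructed illustration, not Microsoft's)."""

POLICIES = [
    {
        "name": "Block device code flow",
        "conditions": {"protocols": {"deviceCode"}},
        "controls": {"block"},
    },
    {
        "name": "Office 365 requires a compliant managed device",
        "conditions": {"apps": {"Office 365"}},
        "controls": {"compliantDevice", "mfa"},
    },
]


def applies(policy, signin):
    """A policy applies when every condition it states matches the sign-in."""
    c = policy["conditions"]
    if "protocols" in c and signin["protocol"] not in c["protocols"]:
        return False
    if "apps" in c and signin["app"] not in c["apps"]:
        return False
    return True


def control_satisfied(control, signin):
    # 'block' can never be satisfied; the others read the sign-in's proven attributes.
    return {
        "block": False,
        "mfa": signin["mfa"],
        "compliantDevice": signin["device_compliant"],
    }[control]


def evaluate(signin, policies=POLICIES):
    """Return (allowed, reasons). Controls from all applicable policies are ANDed together."""
    reasons = []
    for p in policies:
        if not applies(p, signin):
            continue
        for ctl in sorted(p["controls"]):
            if not control_satisfied(ctl, signin):
                reasons.append(f"{p['name']}: {ctl} not satisfied")
    return (not reasons, reasons)


# Constructed sign-in attempts.
MANAGED_LAPTOP = {"app": "Office 365", "protocol": "browser", "mfa": True, "device_compliant": True}
# AiTM relay: the victim really did pass MFA, but the proxy host is not an enrolled device.
AITM_PROXY = {"app": "Office 365", "protocol": "browser", "mfa": True, "device_compliant": False}
# Phished device code: the attacker's machine redeems the code; it is neither enrolled nor permitted the flow.
PHISHED_DEVICE_CODE = {"app": "Office 365", "protocol": "deviceCode", "mfa": True, "device_compliant": False}


if __name__ == "__main__":
    for label, s in [("managed laptop", MANAGED_LAPTOP), ("AiTM proxy", AITM_PROXY),
                     ("phished device code", PHISHED_DEVICE_CODE)]:
        print(label, evaluate(s))
```

Only the managed laptop is allowed; the relayed sign-in fails on the device control despite valid credentials and MFA, and the device code attempt fails on both the block rule and the device control. Dropping the compliant-device control from the second policy would let the AiTM case through, which is exactly the gap the article describes.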
How razorblue Can Help
At razorblue, we offer a comprehensive range of services to help businesses strengthen their defences and stay ahead in today’s ever-changing cyber threat landscape. Let razorblue be your trusted partner in cybersecurity. Contact us today to discover how we can safeguard your organisation from evolving threats.
Richard Bullock
Head of Cybersecurity, razorblue