Two-factor auth totally locks down Office 365? You may want to check all your services...

Hackers can potentially obtain access to Microsoft Office 365 emails and calendars even if multi-factor-authentication is in place, we were warned this week. Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems that aren' …

  1. Grikath

    This all may seem obvious, but apparently people are being stung by it.

    The one thing not clear from the article, outside the thinly veiled sarcasm, is whether these were cases of IT not closing down legacy stuff after migration, case (a) because beancounters being beanies and refusing to fund such an obvious measure, or said Managers being ...well....managers... and clicking Linkies they shouldn't have.

    makes a difference...

  2. -tim
    Facepalm

    2FA?

    There are strict rules about proper 2-factor authentication: you must pick two out of the set of 1) something you know, 2) something you have and 3) something you are. Most compliance frameworks require the "pick any two" but not two of the same.

    Mathematically, most of the "something you have" turns out to be "something you know", and if that can be shared in any way, such as restoring it to a new phone, all that you have done is doubled down on the "something you know", even if what is known is too much for most people to remember. One of the key bits of "something you have" is that it needs to be unique. Once you can duplicate a token system on a phone, for example, that fits in as something known, not something held, and should be treated as a hopefully strong password stored in a password vault.

    A major issue with 2FA is that all the old systems stuff needs to be tied in, and most of the newer solutions just can't be made to work with older hardware, which introduces major weaknesses in the total system. If the corporate phone system is controlled by a 4-digit PIN, or a core router can be asked to shift packets around where they aren't meant to go, the rest of the system might have already been compromised.

    1. Paul Crawford Silver badge

      Re: 2FA?

      Another big factor (if you pardon the pun) is the number of people using their phone for both the internet access part (i.e. user-name/password entry) AND for the 2nd factor (e.g. text message code) so once again the phone becomes a single point of failure in security terms.

      1. Jason Hindle

        Re: 2FA?

        Guilty as charged, though the phone in question is encrypted and protected with a six digit passcode. I’m no security expert, but I did wonder about that.... If someone gets my password and phone, they could simply put the SIM card into a different phone and activate my account on there. Google partly mitigates this by sending a warning to all devices, but I don’t yet have enough exposure to the Microsoft way of doing things (just use the Microsoft Authenticator app on the corporate Samsung).

        Incidentally, in the finance scams described in the article, there was a human factor that goes well beyond the basic software security. I expect our SVP and his finance counterpart would both scoff at the idea of transferring any significant amount of money without first flapping gums.

    2. Christian Berger

      Re: 2FA?

      Well, if you allow "something you know" and "something you are", your standard username/password combination would work perfectly, as your username is something you are, and the password is something you know.

      Same goes for biometry where you have a public element like your fingerprints (which you leave everywhere) or features like the look of your iris (which everyone can see) and combine that with something you know.

      On about the same level are cellular phones as "second factor". While hypothetically you could build a moderately secure one... if you wrote secure GSM/UMTS/LTE stacks for them, but no one has bothered to do that so far. Adding insult to injury there are now application processors which run highly complex OSes of their own and nudge you into running only code from manufacturer controlled malware ridden "Appstores".

      In any case, we are talking about a web service. Using actual 2FA (like with public keys stored on your computer or a smart card) is like putting a high security padlock on a paper bag.

  3. razorfishsl

    Tell you how fucking stupid MS is.....

    We obtained our licenses using a .net domain name for a .com domain.

    4 years later despite MULTIPLE attempts to stop them sending admin data to the .net domain, they STILL do it.

    We delete the admin@nxxx.net and a week later they put it back.

    1. Martin Summers Silver badge

      Great and this is relevant to the article how? This article doesn't even point out any fault with Microsoft either.

  4. Richard Jones 1
    Joke

    Where is all this 'lost' Money?

    With all this money being 'lost', why can I never find so much as a single cent?

    1. Rich 11

      Re: Where is all this 'lost' Money?

      Have you tried looking down the back of the settee?

      1. Paul Herber Silver badge

        Re: Where is all this 'lost' Money?

        SOFA - Security Of Financial Activities

  5. Anonymous Coward
    Anonymous Coward

    Didn't Office 365 have an "Activities" API up until recently?

    https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/

  6. Doctor Syntax Silver badge

    "the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted"

    This should also have needed pre-arranged 2FA, a written instruction and a spoken instruction, either in person or by phone. For transfers above a given limit the phone instruction should require the CFO to call back for confirmation.

    Yes, it requires a few minutes of CxO time but even CxO time isn't really priced at that level is it? The board should really have asked questions about that. Questions such as "How can you justify your continued employment?" and "How are you going to pay back what your carelessness lost?"

    1. phuzz Silver badge
      Facepalm

      "How are you going to pay back what your carelessness lost?"

      That's optimistic, I'd assume the solution would be no bonuses for anyone below boardroom level. After all, think of the emotional distress that poor CFO endured, he probably deserves a raise.

  7. Anonymous Coward
    Anonymous Coward

    Wow. Click bait.

    Exchange allows multiple protocols to connect to it, including legacy protocols like SMTP, POP3, IMAP etc. It also includes older MS Office clients which were built before modern authentication methods were developed. This is well documented, and Microsoft guidance is to disable access via these protocols through ADFS or Conditional Access. Microsoft's own mobile client, Office apps, and all browsers support modern auth and CA rules. It's the org's choice what they choose to support as part of their security posture.

    What is more concerning is how Proofpoint's unimpressive CASB is supposed to solve this problem. It won't, and they lack a world class Identity and Access Management solution (unlike Microsoft, who has Azure AD) to truly address identity.

    Brute force, password spray attacks and other identity attacks are dramatically rising. I agree. But use the right technology to address it; this is just a marketing campaign to try to dupe people into believing a 2nd class CASB is the answer. If you want identity protection, use Azure AD. If you want a CASB, well, Microsoft has that too and it integrates nicely with O365.

    1. sitta_europea Silver badge

      Re: Wow. Click bait.

      "Exchange allows multiple protocols to connect to it, including legacy protocols like SMTP, POP3, IMAP etc. ..."

      SMTP is a legacy protocol? Interesting.

      Exchange can't even get SPF right.

      1. TheVogon

        Re: Wow. Click bait.

        "Exchange can't even get SPF right."

        ? SPF worked just fine in the many organisations I have worked for.

      2. P. Lee

        Re: Wow. Click bait.

        IMAP is legacy? OK, you should run it over TLS, but that would seem to be a disingenuous distinction.

        Maybe legacy=non-proprietary?

    2. Anonymous Coward
      Anonymous Coward

      Re: Wow. Click bait.

      Our site allows webmail (OWA) and there's no 2FA with that. For anyone who doesn't know, with OWA you log in with domain name, Windows user name, and password. The Windows user name is easily guessable from the e-mail address. The only thing that's holding the hordes out is the domain name itself which is inevitably going to leak out if it hasn't already and isn't too difficult to guess.

      Our phishing advice is not to trust external domains. If that advice were followed, nobody could do their work because we use about ten of them. Users use their corporate e-mail address or Windows user name to log into these domains, and they'll probably end up using their Windows password as the password for everything because some external domains use Windows SSO which does require the Windows password, and some don't.

      Unless the company gives everyone SecurID or similar or gives everyone a corporate mobile with some 2FA app on it, this won't get fixed. And that's not going to happen because it costs too much. Certainly MS' alleged "world class Identity and Access Management solution" doesn't address these problems.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wow. Click bait.

        Microsoft's IAM solution absolutely does deal with all the issues that you have just described.

        Exchange Online OWA can be protected with cMFA.

        Applications and services using SSO or federation to Azure AD can be protected with cMFA.

        Azure IaaS and on-premises applications that federate to 'traditional' Active Directory can be protected by Azure Multi-Factor Authentication.

        Your organisation failing to turn on the features provided to them is not Microsoft's fault.
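The Anonymous Coward comment above explains the actual mechanism behind the article: legacy protocols (IMAP, POP3, SMTP, older Office clients) authenticate with username and password only, so Conditional Access and MFA never get a say, and the follow-up points out that OWA and federated apps are only protected once cMFA is actually switched on. A defender's first question is therefore "which of my sign-ins are arriving that way?". The script below is an added example for this thread, not code from The Register, from Microsoft or from any commenter. It reads newline-delimited JSON sign-in records and flags those that came in over a basic-auth client or without a second factor. The field names (clientAppUsed, authenticationRequirement, conditionalAccessStatus, status.errorCode) and the client-app labels are my understanding of the Azure AD sign-in log schema and should be treated as assumptions to check against a real export; the records themselves are constructed.

```python
"""Flag Office 365 sign-ins that reached the mailbox through a legacy
(basic-auth) protocol or without a second factor.

Added example for this thread, not code from The Register, from Microsoft or
from any commenter. Field names and client-app labels are assumptions based
on the Azure AD sign-in log schema; sample records are constructed.
"""
import json

# Client-app labels that mean basic authentication was used. A basic-auth
# client never gets an MFA or Conditional Access challenge, which is the
# bypass the article describes. Assumed label set; verify in your own logs.
LEGACY_CLIENT_APPS = {
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange ActiveSync",
    "Outlook Anywhere (RPC over HTTP)",
    "Other clients",
}

# Constructed newline-delimited JSON sign-in records (not real log data).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "cfo@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "cfo@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success", "ipAddress": "203.0.113.22", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Reasons a sign-in deserves attention; an empty list means it is fine."""
    reasons = []
    if record.get("clientAppUsed") in LEGACY_CLIENT_APPS:
        reasons.append("legacy-protocol")
    if (record.get("authenticationRequirement") == "singleFactorAuthentication"
            and record.get("conditionalAccessStatus") != "success"):
        reasons.append("no-mfa")
    return reasons


def find_mfa_bypass(records):
    """Return one finding per sign-in that sidestepped MFA/Conditional Access.

    Failed attempts are kept too: a burst of failures over a legacy protocol
    is the usual shape of a password spray, even when no account fell.
    """
    findings = []
    for rec in records:
        reasons = classify(rec)
        if not reasons:
            continue
        error_code = rec.get("status", {}).get("errorCode", -1)
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "client": rec["clientAppUsed"],
            "reasons": reasons,
            "succeeded": error_code == 0,
        })
    return findings


def exposed_users(findings):
    """Accounts with at least one *successful* sign-in that bypassed MFA."""
    return sorted({f["user"] for f in findings if f["succeeded"]})


if __name__ == "__main__":
    found = find_mfa_bypass(parse_signins(SAMPLE_SIGNINS))
    for f in found:
        print(f"{f['user']:20} {f['client']:20} {','.join(f['reasons']):25} "
              f"{'OK' if f['succeeded'] else 'FAILED'} from {f['ip']}")
    print("Accounts exposed:", exposed_users(found))
```

On the constructed data the CFO's browser sign-in passes cleanly, but the same account also has a successful IMAP4 sign-in from a different address that never saw MFA, which is exactly the case where "we have 2FA on" gives false comfort. The failed SMTP attempt from the same address is kept as a spray indicator. Once legacy auth is blocked tenant-wide, this report should go quiet; if it does not, something is still allowed through.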

  8. Kev99 Silver badge

    There's an old expression about secrets - The only way to keep a secret between two people is to kill one of them. This holds true with computer security.

    1. TheVogon

      "The only way to keep a secret between two people is to kill one of them. This holds true with computer security."

      You could have half the secret each?

  9. katrinab Silver badge

    There's an easier way

    Someone registered a mis-spelled version of our domain name, and used it to send an email apparently from the CEO requesting a money transfer.

    Our CEO just does not do this, so he got a very confused member of staff asking what she was supposed to do with the request.

    1. Doctor Syntax Silver badge

      Re: There's an easier way

      "Our CEO just does not do this"

      That's the way to deal with the problem.

  10. jason 7

    I'm setting up a consultancy firm...

    we will be pushing a revolutionary idea that will beat all the cyber attacks.

    The totally paper office.

    At least the f*ckers have to have the balls to physically break into the office!

  11. Anonymous Coward
    Anonymous Coward

    And I have access to two O365 networks with tons of addresses. Perhaps I should do an "anti-phishing" campaign where I mass-mail everyone about this issue.

    That is, because

    1- Both have 2 Factor Authentication disabled by their incompetent sysadmins

    2- I already managed to gain admin rights with a pico phishing campaign just to see how bad things could get (admin gave me admin password and I just had to ask, that was delightful)

    Almost every week we hear about compromised networks, compromised data and all, and we hear about encryption, better security... but we still haven't patched the most important security flaw that plagues electronic systems since their conception:

    Digital illiteracy and plain stupidity.

    Any random guy can get anything on the internet, provided he uses the right words. But still, people who have critical data and important accounts are still not taught how to secure their systems. In schools, college and university, some curriculums have classes to teach you how to use O365. Part-time "technological actualization" classes teach you how to use Windows 10 and Office 2016 (or whatever Linux and LibreOffice your enterprise uses).

    But you are never taught how to secure your stuff. You are never taught about attacks, phishing, viruses... And some, if not most, office workers hate their job so much they won't waste time asking someone about computer security.

    1. P. Lee

      Re: Digital illiteracy and plain stupidity.

      Actually, if you use proper 2FA like SecurID with physical tokens and you run a proper VPN, then most of these problems evaporate.

      Ah, you don't want to spend on security? It's slightly inconvenient? Well now we know how much your company values the services it exposes.

  12. Pascal Monett Silver badge
    Thumb Down

    I always love these tales of companies losing money because of a mail

    It tells me two things:

    1) the company is not using a CRM, does not have client/supplier account numbers on file and

    2) nobody bats an eye when getting a mail telling them to wire money to account 0123456789, instead of "wire this amount to client/supplier XXXX using the already recorded IBAN we have"

    They deserve everything they get.

    1. katrinab Silver badge

      Re: I always love these tales of companies losing money because of a mail

      It tells me that the CEO doesn't follow their own rules
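Pascal Monett's point above (and Doctor Syntax's earlier one about pre-arranged checks for transfers) is that a mail saying "wire this to account 0123456789" should never be actionable on its own: payments go to a supplier on file, using the IBAN already recorded for that supplier. The script below is an added example for this thread, not code from The Register or from any commenter, showing that rule as a check a payments system or approval workflow could enforce. Supplier records and requests are constructed; the IBAN on file is the widely published example IBAN, not a real account, and the mod-97 checksum routine is the standard ISO 13616 check.

```python
"""Validate a payment request against the supplier master file instead of
trusting account details typed into an e-mail.

Added example for this thread, not code from The Register or any commenter.
Supplier records and requests are constructed; the IBAN is the public
example IBAN, not a real account.
"""

# Supplier master data: payments are only ever made to a supplier on file,
# using the IBAN recorded there (constructed record).
SUPPLIERS = {
    "ACME-0042": {"name": "Acme Ltd", "iban": "GB82 WEST 1234 5698 7654 32"},
}

# Constructed requests, in the shape an approver might receive them.
REQUESTS = [
    # The scam e-mail: a bare account number and no supplier reference.
    {"amount": 250000, "currency": "EUR", "iban": "XX00 PLACEHOLDER 0123 4567 89"},
    # A proper request: supplier reference only; the IBAN comes from the file.
    {"amount": 1200, "currency": "GBP", "supplier_id": "ACME-0042"},
    # "Our bank details have changed" against a known supplier.
    {"amount": 1200, "currency": "GBP", "supplier_id": "ACME-0042",
     "iban": "GB00 WEST 0000 0000 0000 00"},
]


def normalise_iban(iban):
    """Strip spaces and upper-case so presentation differences do not matter."""
    return iban.replace(" ", "").upper()


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer must be 1 mod 97."""
    s = normalise_iban(iban)
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def validate_payment_request(request, suppliers=SUPPLIERS):
    """Return (approved, reason).

    A request must name a supplier on file. If it carries an IBAN at all, that
    IBAN must equal the recorded one; a request can never *replace* it, which
    is what the "our bank details have changed" e-mail is trying to do.
    """
    supplier_id = request.get("supplier_id")
    if not supplier_id:
        return False, "no supplier reference: free-form account details are not accepted"
    supplier = suppliers.get(supplier_id)
    if supplier is None:
        return False, f"unknown supplier {supplier_id!r}"
    if not iban_is_valid(supplier["iban"]):
        return False, f"recorded IBAN for {supplier_id!r} fails checksum; fix master data first"
    if "iban" in request and normalise_iban(request["iban"]) != normalise_iban(supplier["iban"]):
        return False, f"IBAN in request does not match the one on file for {supplier_id!r}"
    return True, f"pay {supplier['name']} using the recorded IBAN"


if __name__ == "__main__":
    for req in REQUESTS:
        approved, reason = validate_payment_request(req)
        print("APPROVE" if approved else "REJECT ", "-", reason)
```

Changing the recorded IBAN is then a separate, deliberately slow process (the call-back to a known number that Doctor Syntax describes), not something an approver does inline with a payment. The checksum test on the master record is there so that a typo or a tampered master file is caught before money moves, not after.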

  13. Gerard 1

    iOS DOES support Modern Authentication

    "The tech can't support native iOS/Android mail clients, etc"

    Since iOS 11, the native client has supported modern authentication. The Outlook app is still preferred but you can use native.
