Phishing-Resistant MFA Proves Again That Weak Links Should Be Layered with Defense
Cybersecurity is a constant game of the cat chasing the mouse. The cat (a business) continues to believe that with each new plan of attack (i.e., security strategy or tool), it will finally be able to catch the mouse or, in this case, harden its security posture enough to prevent the mouse (a bad actor) from stealing the cheese (penetrating infrastructure). However, as Tom and Jerry have shown us, it’s a near-impossible task, and the cat always comes up short, no matter how clever or foolproof its plan seems.
No specific example illustrates this better than multi-factor authentication (MFA). Although it was once hailed as the best solution to combat and protect against an onslaught of phishing attacks, one of the biggest cyber issues of all, the ever more inventive mouse (threat actor) has now found a way to exploit MFA, making the cheese (credentials and session) easy to steal regardless of the trap.
So, what should companies do if MFA, which has been offering solid protection since the early 2000s, is no longer enough?
How MFA became the go-to solution
Threat actors are evil; there’s no doubt about that. But in truth, the biggest issue of online fraud is human error, which often happens from within a company and without any malicious intent. Employees move through their days quickly and often let down their guard, carelessly clicking a link or visiting a website, opening the gates for hackers.
When MFA was first introduced decades ago, many consumers felt it was too cumbersome to use regularly, and corporations found it too expensive and complex to implement. Early two-factor authentication (2FA) required a user to carry a key fob that displayed a short numerical code, which had to be appended to the password before the user could enter a protected system. It was a clumsy process with too much friction for mass adoption.
In 2004, as phishing scams were on the rise, Bill Gates predicted that a single password would no longer be sufficient as a means of protection and that identity management would become a significant headache for security professionals. Of course, he was right. As account-based services grew, so did hacking attempts, many initiated through phishing scams.
Just six years later, Google revealed that it had been the target of hacking from the Chinese government, which was intent on gaining access to email accounts belonging to human rights activists. The discovery led Google to alter its security practices. Within the year, the company introduced 2FA to business accounts, followed by personal accounts a few months later. With the introduction of the smartphone and easy access to Google’s authentication app, much of the friction was removed.
MFA was able to prevent many phishing breaches by requiring people to enter at least two security factors such as knowledge (a password), possession (something you have like a mobile device), and inherence (like biometrics). The combination of unique pieces of information created what was, for decades, a secure layer of defense that hackers couldn’t bypass.
The MFA attack that shook the security world
Like all other security systems and tools, hackers eventually found a loophole for bypassing MFA. Recently, Microsoft announced that over 10,000 businesses were the targets of a massive series of phishing attacks, allowing hackers to access inboxes via follow-on business email compromise (BEC) attacks.
Hackers hijacked the Microsoft Office 365 authentication process, including sign-ins that required MFA, by using landing pages that spoofed the Office authentication page. Many attacks used phishing emails with HTML attachments that acted as HTML redirectors, sending the victim through a man-in-the-middle proxy that relayed the real sign-in while capturing the credentials and the resulting session cookies. Because the stolen session cookie already represents a completed authentication, the attackers could skip the sign-in process, MFA included, and launch BEC campaigns from the hijacked mailbox.
Don’t discount MFA, bolster it
When police solve crimes, they rely on multiple pieces of evidence – eyewitness reports, DNA, crime scene materials, etc. No one piece of evidence is ever enough. Proper cybersecurity needs to be addressed in the same way with a multitude of layers, tools, and solutions.
There are several tactics security professionals can turn to. The first is to use phishing-resistant MFA, which relies on certificate-based authentication and FIDO2 (Fast Identity Online 2.0) authenticators; because these credentials are bound to the legitimate site’s origin, a spoofed login page cannot relay them. Additionally, security professionals should implement conditional access policies that block a session when a stolen cookie is replayed from an unexpected device or network. Monitoring systems for suspicious sign-ins needs to become routine.
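The following is an added example, not code from the original article or from Microsoft, showing what the last two tactics look like in practice: a small conditional-access style check that evaluates each use of a session cookie against the sign-in that issued it (network and client must match), and a report of which sessions were established with a phishable MFA method. The event format, field names, the /24 network comparison and the method names `fido2`, `certificate` and `sms_otp` are assumptions chosen for the illustration; the events themselves are constructed sample data.

```python
import ipaddress
from datetime import datetime

# Constructed sample sign-in and access events (not real telemetry).
# A "signin" event issues a session cookie; "access" events present it later.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00Z", "type": "signin", "user": "alice@example.test",
     "session": "sess-a1", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/103", "mfa": "fido2"},
    {"ts": "2022-07-12T09:02:00Z", "type": "access", "user": "alice@example.test",
     "session": "sess-a1", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/103"},
    {"ts": "2022-07-12T09:01:00Z", "type": "signin", "user": "bob@example.test",
     "session": "sess-b7", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103", "mfa": "sms_otp"},
    {"ts": "2022-07-12T09:01:30Z", "type": "access", "user": "bob@example.test",
     "session": "sess-b7", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # Bob's cookie presented minutes later from an unrelated network and client:
    # the pattern a replayed, stolen session cookie produces.
    {"ts": "2022-07-12T09:09:00Z", "type": "access", "user": "bob@example.test",
     "session": "sess-b7", "ip": "198.51.100.77", "ua": "python-requests/2.28"},
    # A cookie that no sign-in in this log window ever issued.
    {"ts": "2022-07-12T09:10:00Z", "type": "access", "user": "carol@example.test",
     "session": "sess-zz", "ip": "198.51.100.78", "ua": "curl/7.84"},
]

# Assumed labels for MFA methods. Only origin-bound methods count as
# phishing-resistant; codes typed into a web page can be relayed by a proxy.
PHISH_RESISTANT_METHODS = {"fido2", "certificate"}


def _parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def build_sessions(events):
    """Map each session id to the sign-in that issued it."""
    sessions = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "signin":
            sessions[e["session"]] = {
                "user": e["user"], "ip": e["ip"], "ua": e["ua"],
                "mfa": e["mfa"], "ts": _parse_ts(e["ts"]),
            }
    return sessions


def evaluate_access(event, session):
    """Decide whether one cookie presentation is consistent with its sign-in.

    Returns (action, reason). The binding rule is an assumption: the client
    must stay within the sign-in's /24 network and keep the same user agent.
    """
    if session is None:
        return "block", "session cookie was never issued by a recorded sign-in"
    reasons = []
    issued_net = ipaddress.ip_network(session["ip"] + "/24", strict=False)
    if ipaddress.ip_address(event["ip"]) not in issued_net:
        reasons.append("ip outside sign-in network")
    if event["ua"] != session["ua"]:
        reasons.append("user agent changed")
    if reasons:
        return "block", "; ".join(reasons)
    return "allow", "client matches sign-in"


def find_anomalies(events):
    """Run the conditional-access check over every access event and
    return the blocked ones, in time order, for the monitoring queue."""
    sessions = build_sessions(events)
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "access":
            continue
        session = sessions.get(e["session"])
        action, reason = evaluate_access(e, session)
        if action == "block":
            age_min = None
            if session is not None:
                age_min = (_parse_ts(e["ts"]) - session["ts"]).total_seconds() / 60
            findings.append({"session": e["session"], "user": e["user"],
                             "action": action, "reason": reason,
                             "minutes_since_signin": age_min})
    return findings


def weak_mfa_sessions(sessions):
    """List sessions whose sign-in used a method a proxy page could relay."""
    return [sid for sid, s in sorted(sessions.items())
            if s["mfa"] not in PHISH_RESISTANT_METHODS]


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_EVENTS):
        print(f)
    print("sessions established with phishable MFA:",
          weak_mfa_sessions(build_sessions(SAMPLE_EVENTS)))
```

Run as a script it prints the two blocked presentations (Bob's cookie replayed from another network and client, and Carol's unissued cookie) and reports that Bob's session was established with SMS codes rather than a phishing-resistant method. In a real deployment the network and user-agent comparison would be replaced by the identity provider's own session and device signals, but the shape of the decision is the same: a cookie is only as trustworthy as the match between where it was issued and where it is being used.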
When combined, all of those practices can provide a proactive security structure. They may not enable the cat to kill the mouse outright, but they will undoubtedly handicap the mouse enough to trap it and stop it in its tracks before it can do real damage.
Security in a changing world
According to Verizon’s 2021 Data Breach Investigation Report, phishing is one of the most prominent security threats, accounting for 36% of last year’s security threats, up from 25% in 2020. As companies continue to employ dispersed teams, scale cloud operations and expand their attack surfaces, security needs to be top-of-mind every day, all day.
Remember, MFA isn’t a weak tool. Don’t throw the baby out with the bathwater. It still serves as an essential security measure and hopefully catches people’s attention, heightening their awareness. After the Microsoft attacks, what professionals should consider is that MFA should be a single part of a varied, tech-agnostic stack coupled with multiple tried and proven security processes.
Tools and services are a means to an end; ultimately, it’s how a company uses its entire security tech stack that will guarantee its security or present it with surprising security pitfalls. By continually examining security posture through the lens of “always assume you’ve already been hacked,” security experts can evaluate procedures, discover vulnerabilities, and put the right measures in place to exterminate the mice.