The truth behind MFA and 365 security

An example of how MFA didn’t save the day, and an account with MFA was compromised.

MFA and 365 security is part of a journey. The first step of that journey is the discovery that security isn’t a binary situation. The question shouldn’t be “are we secure?”, but rather “how secure are we?”. Seeing security from this perspective is critical to maintaining a healthy level of safety. MFA (Multi-Factor Authentication) involves extra steps to help prove that it is really you trying to access a system. This is part of the security process, but it isn’t the only process, and it is far from bullet-proof.

When undertaking a security review, we often hear comments along the lines of: “We have MFA, so we should be good”. The first comment I need to make to this type of statement is that from experience it is almost always incorrect. Many times some users in an organisation have coverage, but it is almost never complete. At the time of writing, upon initial engagement we are yet to find an organisation that has MFA set up, activated and enforced on every account. Even when enforced, there are often accounts whose users have not yet logged in and completed the MFA setup. CatchBefore is fantastic at raising awareness of gaps within MFA, and helping to achieve complete MFA coverage.

Once 100% MFA coverage is achieved, the security task is not yet complete. There are other areas that can provide access to data (bypassing MFA), and even accounts with MFA enabled and enforced are not completely secure. As an example of this: one of our clients had MFA set up on all their users, and they still ended up with a compromised account. A suspicious login was promptly detected by CatchBefore. This turned into a notification for the client to review, and at this point it was clear that there was unapproved activity on the account. Our team helped regain control, and restored the account to health. How did this attack happen? It appears that the password used by the client was compromised, and an MFA authentication request may have been inadvertently (accidentally) approved by the end user.

The compromise was only discovered due to the suspicious login detection features of CatchBefore. Another benefit of early detection was the speed in which the situation was corrected, limiting further impact.
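The scenario above (a valid password, an MFA prompt that was approved anyway, and a login that only stood out because it was monitored) is the kind of thing a suspicious-login check is built to catch. The following is an added illustration of that idea, not CatchBefore's code and not the client's logs: it runs two simple checks over constructed sign-in records shaped loosely after Microsoft 365 / Entra ID sign-in log fields (the field names `user`, `ip`, `country`, `result` and `mfa` are assumptions for the example). A successful sign-in is flagged when it comes from a country the user has not signed in from in the last 30 days, or when it follows a burst of failed attempts. Note that the flagged sign-in has MFA satisfied, which is exactly why MFA status alone cannot be the whole story.

```python
"""Flag suspicious Microsoft 365 sign-ins even when MFA was satisfied.

Added example: constructed records, hypothetical field names, no real
client data. Two checks are applied to every successful sign-in:
  1. new country compared with the user's successes in the baseline window
  2. a burst of failed attempts shortly before the success
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: alice normally signs in from AU, then on 4 March
# a success from a new country follows three failed attempts and an MFA
# approval. bob is a control user with only routine sign-ins.
SAMPLE_SIGNINS = [
    {"time": "2024-03-01T08:02:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "success", "mfa": "satisfied"},
    {"time": "2024-03-02T08:05:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "success", "mfa": "satisfied"},
    {"time": "2024-03-03T08:01:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "AU", "result": "success", "mfa": "satisfied"},
    {"time": "2024-03-04T02:00:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "RU", "result": "failure", "mfa": "not_attempted"},
    {"time": "2024-03-04T02:01:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "RU", "result": "failure", "mfa": "not_attempted"},
    {"time": "2024-03-04T02:02:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "RU", "result": "failure", "mfa": "not_attempted"},
    {"time": "2024-03-04T02:05:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "country": "RU", "result": "success", "mfa": "satisfied"},
    {"time": "2024-03-01T09:00:00", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "AU", "result": "success", "mfa": "satisfied"},
    {"time": "2024-03-04T09:10:00", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "AU", "result": "success", "mfa": "satisfied"},
]


def parse_time(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def detect_suspicious(records, baseline_days=30, fail_window_min=30, fail_threshold=3):
    """Return a list of alerts for successful sign-ins that look out of place.

    Records are grouped per user and processed in time order, so every check
    only looks at events that happened before the sign-in under review.
    """
    alerts = []
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_user[rec["user"]].append(rec)

    for user, recs in by_user.items():
        for index, rec in enumerate(recs):
            if rec["result"] != "success":
                continue
            now = parse_time(rec["time"])
            earlier = recs[:index]

            # Check 1: successes in the baseline window define "known" countries.
            baseline = [p for p in earlier if p["result"] == "success"
                        and now - parse_time(p["time"]) <= timedelta(days=baseline_days)]
            known_countries = {p["country"] for p in baseline}
            reasons = []
            if baseline and rec["country"] not in known_countries:
                reasons.append(f"new country {rec['country']} "
                               f"(known: {sorted(known_countries)})")

            # Check 2: a burst of failures right before the success suggests
            # password guessing or stuffing that finally got through.
            recent_failures = [p for p in earlier if p["result"] == "failure"
                               and now - parse_time(p["time"]) <= timedelta(minutes=fail_window_min)]
            if len(recent_failures) >= fail_threshold:
                reasons.append(f"{len(recent_failures)} failed attempts "
                               f"in prior {fail_window_min} min")

            if reasons:
                alerts.append({"user": user, "time": rec["time"], "ip": rec["ip"],
                               "mfa": rec["mfa"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious(SAMPLE_SIGNINS):
        print(f"{alert['time']} {alert['user']} from {alert['ip']} "
              f"(mfa={alert['mfa']}): {'; '.join(alert['reasons'])}")
```

Running it against the constructed data produces a single alert for alice's 02:05 sign-in, with MFA shown as satisfied and both reasons attached; bob produces nothing. In practice the baseline would be built from real sign-in history and the alert would feed a review step, which is the part of the story above that actually limited the impact.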

What is the lesson from this issue? MFA and 365 security is fantastic, but it isn’t a complete security solution. Undertaking regular security monitoring can also play a critical role in helping you manage your 365 security risks.
