Legacy protocols used to bypass Microsoft 365 MFA

Vulnerabilities in a legacy protocol and Identity Provider Solutions can be exploited by attackers to bypass multi-factor authentication (MFA) for Microsoft 365, researchers have found.

Critical vulnerabilities were discovered by security vendor Proofpoint in cloud environments that have the Web Services Trust (WS-Trust) authentication protocol enabled, which - if exploited - would give attackers full access to victim accounts including mail, files, contact and other data.

Proofpoint said that successful attacks on WS-Trust systems that take advantage of buggy Identity Provider systems could spoof internet protocol addresses with simple request header manipulation to bypass MFA.

Changing the web browser user-agent header could trick the Identity Provider to misidentify the WS-Trust protocol and think the newer Modern Authentication method is being used instead.

The security protocol is part of the Web Services family of standards, and approved by the Organisation for the Advancement of Structured Information Standards (OASIS).

Microsoft deprecated use of WS-Trust authentication in February this year, calling the protocol "inherently insecure by current encryption standards."

"The WS-Trust security protocol, when used in conjunction with a user account and password, implements an authentication flow that presents both the user Id and password to the authenticating resource in 'clear text' form, relying solely on the transport encryption to provide security for the initial leg of the authentication, until such point as the token service returns an authentication token to use," Microsoft said.

By next month, WS-Trust will be retired for new Office 365 tenants, but the security protocol won't be dropped fully until April 2022.

Leveraging legacy email protocols that don't support MFA such as POP and IMAP can also bypass the additional authentication layer for attacks on cloud accounts, Proofpoint said.

Other ways to bypass MFA include real-time phishing, Proofpoint said.

This involves an attacker setting up a proxy that mimics the authentic website victims try to log into, but which instead captures users' credentials. 

Hijacking MFA codes sent out of band to phones and computers using malware can also result in compromise.

Having better monitoring to detect account compromise and to remediate attacks may help to mitigate MFA bypasses, which has become an increasing concern as staff work from home during the COVID-19 pandemic, the security vendor said.