Bugs in the multi-factor authentication system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system, according to researchers at Proofpoint.
The flaws exist in the implementation of the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365, formerly called Office 365. WS-Trust is an OASIS standard that extends WS-Security; it is used for renewing and validating security tokens and for brokering trust relationships as part of a secure message-exchange architecture.
The Organization for the Advancement of Structured Information Standards (OASIS) is a non-profit consortium that promotes open standards in security.
The issue, researchers said, is that WS-Trust is an “inherently insecure protocol” and that Microsoft Identity Providers (IDPs) implemented the specifications with various bugs.
“Due to the way Microsoft 365 session login is designed, an attacker could gain full access to the target’s account (including mail, files, contacts, data and more),” wrote Itir Clarke, senior product marketing manager for Proofpoint’s Cloud Access Security Broker, in a report posted online Tuesday. “Furthermore, these vulnerabilities could also be used to gain access to various other Microsoft-provided cloud services, including production and development environments such as Azure and Visual Studio.”
She said Microsoft’s implementation of the standard gives attackers a number of ways to bypass MFA and access its cloud services, paving the way for various attacks, including real-time phishing, channel hijacking and the use of legacy protocols.
“In some cases, an attacker could spoof [an] IP address to bypass MFA via a simple request header manipulation,” she wrote. In another case, Clarke said, an attacker could alter the user-agent header and cause the Identity Provider to misidentify the protocol.
“In all cases, Microsoft logs the connection as ‘Modern Authentication’ due to the exploit pivoting from legacy protocol to the modern one. Unaware of the situation and the risks involved, the administrators and security professionals monitoring the tenant would see the connection as made via Modern Authentication.”
Proofpoint said it tested a number of IDP solutions, identified those that were susceptible and mitigated the issues.
The WS-Trust protocol, Proofpoint said, exposes Microsoft 365 cloud services to multiple attack scenarios. One is spoofing an IP address to bypass MFA via a simple request-header manipulation.
In another, an attacker alters the user-agent header, causing the IDP to misidentify the protocol and believe it is using Modern Authentication, Clarke wrote.
MFA, A Growing Target
With many organizations relying more on the use of the cloud due to increased work-at-home scenarios because of the COVID-19 pandemic, MFA is becoming a “must-have security layer” to protect these environments from the myriad threats that have cropped up, Clarke noted.
“Employees started accessing corporate applications from personal and unmanaged devices,” she wrote. “And they started spending more time on their corporate devices at home, reading potentially malicious personal emails, or browsing risky websites.”
Increased reliance on MFA also means, however, that the feature is even more attractive for threat actors to exploit as a way into corporate networks, making mitigation of vulnerabilities that affect MFA critical to security, Clarke added. This could mean organizations must add other protections to mitigate risks and attacks, such as combining MFA and threat visibility to secure cloud environments, she said.
Indeed, the flaws identified by Proofpoint aren’t the first time attackers have exploited the use of MFA in Office 365. Researchers at Cofense observed a phishing campaign in May that also bypassed MFA in the cloud collaboration service to access victims’ data stored on the cloud. That tactic leveraged the OAuth2 framework and OpenID Connect (OIDC) protocol and used a malicious SharePoint link to trick users into granting permissions to a rogue application.
Also this week, Microsoft 365 faced another phishing attack, this one using a new technique that calls authentication APIs to validate victims’ Office 365 credentials in real time as they enter them into the landing page.