Monday, February 24, 2025

It happened. Someone intercepted an SMS MFA request for the CEO and successfully logged in.

 https://www.reddit.com/r/sysadmin/comments/1ivz152/it_happened_someone_intercepted_a_sms_mfa_request/?share_id=psImgA6DspEXUTwAyMnKi&utm_content=1&utm_medium=android_app&utm_name=androidcss&utm_source=share&utm_term=1&rdt=46341 

I summarized all the comments here.

  • Implement Phishing-Resistant MFA:
    • Use device-bound passkeys.
    • Utilize FIDO2 security keys. These are considered especially useful if you need to support logins from unmanaged devices.
    • Consider Entra Certificate-Based Authentication (CBA), but note it requires PKI understanding and can be complex to set up.
  • Disable SMS MFA:
    • SMS is not secure and has known vulnerabilities.
    • Consider alternatives like Microsoft Authenticator, security keys, or Windows Hello.
  • Conditional Access Policies (CAP):
    • Enforce device compliance by allowing logins only from Intune-compliant devices.
    • Block logins from outside the user's normal country if they are not traveling.
    • Block medium or high-risk sign-ins.
    • Use CA to encrypt tokens to the hardware to make them harder to use if stolen.
    • Block access from consumer VPNs.
    • Implement risk-based CA policies.
    • Require phishing-resistant MFA.
  • Monitor and Audit:
    • Enable risky sign-in monitoring.
    • Regularly review audit logs for any unusual activity.
    • Set up alerts for new users, mail rules, and admin account changes.
    • Review email and audit logs to determine if any actions were taken on the user's behalf.
    • Check for new applications being added to the account.
    • Look for forwarding rules that were established to maintain access.
  • Device Security:
    • Disable iCloud Private Relay at an MDM level on corporate-managed devices.
    • Block access to known proxy addresses.
    • Run security scans on devices, especially phones and laptops.
  • Account Security:
    • Require TAPs (temporary access passes) to add MFA devices.
    • Disable SSPR (self-service password reset) for non-admin accounts.
    • Educate users about phishing and other threats.
  • Network Security:
    • Block all but signed apps with low-risk permissions.
    • Geo-block entire countries at the firewall level.

  • Other Considerations:
    • Consider that a compromised iCloud account can be used to intercept SMS messages.
    • Be aware of SS7 vulnerabilities.
    • Infostealer malware can compromise non-corporate devices.
    • Token theft is a common attack vector.
    • Threat actors are using AiTM (Adversary-in-The-Middle) attacks.
    • Legacy authentication should be blocked in Conditional Access.
    • Ensure that users cannot add unauthorized apps.

  • Rapid Response:
    • Revoke MFA tokens in Entra ID.
    • Force logout and change the password immediately upon suspicion of compromise.
    • Revoke all sessions.
    • Block sign-in and revoke sessions in Entra, then rotate the password.
  • AAD P2 License: It is recommended to pay for an AAD P2 license for C-level executives and enable risky sign-in monitoring and the CAPs (Conditional Access Policies) that support it.
  • Conditional Access (CA) policies: Microsoft requires the Entra ID P2 license for the CA policy that blocks session hijacking from a new IP address.
  • The original poster (OP) mentions they are a relatively small company and the cost of upgrading to Business Premium to get Intune licensing would cost roughly $50k more a year.

Other ways that Conditional Access policies can help in protecting against attacks:

  • Use CA to encrypt the tokens to the hardware to make them much harder to use if stolen.
  • Use a Travel group to allow access to email from outside your country's IP geo-block, and lock down all other access from countries where no employees or contractors live.
  • Set a shorter token expiry for users authenticating from travel locations.
  • Block access from consumer VPNs.
  • Unless you are requiring phishing-resistant MFA, a Conditional Access policy that only allows logins from hybrid-joined or compliant devices is highly recommended.
  • Risk-based CA policies would have gotten the job done.
  • Make sure legacy authentication is blocked in your CA policies. If it is not blocked, MFA can easily be bypassed.
  • Allow access from company-managed devices only: even if an attacker completes MFA or steals an access token, they still cannot access the account.
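As an added example (not from the Reddit thread or this blog), here is a small Python checker that audits a Conditional Access policy export in the Microsoft Graph conditionalAccessPolicy JSON shape for three of the controls above: legacy authentication blocked, phishing-resistant MFA required through an authentication strength, and grants limited to compliant or hybrid-joined devices. The sample policies are constructed, and the only tenant-specific value assumed is the built-in Entra "Phishing-resistant MFA" authentication strength id.

```python
# Added example: audit an Entra Conditional Access export (Microsoft Graph
# conditionalAccessPolicy shape) for controls recommended in the thread.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength id
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}            # clients that cannot do MFA
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

def tenant_wide(p):
    """Enabled (not report-only) and scoped to all users and all cloud apps."""
    c = p.get("conditions", {})
    return (p.get("state") == "enabled"
            and "All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def blocks_legacy_auth(p):
    """Blocks Exchange ActiveSync and 'other' clients, which bypass MFA prompts."""
    apps = set(p.get("conditions", {}).get("clientAppTypes", []))
    controls = (p.get("grantControls") or {}).get("builtInControls", [])
    return tenant_wide(p) and LEGACY_CLIENT_APPS <= apps and "block" in controls

def requires_phishing_resistant_mfa(p):
    """The plain 'mfa' control still accepts SMS; only a strength excludes it."""
    strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
    return tenant_wide(p) and strength.get("id") == PHISHING_RESISTANT_MFA

def requires_managed_device(p):
    """Grant only to compliant/hybrid-joined devices, with no weaker OR alternative."""
    g = p.get("grantControls") or {}
    controls = set(g.get("builtInControls", []))
    device_only = bool(controls) and controls <= DEVICE_CONTROLS
    anded = g.get("operator") == "AND" and bool(controls & DEVICE_CONTROLS)
    return tenant_wide(p) and (device_only or anded)

def find_gaps(policies):
    # Recommendations from the thread that no policy in the export satisfies.
    checks = {"block legacy authentication": blocks_legacy_auth,
              "require phishing-resistant MFA": requires_phishing_resistant_mfa,
              "allow only compliant or hybrid-joined devices": requires_managed_device}
    return [name for name, ok in checks.items() if not any(ok(p) for p in policies)]

ALL_SCOPE = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
SAMPLE_POLICIES = [  # constructed sample export, not real tenant data
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"], **ALL_SCOPE},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA", "state": "enabled",  # SMS codes satisfy this
     "conditions": {"clientAppTypes": ["all"], **ALL_SCOPE},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["all"], **ALL_SCOPE},  # report-only: enforces nothing
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]
```

Running `find_gaps(SAMPLE_POLICIES)` on the sample export reports that phishing-resistant MFA and managed-device-only access are still missing, because the generic MFA policy admits SMS and the device policy is only in report-only mode.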

