
How Attackers Bypass Office 365 MFA Checks: What Pentesters Need to Know

Vulnerabilities enable attackers to bypass Office 365 multi-factor authentication (MFA) checks, using methods that include adversary in the middle (AitM), session token hijacking, and phishing. Once past MFA, identity thieves can access user accounts, move laterally within systems, escalate privileges, transfer funds, and perform other malicious actions.

In this guide, we cover what pentesters need to know about this critical class of Office 365 vulnerability:

  • What bypass exploits are
  • Potential attack vectors
  • Risk and security implications of this exploit

As we will see, multi-factor authentication bypasses form just one category of bypass exploit. To put Office 365 MFA bypasses in context, we'll start with a broader look at bypass exploits.

What Is a Bypass Exploit?

Bypass exploits (authentication bypass) leverage vulnerabilities in user authentication procedures to gain unauthorized access to accounts and devices. A bypass exploit differs from other attack methods by relying on evasion of authentication checks to compromise users. It does not depend on stealing user credentials, although it may set the stage for credential theft.

Bypass exploits allow attackers to follow up with various malicious actions. Attackers may use bypass exploits to escalate privileges, install malware to change system settings, steal or destroy data, or seize control of system admin accounts.

Bypass Exploit Example 1: Cookie Hijacking

For an example of a bypass exploit, consider a scenario where an attacker intercepts a Microsoft user's access credentials by using session cookie hijacking. Session cookies store the encryption keys used to secure communication channels between parties. Unfortunately, encryption won't stop an attacker from eavesdropping if they've stolen the cookie. This can happen easily if the employee's device has been compromised. For instance, devices may be vulnerable to compromise if:

  • The device uses outdated hardware
  • The user hasn't applied the latest security patches
  • The device isn't running an antivirus scanner

Now let's say an attacker compromises the employee's smartphone by sending a phishing email posing as customer support and getting them to click a link that downloads malware to the device. The malware runs code that extracts the user's cookie from their browser. The attacker can now log into the user's Microsoft account.

Bypass Exploit Example 2: Water Hydra Targets Microsoft Internet Shortcut File Vulnerability

A more complex illustration of bypass exploitation comes from a recent attack initiated by the advanced persistent threat (APT) group Water Hydra (Dark Casino). In December 2023, cybersecurity provider Trend Micro began tracking an attack targeting financial market traders using Microsoft. The attack exploited the CVE-2024-21412 Internet shortcut file vulnerability to install DarkMe trojans on compromised devices.

DarkMe is a remote access trojan (RAT). Once installed, DarkMe steals data from the user's device and executes commands received from a remote command and control (C2) server. It collects the computer name, username, active window name, country name, and antivirus product, and sends this information to the C2 server. The server then begins sending commands to the infected device and creates a persistence entry to maintain the connection.

Water Hydra used a combination of methods to lure targets to websites hosting the DarkMe malware:

  • Links to servers hosting DarkMe trojans
  • Spearphishing on forex forums with messages and JPEG images containing links to WebDAV extensions
  • Internet shortcuts hidden in PDF files

WebDAV extensions allow browser users to use HTTP to collaborate in creating content on web servers. They effectively turn web pages from read-only media into writeable collaborative media. This enables bad actors to poison server resources by exploiting compromised users.

Internet shortcuts allow desktops to add icons linking to websites. Attackers can exploit Internet shortcuts to direct users to malicious sites. This can set the stage for malware to be downloaded to the user's device.

Using these methods, Water Hydra set victims up for a defense evasion attack bypassing normal security checks. To execute this attack, Water Hydra constructed an Internet shortcut URL that contained another Internet shortcut within the target link. This concealed URL bypassed Mark of the Web (MotW) detection procedures Microsoft Defender SmartScreen had set up in a previous security patch.

By evading SmartScreen, the shortcut launched a Microsoft Software Installer (MSI) file loading the DarkMe malware. DarkMe began running in the background, betraying no obvious trace to the user.

Potential Attack Vectors

Attackers may use various vectors to launch bypass exploits. These include:

  • Bypassing login pages
  • Adversary-in-the-middle attacks, including session hijacking, phishing, and SIM swapping
  • WebDAV extensions and Internet shortcuts

Bypassing Login Pages

Attackers may use a variety of methods to bypass login pages and log in as administrative users. One of the most common is SQL injection. Databases often list the administrative user as the first user. To exploit this, attackers may enter an SQL fragment into a login page's username field that makes the login query match the first user, giving them administrative access.

Mitigation strategies for this type of bypass include SQL injection defenses, such as:

  • Using prepared statements with parameterized queries
  • Properly constructing stored procedures
  • Validating input against an allow list
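The login-page bypass described above, shown as an added example (not code from the original article): a string-built login query against a constructed in-memory SQLite users table, beside the prepared-statement version that treats the same input as plain data.

```python
# Added example, not from the original article. The users table and the
# credentials in it are constructed sample data; the admin row is deliberately
# the first user, as the text notes is common.
import sqlite3

def make_db():
    """Constructed sample table with the administrative user as row 1."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, pw, role) VALUES (?, ?, ?)", [
        ("admin", "correct-horse", "admin"),
        ("alice", "battery-staple", "user"),
    ])
    return con

def login_vulnerable(con, username, password):
    """Builds the query by string formatting, so whatever the user types becomes SQL.
    A username that closes the quote and comments out the rest makes the WHERE
    clause true for every row; the first row returned is the admin account."""
    sql = f"SELECT name, role FROM users WHERE name = '{username}' AND pw = '{password}'"
    return con.execute(sql).fetchone()   # (name, role) or None

def login_parameterized(con, username, password):
    """Prepared statement: the driver binds the values as data, never as SQL text,
    so the same input is compared literally against the name column and fails."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (username, password)).fetchone()

# Constructed demo input: closes the string literal, adds an always-true
# condition, and comments out the password check.
INJECTED_USERNAME = "' OR 1=1 --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:    ", login_vulnerable(con, INJECTED_USERNAME, "anything"))
    print("parameterized: ", login_parameterized(con, INJECTED_USERNAME, "anything"))
```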

Adversary in the Middle Attacks

Adversary-in-the-middle attacks intercept traffic between users and servers. The term distinguishes them from the broader class of man-in-the-middle attacks, which may intercept traffic between users, between devices, or between users and applications or servers. Because AitM positions the attacker to eavesdrop on the exchange between a user and a server, it can be used to intercept MFA checks. Three of the most common AitM attacks used to bypass MFA are session hijacking, phishing, and SIM swapping:

Session Hijacking

In session hijacking (Transmission Control Protocol, or TCP, hijacking), attackers impersonate users by stealing the session keys used to encrypt and decrypt communications between parties. For instance, attackers may impersonate web users by intercepting HTTP cookies.

Session hijacking mitigation strategies include session management best practices such as:

  • Using strong session IDs
  • Keeping session IDs out of URLs
  • Rotating IDs after sessions
  • Disallowing JavaScript access to session cookies
  • Setting cookies to expire

Phishing

Phishing attacks (MFA bombing or MFA spamming) can be used to trick end users into falling prey to MFA bypasses. A common phishing MFA bypass method is push fatigue (alert fatigue), which bombards the user with MFA prompts until they approve one, deliberately or accidentally.

Push fatigue attacks may unfold in stages. For instance, the Evilginx framework lets attackers send MFA prompts from malicious sites after a user has been tricked into supplying a password to the site. The attacker sets up a site impersonating a legitimate one and lures the target into entering their password. The phishing site forwards the credentials to the legitimate site, which responds with its MFA check screen. The phishing site then shows the user a phony version of that MFA screen and prompts them to enter their MFA code. To keep the user unaware that they have been compromised, the phishing site redirects them to another page. Meanwhile, the attacker uses the captured MFA code to log into the legitimate site and access the user's account.

MFA fatigue mitigation strategies include:

  • Limiting the number of times MFA software can send authentication checks over a given time frame
  • Limiting time allowed between MFA checks
  • Adding geolocation checks, biometric checks, or other authentication factors
  • Monitoring excessive numbers of unsuccessful MFA checks
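As an added example (not from the original article), a prompt throttle that implements the first, second and fourth mitigations above: a cap on prompts per time window, a minimum gap between prompts, and an alert once a user has rejected several checks in a row. The thresholds, the user name and the attack timeline are constructed; the clock is passed in so the behaviour is deterministic.

```python
# Added example, not from the original article. Thresholds, user names and the
# timeline in simulate() are constructed values.
from collections import defaultdict, deque

class MfaPromptGuard:
    """Decides whether another push prompt may be sent to a user, and flags
    accounts that accumulate consecutive unsuccessful (denied) prompts."""

    def __init__(self, max_prompts=5, window_s=600, min_gap_s=30, alert_failures=3):
        self.max_prompts = max_prompts        # prompts allowed per sliding window
        self.window_s = window_s              # window length in seconds
        self.min_gap_s = min_gap_s            # minimum spacing between two prompts
        self.alert_failures = alert_failures  # consecutive denials before alerting
        self._sent = defaultdict(deque)       # user -> timestamps of prompts sent
        self._failed = defaultdict(int)       # user -> consecutive unsuccessful checks

    def _prune(self, user, now):
        q = self._sent[user]
        while q and now - q[0] > self.window_s:   # drop prompts outside the window
            q.popleft()

    def allow_prompt(self, user, now):
        """Return 'allow', 'too_soon' or 'rate_limited'; records allowed prompts."""
        self._prune(user, now)
        q = self._sent[user]
        if q and now - q[-1] < self.min_gap_s:
            return "too_soon"
        if len(q) >= self.max_prompts:
            return "rate_limited"
        q.append(now)
        return "allow"

    def record_result(self, user, approved):
        """Feed the user's response; True means the denial count warrants an alert."""
        if approved:
            self._failed[user] = 0            # a genuine approval resets the counter
            return False
        self._failed[user] += 1
        return self._failed[user] >= self.alert_failures

def simulate():
    """Constructed timeline: someone holding alice's password requests a push
    every 10 s and she denies each one. Returns (decisions, alert flags)."""
    g = MfaPromptGuard(max_prompts=3, window_s=600, min_gap_s=30)
    decisions, alerts = [], []
    for i in range(10):
        d = g.allow_prompt("alice", now=i * 10)
        decisions.append(d)
        if d == "allow":
            alerts.append(g.record_result("alice", approved=False))
    return decisions, alerts
```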

SIM Swapping

A SIM swap (SIM hijacking) attack bypasses MFA by tricking a mobile carrier into transferring a user's phone number to another device. This exploit relies on the fact that mobile phones use subscriber identity module (SIM) cards to authenticate subscribers and store contact information.

Carriers allow subscribers to transfer phone numbers from one device to another with a different SIM card in scenarios such as device upgrades or device theft. However, attackers can use SIM swaps to transfer phone numbers to their own devices. For example, an attacker may obtain a phone subscriber's credentials and then use them to convince the carrier that the phone has been stolen and a SIM transfer is needed. Once this happens, MFA text and voice messages go to the attacker's device instead of to the legitimate phone owner.

SIM swap mitigation strategies include:

  • Requiring additional authentication such as security questions, biometric checks, or callbacks when users attempt to perform SIM swaps
  • Using secure apps rather than phone numbers for MFA
  • Deploying SIM swap detection tools

WebDAV Extensions and Internet Shortcuts

This attack combination was illustrated by the Water Hydra exploit discussed earlier. Attackers with valid user credentials may use WebDAV to insert malicious code into sites. Bad actors can trick users into opening malicious Internet shortcuts through methods such as disguising shortcuts as PDF files or abusing the Windows search: application protocol.

Mitigation strategies for these attacks include:

  • Disabling WebDAV
  • Removing write permissions
  • Configuring Microsoft Exchange Online to block incoming email containing the Internet Shortcut File attachment
  • Configuring Microsoft Defender Advanced Hunting to detect suspicious URL redirection attempts

Risk and Security Implications of Office 365 Bypass Exploits

Vulnerability to bypass exploits poses serious risks for organizations using Microsoft Office 365. Security teams should prioritize mitigating this attack surface.

Risks

Office 365 bypass exploits pose severe risks. These include:

  • User compromise
  • Device hijacking
  • Malware distribution
  • Privilege escalation
  • Data exfiltration
  • Theft of personal and financial data
  • File deletion
  • Execution of fund transfers

The seriousness of these risks makes mitigation of Office 365 bypass exploits imperative.

Mitigations

The Water Hydra attack shows that bad actors can develop methods to circumvent bypass exploit mitigations. Even so, security teams can take several steps to mitigate common bypass exploit tactics and emerging risks such as WebDAV and Internet shortcut vulnerabilities. These include:

  • Replacing passwords with passkeys stored on user devices
  • Preventing users from accessing company information on personal devices
  • Enforcing non-persistent browser sessions or applying Conditional Access session controls
  • Restricting access to trusted IPs, applying continuous access evaluation (CAE), and applying Entra ID Protection
  • Keeping current on security patches
  • Deploying threat intelligence software to scan for suspicious files
  • Using Group Policy Objects to define high-risk extensions for antivirus scans
  • Scanning URL file targets for exploits of file:// based protocols, references to WebDAV and external Server Message Block (SMB) paths, and anomalous URL, IconFile, and WorkingDirectory fields
  • Scanning container file formats frequently used to deliver MotW bypass malware (such as .iso, .img, .vhd, and .vhdx)
  • Monitoring and blocking attempts to access remote URL files
  • Monitoring and validating outbound WebDAV and SMB sessions involving unknown external infrastructure
  • Monitoring and blocking attempts to connect to external SMB services
  • Running offensive security tests to probe for bypass exploit vulnerabilities
  • Educating employees and customers about common bypass exploits such as push fatigue
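The "scanning URL file targets" item in the list above, worked through as an added example (not code from the original article or from any vendor tool): a triage function that parses an Internet shortcut (.url) file and flags file:// and search: targets, remote SMB/UNC paths, WebDAV references and a target that is itself another shortcut. The two shortcut bodies are constructed samples, not files from the Water Hydra campaign.

```python
# Added example, not from the original article. BENIGN and SUSPICIOUS are
# constructed .url file contents; the IP address is a documentation address.
import configparser
import re

REMOTE_PATH = re.compile(r"^(\\\\|//)[^\\/]+[\\/]", re.I)   # UNC path: \\host\share or //host/share
RISKY_SCHEMES = ("file:", "search:")                        # file:// targets and the search: handler
WEBDAV_HINT = re.compile(r"(^\\\\[^\\]+@(ssl@)?\d+)|davwwwroot|/webdav", re.I)

def parse_url_file(text):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {k.lower(): v for k, v in cp["InternetShortcut"].items()}

def triage_url_file(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    fields = parse_url_file(text)
    findings = []
    for key in ("url", "iconfile", "workingdirectory"):
        val = fields.get(key, "")
        low = val.lower()
        if not val:
            continue
        if low.startswith(RISKY_SCHEMES):
            findings.append(f"{key}: uses {low.split(':')[0]}: scheme")
        if REMOTE_PATH.match(val):
            findings.append(f"{key}: points at a remote SMB/UNC path")
        if WEBDAV_HINT.search(val):
            findings.append(f"{key}: references WebDAV")
        if low.endswith(".url"):
            findings.append(f"{key}: target is itself an Internet shortcut (nested .url)")
    return findings

BENIGN = "[InternetShortcut]\nURL=https://intranet.example/portal\n"
SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.10/share/update.url\n"            # remote .url inside a .url
    "IconFile=\\\\203.0.113.10@80\\DavWWWRoot\\icon.ico\n"  # WebDAV UNC path for the icon
    "WorkingDirectory=C:\\Users\\Public\n"
)

if __name__ == "__main__":
    print("benign:", triage_url_file(BENIGN))
    for finding in triage_url_file(SUSPICIOUS):
        print("-", finding)
```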

These mitigations will help you reduce the risk of Office 365 bypass exploits.

Deploy Cobalt Pentesting to Mitigate Office 365 Vulnerabilities

As the Water Hydra attack illustrates, bad actors are working overtime to circumvent bypass exploitation security measures. Security teams must work equally hard to stay a step ahead.

Penetration testing forms an important component of Office 365 bypass exploit mitigation. Cobalt pentesting services provide you with a modern SaaS platform and access to a team of expert pentesters who can help you test your entire attack surface. The core of our team works with the Open Worldwide Application Security Project (OWASP) to develop cybersecurity best practices and help security teams intercept emerging attack strategies. Connect with Cobalt to discuss how we can help secure your network against bypass exploits of Office 365 and other vulnerabilities in your infrastructure.

About Apporwa Verma
7+ years experience in DAST, SAST, VAPT, Mobile and Web PenTest, DevSecOps, GRC, with a Masters degree in Computer Science and Information Security.