Bypassing Multi-Factor Authentication


In this blog post, we reveal how, as ethical hackers, we were able to bypass multi-factor authentication (MFA) in a real-world enterprise environment—and what organizations can learn from it to improve their own security strategy.

We’ve all been there as ethical hackers: we are provided credentials for multiple accounts, with complex passwords and multi-factor authentication (MFA), to test our customers’ environments. While that is a great sign of authentication security best practices, it is an annoyance for pentesters. There are ways to make this easier, such as temporarily using a password manager that supports MFA in the testing browser. But what if you are not using a browser for testing?

I recently worked on a project which involved assessing a few Azure subscriptions. The assessment required the use of two differently privileged accounts that a colleague and I had to share. The customer’s conditional access policies required us to register our devices via Microsoft’s Company Portal. Once done, we could set up our device’s Windows SSO to access company resources such as the Azure Portal and Azure CLI. This was necessary to review the subscriptions’ configurations and conduct our audit. Windows SSO has the advantage that we could use the Teams and Outlook applications and no longer needed MFA unless we tried to edit our Microsoft account. With that customer, the applications are more convenient to use than the browser, as the browser sessions keep getting invalidated and MFA is enforced every time you log in. Now, the only step that required MFA for us was registering our device. The Windows SSO token deals with the rest.

How to Bypass Multi-Factor Authentication 

This is where it gets interesting: my colleague and I needed to assess the Azure environment using each other’s assigned customer accounts. To save time, we wanted to use them in a way where we would not constantly need MFA. That is where I figured out that our Windows SSO tokens not only allow us to skip MFA when using applications such as Teams or Outlook, but also when interacting with the Azure CLI. This includes Intune functionality such as adding a foreign account to my own registered device. By doing so, I could use my customer account to register my device and then use my device to assign it to my colleague’s customer account. With just their username and password, I could use my Windows SSO MFA policies to bypass theirs simply by using the Azure CLI’s “az login” command.

Figure 1: HLD of the attack (MFA attack model)

Having established that our trusted devices can be misused to bypass a foreign user’s MFA, one question remains: what is the broader impact, and how high is the risk, given that we still need the user’s credentials?

Understanding the Security Impact of Bypassing Multifactor Authentication 

The impact is always coupled with conditions. Without being an internal threat actor, we cannot do anything. Without a foreign user’s credentials, we cannot use their account. Without a foreign user’s account that has access to sensitive information or has personal relations we can use for phishing attacks, we cannot even exploit the compromised account. So, what can we do?

Being in a privileged position where I test applications before they go live, I can sometimes brute-force credentials or abuse bad logging practices that store credentials in cleartext. As an outsider, it is a lot harder, but there are still plenty of dumped databases that contain credentials of users who used their work email address for private purposes. Aside from that, targeted attacks such as man-in-the-middle and phishing attacks still apply.

The best case is already covered: the targeted user cannot be used for further exploitation. The worst case is that, once you get the credentials of a high-value account, you not only have access to their full Microsoft 365 suite (Teams, Outlook, SharePoint, etc.), but you also get access to all tenants that account has access to. For this customer, these allegedly included accounts with administrative privileges within other companies’ tenants. If an attacker can compromise such an account, they could exploit that to gain access to third-party tenants, leading to data breaches and compliance violations. Legal repercussions may include fines under data protection regulations as well as potential lawsuits from affected companies and reputational damage.

Best Practices for Mitigating Multifactor Authentication Vulnerabilities 

While it is easy to look at the steps we have taken and simply block the Azure CLI from bypassing MFA, the deeper you dive into mitigations, the more issues arise. There are a few solutions we came up with:

  • Blacklisting actions involving foreign accounts 
  • Whitelisting the allowed applications and actions to be used with Windows SSO 
  • Disallowing a device to be connected to more than one account 
  • Similarly, disallowing an account to be connected to more than one device 

All are valid solutions with their own advantages and disadvantages, although it is highly recommended to carefully whitelist each action a user is allowed to perform. By doing so, you get full control over each action, unlike with blacklisting, where updates can introduce bypasses. However, a company always needs to weigh security against usability, because users tend to avoid manual security practices where possible, as we showcase with this article.

Luckily, there have been changes to Microsoft’s conditional access policies allowing fine-grained control over many more actions. This includes the “Register or join devices” user action. I recommend checking your policies and seeing for yourself whether you catch this edge case. Keep in mind that using the user action requires you to turn off the MFA requirement in the Identity Device Settings, as per Microsoft’s warning found here.
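To check for this edge case in a policy export, here is an added example (not code from the original post) that audits conditional access policies in the Microsoft Graph JSON shape for an enforced, all-users policy on the “Register or join devices” user action that requires MFA. The policy objects are constructed sample data, and the user-action value `urn:user:registerdevice` and the field names are assumed from the Graph conditionalAccessPolicy schema.

```python
import json

# Graph user-action value for "Register or join devices" (assumed from the
# conditionalAccessPolicy schema; verify against your tenant's policy export).
REGISTER_DEVICE_ACTION = "urn:user:registerdevice"


def policy_enforces_mfa_for_registration(policy: dict) -> bool:
    """True if an enabled policy targets device registration for all users and requires MFA."""
    if policy.get("state") != "enabled":          # report-only or disabled does not enforce
        return False
    conditions = policy.get("conditions") or {}
    apps = conditions.get("applications") or {}
    if REGISTER_DEVICE_ACTION not in (apps.get("includeUserActions") or []):
        return False                              # an "All cloud apps" policy does not cover user actions
    users = conditions.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        return False
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def audit_device_registration(policies: list) -> dict:
    """Summarise which policies close the gap and which users are carved out of them."""
    covering = [p for p in policies if policy_enforces_mfa_for_registration(p)]
    excluded = sorted({u for p in covering
                       for u in (((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or [])})
    return {"covered": bool(covering),
            "policies": [p["displayName"] for p in covering],
            "excluded_users": excluded}


# Constructed sample export, shaped like the output of
#   az rest --method GET --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
# Policy names are made up.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Device registration MFA (report-only)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeUserActions": ["urn:user:registerdevice"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_device_registration(SAMPLE_POLICIES), indent=2))
```

On the sample data the audit reports the gap as open: the first policy covers only cloud apps, and the second is report-only. Excluded users are listed because accounts carved out of the policy (break-glass or service accounts) keep the bypass described above.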

Closing the Gaps in Microsoft MFA Security 

In this article, we explored how multi-factor authentication (MFA) can be bypassed in a seemingly secure environment. By registering a device and using simple Azure CLI commands, it was possible to bypass MFA without the foreign user’s explicit consent or knowledge. The consequences include possible data breaches, attacks on the environment’s integrity and availability, as well as several compliance violations. The key is to continuously refine your policies and seek input from your users to create systems that are both secure and user-friendly. Finding the right balance between security and usability allows you to effectively protect your organization’s sensitive information and maintain your users’ productivity.