Massive phishing campaign against Microsoft 365 customers bypasses multi-factor authentication

Microsoft explains how attackers managed to steal credentials from more than 10,000 organizations, using a server posing as legitimate and mimicking the behavior of Azure Active Directory. A reminder that, despite its obvious value, MFA is not the alpha and omega of security.

Multi-factor authentication is a security staple today. The examples are numerous and rely, most of the time, on the smartphone. The principle is simple: in addition to requesting the username and password, the service contacted requires additional information, most often a six-digit code provided by an Authenticator-type application or sent by SMS. In some cases, like at Blizzard, authentication is handled by a dedicated application, which generates a notification to report the pending request.

But this authentication, which makes fraudulent access much more complex, does not make it impossible. Absolute security does not exist, and that was precisely the subject of a recent report published by Microsoft.

The publisher describes how a group of attackers succeeded in stealing credentials from a large number of companies and other organizations by inserting themselves between the users and the legitimate Azure Active Directory server, in an AiTM (adversary-in-the-middle, a variant of man-in-the-middle) attack. This BEC (business email compromise) campaign reached thousands of companies by targeting Microsoft 365 accounts, for which it was specifically tailored.
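To make the mechanism concrete, here is a constructed Python model of the relay described above. It is an added illustration, not code from the article or from Microsoft, and it reduces the attacker's server to "forward whatever the victim submitted to the real identity provider". The identity provider, the origins `https://login.example.test` and `https://login-example.test`, the user `alice`, her password and secrets are all hypothetical. The first scenario relays a six-digit one-time code exactly as in the campaign: the code is valid wherever it is typed, so the relay obtains a real session. The second scenario goes beyond the article (which does not discuss it) to show why an origin-bound second factor such as a FIDO2/WebAuthn key is not relayable: the signed client data names the origin the browser actually visited, so the legitimate server rejects it. An HMAC stands in for the authenticator's asymmetric signature.

```python
"""Toy model of an AiTM relay against two kinds of second factor (constructed)."""
import hashlib
import hmac
import json
import secrets
import struct
import time

LEGIT_ORIGIN = "https://login.example.test"   # hypothetical legitimate IdP origin
PROXY_ORIGIN = "https://login-example.test"   # hypothetical lookalike origin


def totp(secret: bytes, step=None) -> str:
    """RFC 6238 six-digit code (HMAC-SHA1, 30-second time steps)."""
    if step is None:
        step = int(time.time()) // 30
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def canonical(client_data: dict) -> bytes:
    return json.dumps(client_data, sort_keys=True).encode()


class IdentityProvider:
    """Stands in for the legitimate Azure AD endpoint (heavily simplified)."""

    def __init__(self):
        self.users = {}
        self.challenges = set()
        self.sessions = set()

    def register(self, user, password, totp_secret, auth_key):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": auth_key}

    def _password_ok(self, user, password):
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], password)

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def issue_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def login_with_code(self, user, password, code, step=None):
        """Password + one-time code: nothing ties the code to where it was typed."""
        if not self._password_ok(user, password):
            return None
        if not hmac.compare_digest(totp(self.users[user]["totp"], step), code):
            return None
        return self._issue_session()

    def login_with_bound_factor(self, user, password, assertion):
        """Password + assertion whose signed client data names the origin."""
        if not self._password_ok(user, password):
            return None
        cd = assertion["client_data"]
        if cd["challenge"] not in self.challenges:
            return None                           # replayed or unknown challenge
        self.challenges.discard(cd["challenge"])  # single use
        if cd["origin"] != LEGIT_ORIGIN:
            return None                           # signed for another site: reject
        expected = hmac.new(self.users[user]["key"], canonical(cd), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session()


class Authenticator:
    """Security key: signs the origin the browser reports, not one the user chooses."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, browser_origin):
        cd = {"challenge": challenge, "origin": browser_origin}
        return {"client_data": cd,
                "signature": hmac.new(self.key, canonical(cd), hashlib.sha256).digest()}


class RelayProxy:
    """The AiTM server: passes the victim's submissions to the real IdP verbatim."""

    def __init__(self, idp):
        self.idp = idp

    def relay_code_login(self, user, password, code, step=None):
        return self.idp.login_with_code(user, password, code, step)

    def relay_challenge(self):
        return self.idp.issue_challenge()

    def relay_bound_login(self, user, password, assertion):
        return self.idp.login_with_bound_factor(user, password, assertion)


def demo(step=12345):
    idp = IdentityProvider()
    totp_secret, key = b"constructed-totp-seed", b"constructed-authenticator-key"
    idp.register("alice", "correct horse", totp_secret, key)
    proxy, auth = RelayProxy(idp), Authenticator(key)
    # 1. Victim types the current code into the lookalike page; the relay gets a session.
    via_code = proxy.relay_code_login("alice", "correct horse", totp(totp_secret, step), step)
    # 2. Origin-bound factor: the browser is on PROXY_ORIGIN, so the assertion says so.
    via_bound = proxy.relay_bound_login("alice", "correct horse",
                                        auth.sign(proxy.relay_challenge(), PROXY_ORIGIN))
    # 3. Same key used directly at the real origin still works.
    direct = idp.login_with_bound_factor("alice", "correct horse",
                                         auth.sign(idp.issue_challenge(), LEGIT_ORIGIN))
    return {"code_relayed": via_code is not None,
            "bound_relayed": via_bound is not None,
            "bound_direct": direct is not None}


if __name__ == "__main__":
    print(demo())
```

The model deliberately omits everything that makes a real relay hard to spot (TLS on the lookalike, a faithful copy of the sign-in page, forwarding of the resulting session cookie); the point is that a code the user reads and retypes is valid anywhere, while a factor that signs the origin is not.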

Server operation
