Adversaries are sparking all sorts of identity crises by intercepting MFA requests and other user authentication mechanisms.


Users continue to be the weakest link in the initial chains of compromise we investigate. Virtual identities used by humans are the critical enabler of breaches that lead to intellectual property theft, ransomware, and cryptomining, to name just a few. It’s critical for defenders to adopt detection technologies and strategies that thwart identity compromises earlier in the intrusion chain.

In 2022, adversaries demonstrated their talents for circumventing several types of identity verification technologies that security teams use to prevent unauthorized use of compromised credentials. Namely, adversaries got smarter in their approaches to circumventing multi-factor authentication (MFA) and geographic/trust-based detection heuristics.

In most scenarios, their techniques tricked end users into accepting “ghost” MFA requests, commonly through a technique known as MFA Request Generation, which we’ve covered in depth in the techniques section of this report. In brief, it involves a victim yielding to the annoyance of MFA prompts that they just want to go away, inadvertently enabling initial access for an adversary. In cases where adversaries failed to gain access to systems after initial MFA bypass, they often abused the trust of public cloud infrastructure to bypass single points of failure in static geographic or hosting provider checks performed by identity access management systems.
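One way to surface the prompt-fatigue pattern described above is to look for a run of rejected or unanswered push prompts that ends in an approval. The following is an added example, not part of the original report; the event tuples, result labels, threshold, and window are constructed assumptions rather than any identity provider's schema.

```python
from datetime import datetime, timedelta

# Constructed sample push-MFA events: (timestamp, user, result).
# Result labels ("denied", "timeout", "approved") are assumed names.
PUSH_EVENTS = [
    ("2022-06-01T02:10:00", "carol@example.com", "denied"),
    ("2022-06-01T02:11:00", "carol@example.com", "timeout"),
    ("2022-06-01T02:12:00", "carol@example.com", "denied"),
    ("2022-06-01T02:13:00", "carol@example.com", "denied"),
    ("2022-06-01T02:14:00", "carol@example.com", "approved"),
    ("2022-06-01T09:00:00", "dave@example.com", "denied"),    # single mis-tap
    ("2022-06-01T09:01:00", "dave@example.com", "approved"),
    ("2022-06-01T14:00:00", "erin@example.com", "denied"),
    ("2022-06-01T14:01:00", "erin@example.com", "denied"),
    ("2022-06-01T14:02:00", "erin@example.com", "denied"),
    ("2022-06-01T14:30:00", "erin@example.com", "approved"),  # outside window
]

def find_push_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, prior_rejections) for approvals that
    follow at least `threshold` rejected/unanswered prompts within `window`."""
    recent = {}   # user -> timestamps of rejected or unanswered prompts
    alerts = []
    for ts, user, result in sorted(events):
        when = datetime.fromisoformat(ts)
        # Keep only prompts still inside the sliding window.
        pending = [t for t in recent.get(user, []) if when - t <= window]
        if result == "approved":
            if len(pending) >= threshold:
                alerts.append((user, ts, len(pending)))
            pending = []          # an approval closes the current run
        else:
            pending.append(when)
        recent[user] = pending
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(PUSH_EVENTS):
        print(alert)
```
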

Siphoning data from Office 365

In 2022, we observed an increase in account compromises targeting Office 365. Adversaries appear to be prioritizing data theft in these operations, ranging from email collection and data exfiltration to full-on employee impersonation in hopes of committing financial fraud. These attacks almost always originated from an account login from an unusual location. In such instances, an adversary login would have unusual attributes: a net-new IP address never before seen for the given identity, along with secondary outlier attributes such as mismatched User-Agents or never-before-seen device types or geo IP locations. These initial logins were almost always reported from the Office 365 Exchange Online workload type in the Azure audit logs, but we also saw other Azure application types being abused. Below is a breakdown of the identity compromise sources we observed, organized by Azure Application IDs and their respective application name:


| Application ID | Application name |
|---|---|
| | Microsoft Office 365 Portal |
| | Office 365 Exchange Online |
| | Microsoft Exchange REST API Based PowerShell |
| | Microsoft Office |
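The login outliers described in this section (a never-before-seen IP for an identity, backed by a secondary outlier such as a new User-Agent or geo IP location) can be checked with a per-user baseline. This is an added example, not code from the original report; the record fields, the `min_history` parameter, and the sample sign-ins are constructed assumptions, not the exact Azure audit log schema.

```python
from collections import defaultdict

def _ev(time, user, ip, country, user_agent, app="Office 365 Exchange Online"):
    return dict(time=time, user=user, ip=ip, country=country,
                user_agent=user_agent, app=app)

# Constructed sample sign-ins. Field names are simplified assumptions;
# IP addresses come from documentation ranges.
SIGNINS = [
    _ev("2022-03-01T08:02:11Z", "alice@example.com", "198.51.100.10", "US", "Edge/Windows"),
    _ev("2022-03-02T08:05:40Z", "alice@example.com", "198.51.100.10", "US", "Edge/Windows"),
    _ev("2022-03-03T19:30:02Z", "alice@example.com", "198.51.100.22", "US", "Edge/Windows"),
    _ev("2022-03-04T03:14:55Z", "alice@example.com", "203.0.113.77", "NL",
        "python-requests/2.28", app="Microsoft Office 365 Portal"),
    _ev("2022-03-04T09:00:00Z", "bob@example.com", "192.0.2.5", "US", "Outlook/macOS"),
]

FIELDS = ("ip", "country", "user_agent")

def find_outlier_logins(events, min_history=2):
    """Flag logins from a never-seen IP that also show a secondary outlier."""
    seen = defaultdict(lambda: {f: set() for f in FIELDS})
    count = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, profile = ev["user"], seen[ev["user"]]
        new = [f for f in FIELDS if ev[f] not in profile[f]]
        # Primary signal: new IP. Require a secondary outlier to cut noise from
        # ordinary IP churn, and enough history to have a baseline at all.
        if count[user] >= min_history and "ip" in new and len(new) > 1:
            alerts.append({"user": user, "time": ev["time"], "app": ev["app"],
                           "new_attributes": new})
            continue  # do not let a suspect login poison the baseline
        for f in FIELDS:
            profile[f].add(ev[f])
        count[user] += 1
    return alerts

if __name__ == "__main__":
    for alert in find_outlier_logins(SIGNINS):
        print(alert)
```

Identities with fewer than `min_history` prior logins are only learned, never scored, so a first-ever login (bob in the sample) produces no alert and needs a different control.
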

Protecting and monitoring for compromised identities is not an easy task, but defenders have options to stay one step ahead of adversaries trying to gain access to accounts.

Phish-resistant MFA

To be clear, any form of MFA is going to be better than just using passwords alone to verify someone’s identity. But as we’ve learned in 2022, adversaries are persistent and will eventually trick a human into accepting a request if they try hard enough. This is where phish-resistant MFA comes into play. The main difference between traditional MFA and phish-resistant MFA is the human element. Phish-resistant MFA trusts humans less, sometimes even eliminating or replacing them entirely with hardware-based indicators of identity. A White House mandate from early 2022 will require phish-resistant MFA for employees and contractors across the federal government by the end of fiscal year 2024.

Number matching

Phish-resistant MFA may not be an option for every organization, but defenders have another opportunity to fortify their existing MFA technologies. With traditional “push” MFA verification, defenders can layer in number matching as part of the push verification process. This mitigates human fatigue by actually forcing the user to do something: input the numbers they see into the authentication application. With number matching implemented, users cannot approve an MFA request without visiting the identity provider login screen and inputting the numbers shown.

Conditional Access Policies and device trust

Layering preventive identity controls into your Cloud/SaaS applications is one of the most effective defense mechanisms against identity theft. Conditional Access Policies (CAP) are a set of identity and device signals that can be leveraged to create logic upon a successful identity authentication. As an example, Microsoft provides a set of Conditional Access templates that cover some of the most important, high-risk scenarios such as:

By layering in these risk-based identity prevention capabilities, defenders will make successful identity compromise much more difficult, a concrete example of how to enforce high-impact, zero-trust technology within your organization.


Atomic Red Team has a variety of tests that security teams can run to validate and improve their defense controls for detecting and preventing identity abuse. The following five are a great starting point. Run them and then examine whether or not you managed to detect, prevent, or observe the suspicious activity.
