Hackers Evade MFA, Increase Business Email Compromise Attacks
By: Jim Stickley and Tina Davis
November 30, 2020
Verifying that the person logging into a system is who they claim to be has long been a challenge for enterprises. Hackers who use password spraying and other tricks are able to gain access to email and other accounts, and that’s a big problem for enterprise security. The FBI reports an estimated $1.77 billion in losses last year due to business email compromise (BEC). That’s almost half the entire amount of financial losses due to all cybercrime in the U.S. Authenticating a user remained a challenge until MFA (multi-factor authentication) technology arrived. MFA adds layers of protection to the log-in process, with each layer adding another level of identity verification, and enterprises have come to depend on it. That is, until now.
The goal of a BEC attack is to use a compromised business email account to send fake invoices or requests for wire transfers that a bad actor hopes get paid – to them. An uptick in BEC was recently discovered by Abnormal Security Corporation (ASC), the email security platform for Office 365. They found that MFA is now under attack and being bypassed by hackers, and that’s scary news for businesses. The threat ASC found affects organizations still using outdated software, otherwise called a “legacy system.” Cybercriminals can now access these business accounts through a legacy system even though MFA security is in place, because the legacy protocols never trigger the MFA step. Because of this outdated software, even employees checking their email on a mobile device won’t be subject to MFA protocols.
In May of this year, ASC discovered that Office 365 MFA was bypassed, allowing an attacker to access a victim’s cloud data and use it for a Bitcoin ransomware attack. Options like “Log in with Facebook” and “Log in with Google” are also leveraged to bypass MFA. That’s because they are already trusted applications, and using them to sign into other accounts skips the MFA protocols of the account being accessed.
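The legacy-protocol bypass described above leaves a recognizable trace: a successful sign-in over a basic-auth client (IMAP, POP, ActiveSync, authenticated SMTP) where no MFA requirement was applied. The following Python is an added example written for this article, not code from the authors or from Abnormal Security; it runs over a constructed set of sign-in records whose field names and client-app labels are modelled on Microsoft 365 sign-in logs but are assumptions, so map them to your own log export before use.

```python
"""Flag sign-ins that reached a mailbox over a legacy protocol without MFA.

Constructed sample records modelled loosely on Microsoft 365 / Azure AD
sign-in log fields. The field names ('user', 'clientAppUsed',
'authenticationRequirement', 'status') and client-app labels are
assumptions for this example, not a guaranteed schema.
"""
from collections import Counter

# Client-app labels treated as legacy (basic) authentication.
# Assumption: these match the labels your sign-in log emits for such protocols.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sample data: one modern browser sign-in gated by MFA,
# two successful legacy sign-ins with no MFA, and one failed legacy attempt.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": "success"},
    {"user": "bob@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": "success"},
    {"user": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "status": "success"},
    {"user": "carol@example.com", "clientAppUsed": "POP3",
     "authenticationRequirement": "singleFactorAuthentication", "status": "failure"},
]


def is_legacy_auth_bypass(record):
    """True when a successful sign-in used a legacy client and was not MFA-gated."""
    return (record["status"] == "success"
            and record["clientAppUsed"] in LEGACY_CLIENT_APPS
            and record["authenticationRequirement"] != "multiFactorAuthentication")


def find_mfa_bypasses(signins):
    """Return every record where MFA was effectively skipped via legacy auth."""
    return [r for r in signins if is_legacy_auth_bypass(r)]


def summarize_by_user(signins):
    """Count bypass events per user so accounts with repeat exposure surface first."""
    return Counter(r["user"] for r in find_mfa_bypasses(signins))


if __name__ == "__main__":
    for r in find_mfa_bypasses(SAMPLE_SIGNINS):
        print(f"LEGACY AUTH WITHOUT MFA: {r['user']} via {r['clientAppUsed']}")
    print(summarize_by_user(SAMPLE_SIGNINS).most_common())
```

Failed attempts are deliberately excluded from the bypass list, since the point is to find accounts that were actually reached without a second factor; a separate count of failed legacy attempts is what you would want for spotting password spraying against those same protocols.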
An organization using the latest software with the most recent security updates is a step ahead in avoiding BEC attacks that bypass MFA. And although MFA has been bypassed from time to time, it is still always recommended: implement it if you are an organization, and use it if you’re an individual. Also, never log in using another app’s credentials, such as those mentioned above, no matter how convenient it may be. Make sure all logins use entirely separate credentials with strong and unique passwords, something everyone can do to help secure their accounts.