That does not sound good at all. Newly discovered vulnerabilities in Microsoft 365 make it possible to bypass multi-factor authentication. Security researchers at Proofpoint have just published this information.
Proofpoint security researchers have recently discovered critical vulnerabilities in the implementation of multi-factor authentication (MFA) in cloud environments where WS-Trust is enabled. The vulnerabilities were announced by Proofpoint and demonstrated at the Proofpoint Protect virtual user conference. It is highly likely that these vulnerabilities have existed for years. The researchers tested several Identity Provider (IdP) solutions, identified which of them were vulnerable, and the issues have since been resolved.
These vulnerabilities could allow attackers to circumvent multi-factor authentication (MFA) and thereby gain access to cloud applications that rely on the WS-Trust protocol for authentication. According to Proofpoint, this particularly affects Microsoft 365.
The security researchers write that because of the way Microsoft 365 session login is designed, an attacker could gain full access to the target’s account. This includes email, files, contacts, data, and more. Furthermore, these vulnerabilities could also be exploited to gain access to various other cloud services provided by Microsoft, including production and development environments such as Azure and Visual Studio.
The vulnerabilities arose from the inherently insecure protocol (WS-Trust), as Microsoft itself describes it, combined with various flaws in how the IdPs implemented it. In some cases, an attacker could spoof the source IP address with a simple request header manipulation and thereby bypass MFA (for example where MFA is not enforced for requests that appear to come from a trusted network). In another case, changing the User-Agent header caused the IdP to misidentify the protocol and treat the request as Modern Authentication. In all cases, Microsoft logs the connection as "Modern Authentication", because the exploit switches from the legacy protocol to the modern one. Administrators and security teams monitoring the tenant, unaware of the situation and its risks, would therefore see the connection as having been made with "Modern Authentication".
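The following toy model illustrates the two flaw classes described above. It is an added example, not Proofpoint's code and not the code of any real IdP: the endpoint path, the `X-Forwarded-For` header name, the User-Agent marker and the idea that a "modern" request skips the MFA step are all assumptions made for illustration. The vulnerable IdP derives the client address and the protocol from headers the attacker controls; the hardened version derives them from the transport-layer peer address and the endpoint that was actually hit.

```python
"""Toy model of the WS-Trust MFA bypass classes: header-driven decisions vs. transport-driven ones.
Constructed for illustration only; not Proofpoint's code and not any vendor's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "corporate" range (RFC 5737 TEST-NET-3) that the policy treats as a trusted location.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Hypothetical marker a naive IdP might use to guess "this looks like a modern-auth client".
MODERN_AUTH_UA_MARKERS = ("Mozilla/5.0",)

# Hypothetical WS-Trust endpoint prefix; the protocol is determined by what was actually called.
LEGACY_WSTRUST_PREFIX = "/adfs/services/trust/"


@dataclass
class Request:
    path: str                      # endpoint actually hit
    peer_ip: str                   # address seen by the socket / TLS terminator
    headers: dict = field(default_factory=dict)
    password_ok: bool = True       # password already phished, so assumed valid


def _in_trusted_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def vulnerable_idp(req: Request) -> str:
    """Naive policy: both facts it needs come from attacker-controllable headers."""
    if not req.password_ok:
        return "denied"
    # Flaw 1: the client address is taken from a header rather than from the transport layer.
    client_ip = req.headers.get("X-Forwarded-For", req.peer_ip)
    # Flaw 2: the protocol is inferred from the User-Agent instead of from the endpoint.
    looks_modern = req.headers.get("User-Agent", "").startswith(MODERN_AUTH_UA_MARKERS)
    if looks_modern:
        # Hypothetical simplification: the IdP assumes MFA for modern auth is handled elsewhere.
        return "token:modern-auth"
    if _in_trusted_network(client_ip):
        return "token:trusted-ip"
    return "mfa-required"


def hardened_idp(req: Request) -> str:
    """Same policy, but every input comes from something the client cannot forge."""
    if not req.password_ok:
        return "denied"
    is_legacy = req.path.startswith(LEGACY_WSTRUST_PREFIX)
    if is_legacy:
        # Legacy WS-Trust requests always get the MFA challenge (or are refused outright).
        return "mfa-required"
    if _in_trusted_network(req.peer_ip):   # socket address, never a header
        return "token:trusted-ip"
    return "mfa-required"


def attacker_requests() -> dict:
    """Constructed attacker traffic: both hit the legacy endpoint from an outside address."""
    wstrust = LEGACY_WSTRUST_PREFIX + "2005/usernamemixed"
    outside = "198.51.100.7"     # RFC 5737 TEST-NET-2, not in the trusted range
    return {
        "ip_spoof": Request(wstrust, outside,
                            {"X-Forwarded-For": "203.0.113.10", "User-Agent": "ws-trust-client/1.0"}),
        "ua_spoof": Request(wstrust, outside,
                            {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}),
    }


def evaluate(idp) -> dict:
    """Run every constructed attacker request through one policy and collect the outcomes."""
    return {name: idp(req) for name, req in attacker_requests().items()}


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_idp), ("hardened", hardened_idp)):
        print(name, evaluate(policy))
```

Run as a script, the vulnerable policy hands out a token for both attacker requests without any MFA challenge, while the hardened policy demands MFA for both. The design point is the one the article makes: a decision that feeds a security exception (trusted location, protocol classification) must be based on facts the client cannot set, such as the peer address and the endpoint that was called.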
The vulnerabilities take some research to discover, but once found they can be exploited automatically. They are difficult to detect and may not even appear in the event logs, leaving no trace or indication of the activity. Since MFA, as a preventive control, can be bypassed, additional measures become necessary in the form of detection and remediation of compromised accounts. See the Proofpoint article for more details.