Following our first blog in our ‘Securing Cloud Identities in 2023’ series, which covered MFA Fatigue, this next instalment goes into how you can create phishing-resistant authentication.
Before we dive into this blog, I must first correct the rollout timeline for Number Matching disclosed within Part 1 of this mini-series. Microsoft originally communicated that they would start forcibly enabling number matching for tenancies in February 2023, but that has since been delayed to May 2023. The organic rollout will be an inconsistent experience until your tenant has been fully enabled, so if you haven’t already done so, you are strongly encouraged to start your proactive rollout today.
Okay, let’s get into Part 2…
Imagine a scenario where a user receives a phone call from their IT team informing them their account was compromised, and that they will send a code to their phone which they must read back to the friendly IT operative to pass their ID check and in turn be given their new password. What if that call was actually an attacker, who has just phished the user’s Azure MFA number matching authentication code? Sound a little far-fetched? Microsoft’s Detection and Response Team (DART) have witnessed an increase in attackers utilising these phishing techniques, as well as token theft attacks such as pass-the-cookie.
The way the cookie crumbles
Everyone loves cookies, but nobody more than attackers it seems. Pass-the-cookie is an attack method being used by bad actors to seize an authenticated session cookie, bypassing all MFA controls. Unlike most identity attacks which steal a user’s credentials, usually via phishing, pass-the-cookie attacks seize the session cookie after a user has already authenticated and inject it into a web browser on a different machine.
Session cookies allow web applications such as Office 365 to store authentication information, which helps to keep you signed in and avoid constant authentication prompts each time you navigate to a new page. So how is the cookie stolen in the first place?
‘Man-in-the-middle’, an old attack method in which traffic between the client and server is intercepted, remains the most likely way for the session cookie to be stolen. This is usually done through a malicious proxy server or a compromised Wi-Fi network, or by lifting the cookie from the local browser cache if the user’s system has been infected with malware. Once the cookie is injected into the attacker’s own browser, the session remains valid for the lifetime of the seized cookie.
Take your hands out my cookie jar!
If you’re sat there wondering what action you can take to keep your prized cookies safe, you’re in the right place! Like most security vulnerabilities, there is unfortunately no silver bullet, but instead a layered approach to reduce the likelihood of a successful attack.
Reducing Azure MFA Prompts
This may at first seem a little counterintuitive, but consider reducing the number of Azure MFA prompts your users see throughout their working day. Where you can confidently rely on alternate means of two or more types of authentication (such as a password and an Intune-compliant, corporate device), consider removing the additional requirement for Azure MFA. Making approval less of a reflex, so that the user stops and thinks on the occasions they are asked to approve a sign-in via Azure MFA, may just help prevent them becoming fatigued.
Enable Number Matching
I’ve said it before and this is the last time you’ll hear me say it – enable Number Matching in your tenant now. It's going to be turned on by Microsoft in a few months anyway, so what are you waiting for? Take back control of the rollout and enhance your MFA security today!
Solutions such as FIDO2 security keys and Windows Hello for Business are considered ‘phishing resistant’ forms of authentication, since there are no ‘secrets’ known to the user which could inadvertently be shared with a bad actor. Instead, the secret is either physically held by the user on the security key, or securely stored within the managed device’s TPM chip. Windows Hello for Business works across hybrid environments with an on-premises Active Directory too, and the introduction of Cloud Kerberos trust last year makes the implementation far simpler than before.
Reduce Cookie Lifetime
On non-corporate (BYOD) devices, disable browser session persistence (a.k.a. ‘keep me signed in’). This prevents cookies being retained once the browser is closed and reduces the likelihood of cookie theft from the local device cache by malware. Additionally, increase the sign-in frequency on these unmanaged devices to require the user to reauthenticate more often.
Protecting the Crown Jewels
Finally, for access to your crown jewels – we’re talking finance applications and other attractive targets for the bad guys – consider restricting access exclusively to phishing-resistant methods of authentication such as FIDO2 and Windows Hello for Business, from corporate-owned managed devices.
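The three Conditional Access controls described in this post (MFA or a compliant device for everyday apps, no persistent sessions and a shorter sign-in frequency on unmanaged devices, and phishing-resistant authentication from managed devices for the crown jewels), written out as Microsoft Graph `conditionalAccess/policies` objects, with a small toy evaluator that shows which control applies to a given sign-in. This is an added example, not code from the original post or from Microsoft: the finance application id, the one-hour sign-in frequency and the simplified evaluation logic are assumptions made for the example, and the authentication method names are illustrative.

```python
from dataclasses import dataclass

# Built-in "Phishing-resistant MFA" authentication strength id documented by Microsoft.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Constructed placeholder for the finance application's app id; not a real value.
FINANCE_APP_ID = "11111111-2222-3333-4444-555555555555"

# 1. Reducing Azure MFA Prompts: Azure MFA OR an Intune-compliant device satisfies
#    the grant, so users on managed corporate devices are not prompted.
POLICY_MFA_OR_COMPLIANT = {
    "displayName": "All apps: MFA or compliant device",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["all"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

# 2. Reduce Cookie Lifetime: browsers on devices that are NOT compliant never get a
#    persistent session and must re-authenticate hourly (1 hour is an assumed value).
POLICY_UNMANAGED_SESSION = {
    "displayName": "Unmanaged devices: no persistent browser, 1h sign-in frequency",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["browser"],
                   "devices": {"deviceFilter": {"mode": "exclude",
                                                "rule": "device.isCompliant -eq True"}}},
    "sessionControls": {"persistentBrowser": {"isEnabled": True, "mode": "never"},
                        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1}},
}

# 3. Protecting the Crown Jewels: the finance app needs a compliant device AND a
#    phishing-resistant authentication strength (FIDO2 / Windows Hello for Business).
POLICY_CROWN_JEWELS = {
    "displayName": "Finance app: phishing-resistant MFA from a compliant device",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": [FINANCE_APP_ID]},
                   "clientAppTypes": ["all"]},
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                      "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}},
}

ALL_POLICIES = [POLICY_MFA_OR_COMPLIANT, POLICY_UNMANAGED_SESSION, POLICY_CROWN_JEWELS]

# Illustrative method names: which ones this toy counts as MFA / phishing resistant.
MFA_METHODS = {"microsoftAuthenticatorPush", "sms", "fido2", "windowsHelloForBusiness"}
PHISHING_RESISTANT_METHODS = {"fido2", "windowsHelloForBusiness"}


@dataclass(frozen=True)
class SignIn:
    app_id: str
    client_app: str         # "browser" or "mobileAppsAndDesktopClients"
    device_compliant: bool  # Intune compliance as seen by Azure AD
    methods: frozenset      # authentication methods completed, e.g. {"password", "fido2"}


def policy_applies(policy, s):
    """Toy scoping check: application, client app type and the one device filter rule used above."""
    c = policy["conditions"]
    apps = c["applications"]["includeApplications"]
    if apps != ["All"] and s.app_id not in apps:
        return False
    if c["clientAppTypes"] != ["all"] and s.client_app not in c["clientAppTypes"]:
        return False
    flt = c.get("devices", {}).get("deviceFilter")
    if flt:  # only "device.isCompliant -eq True" is modelled here
        matches = s.device_compliant
        if flt["mode"] == "exclude" and matches:
            return False
        if flt["mode"] == "include" and not matches:
            return False
    return True


def grant_satisfied(grant, s):
    """Combine the built-in controls and any authentication strength using the policy's operator."""
    results = []
    for ctl in grant.get("builtInControls", []):
        if ctl == "mfa":
            results.append(bool(s.methods & MFA_METHODS))
        elif ctl == "compliantDevice":
            results.append(s.device_compliant)
        else:
            raise ValueError(f"control not modelled: {ctl}")
    strength = grant.get("authenticationStrength")
    if strength:
        if strength["id"] != PHISHING_RESISTANT_STRENGTH_ID:
            raise ValueError("only the phishing-resistant strength is modelled")
        results.append(bool(s.methods & PHISHING_RESISTANT_METHODS))
    return any(results) if grant["operator"] == "OR" else all(results)


def evaluate(s, policies=ALL_POLICIES):
    """Return (access_granted, names of policies whose grant is unmet, merged session controls)."""
    unmet, session = [], {}
    for p in policies:
        if p["state"] != "enabled" or not policy_applies(p, s):
            continue
        if "grantControls" in p and not grant_satisfied(p["grantControls"], s):
            unmet.append(p["displayName"])
        for name, ctl in p.get("sessionControls", {}).items():
            if ctl.get("isEnabled"):
                session[name] = ctl
    return (not unmet, unmet, session)


if __name__ == "__main__":
    scenarios = {  # constructed sign-ins
        "managed laptop, password only": SignIn("outlook", "browser", True, frozenset({"password"})),
        "BYOD browser, password only": SignIn("outlook", "browser", False, frozenset({"password"})),
        "BYOD browser, Authenticator push": SignIn("outlook", "browser", False,
                                                   frozenset({"password", "microsoftAuthenticatorPush"})),
        "finance app, managed, Authenticator push": SignIn(FINANCE_APP_ID, "browser", True,
                                                            frozenset({"password", "microsoftAuthenticatorPush"})),
        "finance app, managed, FIDO2 key": SignIn(FINANCE_APP_ID, "browser", True, frozenset({"fido2"})),
    }
    for label, s in scenarios.items():
        granted, unmet, session = evaluate(s)
        print(f"{label:42} granted={granted} unmet={unmet} session={sorted(session)}")
```

The policy dictionaries are in the shape the Graph API accepts, so they can be posted as-is (after replacing the placeholder app id) once you have tested them in report-only mode; the evaluator exists only to make the interaction between the three policies visible: a compliant device satisfies the everyday policy without a prompt and is excluded from the short-session policy, an unmanaged browser gets the session restrictions and still needs MFA, and the finance app rejects an Authenticator push from a managed device because only a FIDO2 key or Windows Hello for Business meets the phishing-resistant strength.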
Get in touch with us today for a free M365 health-check, or for a consultant-led in-depth review of your cloud authentication strategy.