Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Mandiant Warns Hackers Now Use New Trick to Bypass MFA

Cybersecurity company Mandiant has discovered that hackers are using a new technique to target enterprise networks. The researchers warned that threat actors exploit multifactor authentication (MFA) to gain unauthorized access to dormant Microsoft accounts.

According to cybersecurity researchers at Mandiant, the exploit is being used in hacking campaigns by APT29 to bypass authentication. APT29 is a group of elite hackers working for the Russian Foreign Intelligence Service (SVR). The cybercriminals also operate under the names Cozy Bear, the Dukes, and Nobelium.

Specifically, the APT29 group is abusing the self-enrollment process for MFA in Azure AD and other platforms. The threat actor managed to access a list of emails and guess the password of an account that was initially set up but never used by the employee. The attacker was able to use this dormant account to access the VPN infrastructure of the victim.

“When an organization first enforces MFA, most platforms allow users to enroll their first MFA device at the next login,” Mandiant explained. “In Azure AD and other platform’s default configuration, there are no additional enforcements on the MFA enrollment process. In other words, anyone with knowledge of the username and password can access the account from any location and any device to enroll MFA, so long as they are the first person to do it.”

How to prevent MFA takeover of dormant accounts

Mandiant recommends that organizations must have security measures in place to verify a user’s identity when enrolling a new device. Microsoft recently introduced a feature that lets IT admins configure policies for MFA device enrollment. It can help to block unauthorized users from accessing dormant accounts.

Additionally, businesses can only allow users to complete the MFA enrollment process with trusted devices or enterprise networks. Security teams can also provide temporary passcodes for onboarding new employees or when the MFA device is lost.

by Rabia Noureen
Aug 22, 2022

Rabia comes from a solid IT background and has been writing professionally about Microsoft products and other technology for four years. Rabia has also written for OnMSFT.com as well as Windows Report. She is always up to date on the latest trends in...

How to Properly Secure and Govern Microsoft Entra ID Apps

Oct 19, 2023
Apr 17, 2024
Microsoft Entra ID App Registration and Enterprise App Security Explained

Oct 19, 2023
Apr 17, 2024
How to Use Microsoft 365 Dynamic Groups to Streamline Access Management

Jul 5, 2023
Jul 13, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.