Secure Microsoft 365 Now to Protect Against New MFA Bypass Trick

Cybersecurity company Mandiant has discovered that an elite group of Russian hackers, otherwise known as the APT29 group, is using a new technique to target enterprise networks. The researchers warns that the hackers are exploiting multifactor authentication (MFA) to gain unauthorized access to dormant Microsoft accounts.

Accessing dormant Microsoft 365 accounts

MFA is a security protection used in addition to passwords. It requires users to have something in their possession, usually a verified authenticator device like a security token or authenticator app on a mobile phone. Providing something you have as well as something you know, like a password, considerably reduces the risks of account compromise.

Before a user can use MFA to log into their account, they need to enroll for the service. The APT29 group is abusing the self-enrollment process for MFA in Azure AD, which is the identity management service used by M365 and other online services, and other identity management platforms.

The hackers managed to access a list of emails and guess the passwords of the accounts using a brute force attack. Microsoft’s risky sign-in protections weren’t activated because the hackers are launching the attack from Azure virtual machines, which use a range of IP addresses assigned to Microsoft, using already compromised accounts or purchasing access to the VMs. So, it’s difficult for Microsoft’s detection systems to identify the behaviour as risky.

And because there are no additional enforcements on the MFA enrollment process configured by default, once the hackers know the account password, they are able to configure MFA and log into the account. In short, anybody who manages to get an email address and password can complete MFA enrollment from any location and any device, providing that they are the first person to do it.

Preventing attacks that abuse the MFA self-enrollment feature

While this new type of attack, where hackers use dormant accounts to get access to your organization might seem alarming, there are some things you can do to prevent it.

  1. You can apply a conditional access policy to restrict the registration of MFA devices to only trusted locations or trusted devices. But while MFA can be used to protect accounts on all AAD tiers, conditional access policies are only available to organizations with Premium P1 and P2 subscriptions.
  2. Alternatively, you can also require MFA to enroll MFA. You can get your help desk to issue users with a Temporary Access Pass when they first join. The pass can be used for a limited time to log in, bypass MFA, and register a new MFA device.


Microsoft recommends using MFA. And while, as Mandiant points out, it isn’t a silver bullet, MFA does considerably lower the risk of account compromise. So at the very least, you should make sure your Global Admin accounts are protected with MFA.

And despite these newly discovered attacks, you shouldn’t be put off from enabling MFA for your organization.