Microsoft 365


Active Directory


Windows Server


Chance to win $250 in Petri 2023 Audience Survey


This Week in IT

Secure Microsoft 365 Now to Protect Against New MFA Bypass Trick

Russell Smith


Cybersecurity company Mandiant has discovered that an elite group of Russian hackers, otherwise known as the APT29 group, is using a new technique to target enterprise networks. The researchers warns that the hackers are exploiting multifactor authentication (MFA) to gain unauthorized access to dormant Microsoft accounts.

Accessing dormant Microsoft 365 accounts

MFA is a security protection used in addition to passwords. It requires users to have something in their possession, usually a verified authenticator device like a security token or authenticator app on a mobile phone. Providing something you have as well as something you know, like a password, considerably reduces the risks of account compromise.

Before a user can use MFA to log into their account, they need to enroll for the service. The APT29 group is abusing the self-enrollment process for MFA in Azure AD, which is the identity management service used by M365 and other online services, and other identity management platforms.

The hackers managed to access a list of emails and guess the passwords of the accounts using a brute force attack. Microsoft’s risky sign-in protections weren’t activated because the hackers are launching the attack from Azure virtual machines, which use a range of IP addresses assigned to Microsoft, using already compromised accounts or purchasing access to the VMs. So, it’s difficult for Microsoft’s detection systems to identify the behaviour as risky.

And because there are no additional enforcements on the MFA enrollment process configured by default, once the hackers know the account password, they are able to configure MFA and log into the account. In short, anybody who manages to get an email address and password can complete MFA enrollment from any location and any device, providing that they are the first person to do it.

Preventing attacks that abuse the MFA self-enrollment feature

While this new type of attack, where hackers use dormant accounts to get access to your organization might seem alarming, there are some things you can do to prevent it.

  1. You can apply a conditional access policy to restrict the registration of MFA devices to only trusted locations or trusted devices. But while MFA can be used to protect accounts on all AAD tiers, conditional access policies are only available to organizations with Premium P1 and P2 subscriptions.
  2. Alternatively, you can also require MFA to enroll MFA. You can get your help desk to issue users with a Temporary Access Pass when they first join. The pass can be used for a limited time to log in, bypass MFA, and register a new MFA device.


Microsoft recommends using MFA. And while, as Mandiant points out, it isn’t a silver bullet, MFA does considerably lower the risk of account compromise. So at the very least, you should make sure your Global Admin accounts are protected with MFA.

And despite these newly discovered attacks, you shouldn’t be put off from enabling MFA for your organization.

More in This Week in IT

Tauri logo

Is Tauri the Future of Cross-Platform Apps?

Feb 3, 2023 | Russell Smith

Windows 11

What Users Really Think About Windows 11

Jan 27, 2023 | Russell Smith


The Darkside of ChatGPT

Jan 20, 2023 | Russell Smith

Network Security

Windows 12 - A.I. Is Going To Reinvent Everything You Do

Jan 13, 2023 | Russell Smith

Microsoft Edge

Open Tab Overload? Here's How to Conquer It

Jan 6, 2023 | Russell Smith

This Week in IT Episode 48

Tech Year in Review - The Best and Worst of 2022

Dec 28, 2022 | Russell Smith

Most popular on petri

Article saved!

Access saved content from your profile page. View Saved