Enable that MF-ing MFA: 1.2 million Azure Active Directory accounts compromised every month, reckons Microsoft

'Really high number' could be fixed by using multi-factor authentication

Microsoft reckons 0.5 per cent of Azure Active Directory accounts as used by Office 365 are compromised every month.

The Windows giant's director of identity security, Alex Weinert, and IT identity and access program manager Lee Walker revealed the figures at the RSA conference last month in San Francisco.

"About a half of a per cent of the enterprise accounts on our system will be compromised every month, which is a really high number. If you have an organisation of 10,000 users, 50 will be compromised each month," said Weinert.

It is an astonishing and disturbing figure. Account compromise means that a malicious actor or script has some access to internal resources, though the degree of compromise is not stated. The goal could be as simple as sending out spam or, more seriously, stealing secrets and trying to escalate access.

Password spray attacks account for 40% of compromised accounts

How do these attacks happen? About 40 per cent are what Microsoft calls password spray attacks. Attackers take a list of usernames and try each of them against a small set of statistically probable passwords, such as "123" or "p@ssw0rd", spreading the guesses across many accounts so that no single account trips a lockout. Most attempts fail but some succeed. A further 40 per cent are password replay attacks, where attackers mine credentials from data breaches of other services on the assumption that many people reuse passwords, including their enterprise passwords, on non-enterprise sites. That leaves 20 per cent for other kinds of attacks such as phishing.
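As an added example (not code from the article or from Microsoft), here is how a defender would pick a spray out of Azure AD sign-in logs: one source failing against many distinct accounts with only a few attempts each, and, more urgently, the accounts on which the spray then landed. The record fields and error codes follow the Microsoft Graph signIn resource as assumed in the comments; the sample log lines are constructed.

```python
"""Flag password-spray sources in Azure AD sign-in records.

Added example (not code from the article or from Microsoft). Record fields
mirror the Microsoft Graph signIn resource: userPrincipalName, ipAddress,
createdDateTime and status.errorCode. The code values assumed here are
0 = success and 50126 = invalid username or password; check them against
your own tenant's logs. The sample records are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS = 0
INVALID_PASSWORD = 50126

# Constructed sample: 203.0.113.7 tries one password against six accounts in
# half an hour and lands on frank's; 198.51.100.20 is an office NAT where two
# users mistype their own passwords before signing in normally.
SAMPLE_SIGNINS = """
{"userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:00:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:05:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:10:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"dave@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:15:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"erin@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:20:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"frank@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:25:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"frank@example.com","ipAddress":"203.0.113.7","createdDateTime":"2020-03-02T03:40:00Z","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","createdDateTime":"2020-03-02T08:00:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","createdDateTime":"2020-03-02T08:01:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","ipAddress":"198.51.100.20","createdDateTime":"2020-03-02T08:02:00Z","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","createdDateTime":"2020-03-02T08:30:00Z","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","ipAddress":"198.51.100.20","createdDateTime":"2020-03-02T08:31:00Z","status":{"errorCode":0}}
"""


def parse_signins(jsonl):
    """Parse one JSON sign-in record per line into plain dicts."""
    records = []
    for line in jsonl.strip().splitlines():
        r = json.loads(line)
        records.append({
            "user": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "time": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            "code": r["status"]["errorCode"],
        })
    return records


def find_spray_sources(records, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Return {ip: {"users": n, "hits": [upn, ...]}} for sources that look like sprayers.

    A spray is one source failing against many distinct accounts with only a
    few attempts each: the attacker avoids lockout by spreading guesses across
    users. A real user mistyping repeatedly from a shared NAT is not counted
    because that account's attempt count exceeds max_per_user. "hits" are the
    accounts that later signed in successfully from the same source, i.e. the
    sprays that landed and need a password reset and investigation.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        failures = [e for e in events if e["code"] == INVALID_PASSWORD]
        best = 0
        start = 0
        for end in range(len(failures)):  # sliding time window over the failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in failures[start:end + 1]:
                per_user[e["user"]] += 1
            low_and_slow = sum(1 for n in per_user.values() if n <= max_per_user)
            best = max(best, low_and_slow)
        if best >= min_users:
            hits = sorted({e["user"] for e in events if e["code"] == SUCCESS})
            flagged[ip] = {"users": best, "hits": hits}
    return flagged


if __name__ == "__main__":
    print(json.dumps(find_spray_sources(parse_signins(SAMPLE_SIGNINS)), indent=2))
```

The thresholds are deliberately conservative; tune `min_users` and `window` to the tenant's size, and treat a non-empty `hits` list as an incident rather than a statistic, since a replayed or sprayed password that worked is exactly the compromise Microsoft is counting.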

The key point, though, is that if an account is compromised, said Weinert, "there's a 99.9 per cent chance that it did not have MFA [Multi Factor Authentication]". MFA is where at least one additional factor is required at sign-in beyond the password, such as a code from an authenticator application or a text message to a mobile phone. It is also possible (and preferable) to use FIDO2 security keys, a feature now in preview for Azure AD. Even just disabling legacy authentication helps, with a 67 per cent reduction in the likelihood of compromise.

MFA is only possible with what Microsoft calls modern authentication, which is built on OAuth 2.0: the client obtains a token from Azure AD, and that token issuance is the step at which a second factor, or a Conditional Access policy, can be demanded. Legacy authentication, used by older mail protocols such as SMTP, sends only a username and password with the request, so there is no point at which a second factor can be required. Even when the credentials are sent over an encrypted connection, an account that accepts legacy authentication is exposed to the spray and replay attacks described above.

SMTP-enabled users have the highest chance of being compromised

Microsoft was able to correlate account compromises with the protocols for which a user has legacy authentication enabled. If SMTP is enabled, the chance of being compromised rises to 7 per cent, RSA attendees were told.

How many users have MFA enabled? Weinert and Walker said the global adoption rate is currently around 11 per cent, accounting for the high rate of account compromise.

Disable legacy authentication, break stuff

The solution seems simple: disable legacy authentication for all users. Microsoft itself set out to do this for its own employees in September 2018. A test with a small number of users was successful, so for the next phase of the rollout it disabled legacy authentication for its entire sales team, around 60,000 users. "In the middle of the night we started getting calls," the speakers said.

The problem turned out to be a telesales application which had a backend component using a single account. The login for this component used legacy authentication. The result was to break the application for everyone, causing serious business disruption, defined within the company as a "severity 1" meltdown. The new policy was rolled back.

The team started to keep a 90-day sign-in history to identify legacy authentication logins. They discovered an array of tools and utilities that still depended on it. Even the tools used to build Windows and Office depended on legacy authentication. They began the slow process of identifying the owners of these tools and working with them to update the authentication. By March 2019 they had turned off legacy authentication for 94 per cent of users, and the figure is nearer 100 per cent today. According to Weinert and Walker, who showed live monitoring graphs, Microsoft receives 1.5 million attempted legacy authentication logins every day, which are now blocked.
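An added example of the sign-in-history review described above, not Microsoft's own tooling and not code from the article. It assumes a JSON-lines export of Azure AD sign-in records carrying the Graph `clientAppUsed` field, and that only "Browser" and "Mobile Apps and Desktop clients" count as modern authentication, every other value being legacy; the export below is constructed and includes a service account of the kind that broke Microsoft's telesales application.

```python
"""Inventory legacy-authentication sign-ins from an Azure AD sign-in export.

Added example (not Microsoft's tooling and not code from the article). It
assumes the Microsoft Graph signIn fields userPrincipalName, appDisplayName,
clientAppUsed, userAgent, createdDateTime, ipAddress and status.errorCode,
and that the clientAppUsed values "Browser" and "Mobile Apps and Desktop
clients" are the modern-authentication clients while every other value
(IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...)
is legacy; confirm that against current Azure AD documentation. The sample
export is constructed.
"""
import json

MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
SUCCESS = 0

# Constructed sample: a backend service account doing SMTP, one user still on
# IMAP, a phone on ActiveSync, and an outside source failing against alice
# over IMAP (failed legacy attempts are the ones a block would simply drop).
SAMPLE_EXPORT = """
{"userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","userAgent":"Mozilla/5.0 (Windows NT 10.0)","createdDateTime":"2020-03-02T09:00:00Z","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Browser","userAgent":"Mozilla/5.0 (Windows NT 10.0)","createdDateTime":"2020-03-02T09:05:00Z","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","userAgent":"Thunderbird/68.6.0","createdDateTime":"2020-03-02T09:06:00Z","ipAddress":"198.51.100.20","status":{"errorCode":0}}
{"userPrincipalName":"svc-telesales@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","userAgent":"TelesalesBackend/2.1","createdDateTime":"2020-03-02T01:00:00Z","ipAddress":"10.20.0.5","status":{"errorCode":0}}
{"userPrincipalName":"svc-telesales@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","userAgent":"TelesalesBackend/2.1","createdDateTime":"2020-03-02T02:00:00Z","ipAddress":"10.20.0.5","status":{"errorCode":0}}
{"userPrincipalName":"svc-telesales@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Authenticated SMTP","userAgent":"TelesalesBackend/2.1","createdDateTime":"2020-03-02T03:00:00Z","ipAddress":"10.20.0.5","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"Exchange ActiveSync","userAgent":"Apple-iPhone11C2/1703.1","createdDateTime":"2020-03-02T07:30:00Z","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","userAgent":"BAV2ROPC","createdDateTime":"2020-03-02T04:10:00Z","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"userPrincipalName":"alice@example.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","userAgent":"BAV2ROPC","createdDateTime":"2020-03-02T04:12:00Z","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
"""


def parse_export(jsonl):
    """Parse one JSON sign-in record per line into plain dicts."""
    recs = []
    for line in jsonl.strip().splitlines():
        r = json.loads(line)
        recs.append({
            "user": r["userPrincipalName"].lower(),
            "app": r["appDisplayName"],
            "client": r["clientAppUsed"],
            "ua": r.get("userAgent", ""),
            "ip": r["ipAddress"],
            "time": r["createdDateTime"],  # ISO-8601 UTC, so lexical order is time order
            "code": r["status"]["errorCode"],
        })
    return recs


def is_legacy(client_app_used):
    return client_app_used not in MODERN_CLIENTS


def legacy_inventory(records):
    """Successful legacy sign-ins grouped by (user, protocol, app): what a block will break.

    Each entry needs an owner who can move the client to modern authentication
    before the block is enforced. Sorted busiest first.
    """
    inv = {}
    for r in records:
        if r["code"] != SUCCESS or not is_legacy(r["client"]):
            continue
        entry = inv.setdefault((r["user"], r["client"], r["app"]),
                               {"count": 0, "last_seen": "", "user_agents": set(), "sources": set()})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], r["time"])
        entry["user_agents"].add(r["ua"])
        entry["sources"].add(r["ip"])
    return dict(sorted(inv.items(), key=lambda kv: -kv[1]["count"]))


def legacy_free_share(records):
    """Fraction of active users whose successful sign-ins were all modern (Microsoft's '94 per cent')."""
    active = {r["user"] for r in records if r["code"] == SUCCESS}
    on_legacy = {r["user"] for r in records if r["code"] == SUCCESS and is_legacy(r["client"])}
    return (len(active) - len(on_legacy)) / len(active) if active else 1.0


def failed_legacy_attempts(records):
    """Failed legacy sign-ins: the traffic that a block turns into harmless noise."""
    return sum(1 for r in records if r["code"] != SUCCESS and is_legacy(r["client"]))


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for (user, client, app), e in legacy_inventory(recs).items():
        print(f"{e['count']:5d}  {user:28s} {client:22s} last {e['last_seen']}  agents={sorted(e['user_agents'])}")
    print(f"users with no legacy sign-ins: {legacy_free_share(recs):.0%}; "
          f"failed legacy attempts: {failed_legacy_attempts(recs)}")
```

Run it against a real 90-day export and the top of the inventory is the list of application owners to go and find; a single account with a steady count from one internal address and a non-browser user agent, like the constructed `svc-telesales` entry, is the backend component that will page you at 3am if it is not migrated or excluded first.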

What's next for the rest of us?

The statistics are compelling. Disabling legacy authentication and enforcing MFA looks like a wise move for any organisation that cares about security. It is hard, though, as Microsoft's own experience shows. Fixing applications is problematic, particularly since you may not have the code. It is also a little more complex for developers, requiring a token exchange in place of simply submitting username and password. Note too that the most common attacks, spray and replay, can be prevented simply by using long, unique and unguessable passwords, though that relies on every user doing so and does nothing against the remaining 20 per cent such as phishing.

At RSA, Microsoft showed tools for disabling legacy authentication and enforcing MFA in Azure AD. The key settings are in the Conditional Access section of Azure AD, where you can set policies. A new feature in preview is to set a policy to report-only. This means that the policy is not enforced, but you get a log of sign-ins that would have failed, so you can fix them without business disruption.
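An added example, not Microsoft's code and not from the article, of that policy expressed as a Microsoft Graph Conditional Access request, with a lint pass for the mistakes Microsoft's own rollout illustrates: going straight to enforcement instead of report-only, and blocking accounts (emergency-access accounts, not-yet-migrated service accounts) that needed excluding first. The Graph field and value names are as this editor understands the conditionalAccessPolicy schema and should be checked against the current reference; the excluded object ID is a placeholder.

```python
"""Build and sanity-check a Conditional Access policy that blocks legacy authentication.

Added example, not Microsoft's code and not from the article. The structure
follows the Microsoft Graph conditionalAccessPolicy resource as assumed here
(state values "enabled" / "disabled" / "enabledForReportingButNotEnforced",
clientAppTypes "exchangeActiveSync" and "other" for the legacy clients,
builtInControls "block"); verify against the current Graph reference before
posting. Object IDs passed as exclusions are placeholders.
"""
import copy
import json

GRAPH_CA_ENDPOINT = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def build_block_legacy_auth_policy(display_name, report_only=True, excluded_users=()):
    """Policy body: all users, all apps, legacy client types only, grant control = block."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY if report_only else "enabled",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return the mistakes that turn a rollout into a severity-1 night."""
    problems = []
    if policy["state"] == "enabled":
        problems.append("state is enabled: start in report-only and review the sign-in log first")
    if not policy["conditions"]["users"].get("excludeUsers"):
        problems.append("no excluded users: emergency-access accounts and unmigrated service accounts will be locked out")
    if not LEGACY_CLIENT_TYPES.issubset(policy["conditions"]["clientAppTypes"]):
        problems.append("clientAppTypes does not cover both exchangeActiveSync and other, so some legacy clients pass")
    if "block" not in policy["grantControls"].get("builtInControls", []):
        problems.append("grant control is not block")
    return problems


def promote_to_enforced(policy):
    """Copy of a report-only policy switched to enforcement; refuses if lint still complains."""
    problems = [p for p in lint_policy(policy) if not p.startswith("state is enabled")]
    if problems:
        raise ValueError("; ".join(problems))
    enforced = copy.deepcopy(policy)
    enforced["state"] = "enabled"
    return enforced


def graph_request(policy):
    """(method, url, json body) for creating the policy; the caller supplies the bearer token."""
    return ("POST", GRAPH_CA_ENDPOINT, json.dumps(policy))


if __name__ == "__main__":
    # Placeholder object ID standing in for an emergency-access (break-glass) account.
    policy = build_block_legacy_auth_policy(
        "Block legacy authentication",
        excluded_users=["00000000-0000-0000-0000-000000000001"],
    )
    print("lint:", lint_policy(policy) or "ok")
    method, url, body = graph_request(policy)
    print(method, url)
    print(body)
```

The sequence is: post it in report-only, let it sit long enough to cover monthly and quarterly jobs, work the "would have failed" sign-ins down to zero or to explicit exclusions, then call `promote_to_enforced`. The excluded service accounts are the next thing to migrate, not a permanent state; an excluded account that still accepts a username and password is still exposed to the 7 per cent figure above.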

Basic security defaults can be set without Azure AD Premium

There is a snag. Conditional Access policies are a feature of Azure AD Premium, at extra cost, so many organisations cannot use them. For them, Microsoft offers a feature called "security defaults", found in the Properties section of the Azure AD dashboard. When enabled, this enforces use of the Microsoft Authenticator app for iOS or Android and disables legacy authentication. It is enabled by default in Office 365 tenants created after October 22, 2019. It is all or nothing, however, and if you move to Conditional Access policies instead, you have to disable security defaults first.

From October 2020, Microsoft is disabling legacy authentication in Exchange, which will also break some applications, but may also give organisations a nudge towards MFA.

The bottom line is that any organisation tolerating an account compromise rate of 0.5 per cent a month or more is a long way from where it should be regarding security. Disabling legacy authentication helps and enforcing MFA helps even more. ®


Biting the hand that feeds IT © 1998–2022