
Cyber Security

Office 365 MFA Bypass Attacks

TL;DR

Attackers can sometimes bypass Multi-Factor Authentication (MFA) in Office 365 using a technique called ‘Necrobrowser’. This involves exploiting old, cached browser sessions. We’ll show you how to identify and prevent this.

Understanding the Attack

The Necrobrowser attack works because when users log into Office 365, their session information can be stored in web browsers even after they’ve logged out or changed passwords. If an attacker gains access to a user’s computer (e.g., through malware), they can potentially use these cached sessions to bypass MFA and access the account.

How to Prevent Office 365 MFA Bypass

  1. Enable Conditional Access Policies: This is your strongest defence.
    • Location-based restrictions: Block access from unexpected countries or IP addresses.
    • Device compliance: Require devices to be managed and compliant before granting access.
    • Sign-in risk: Use Microsoft’s sign-in risk detection to challenge users with MFA if their login is considered risky (e.g., unusual location, new device).

    You configure these in the Azure Active Directory portal under Security > Conditional Access.

  2. Regularly Review Sign-in Logs: Look for suspicious activity.
    • Check for logins from unfamiliar locations or devices.
    • Monitor for failed login attempts followed by successful ones (this could indicate an attacker brute-forcing their way in).

    Access sign-in logs in the Azure Active Directory portal under Monitoring > Sign-in Logs.

  3. Implement Browser Session Management: Limit how long sessions remain active.
    • Azure AD session lifetime policies: Configure session timeouts to automatically expire inactive sessions. This reduces the window of opportunity for attackers. You can set different lifetimes for different applications.
  4. Educate Users about Phishing and Malware:
    • Train users to recognise phishing emails and avoid clicking on suspicious links.
    • Encourage the use of strong, unique passwords.
    • Promote good security practices like keeping software up-to-date.
  5. Clear Browser Cache Regularly: While not a complete solution, this can help mitigate the risk.
    • Advise users to clear their browser cache and cookies periodically. The exact steps vary depending on the browser:
      • Chrome: Ctrl+Shift+Delete (or Menu > More tools > Clear browsing data)
      • Firefox: Ctrl+Shift+Delete (or Menu > History > Clear Recent History)
      • Edge: Ctrl+Shift+Delete (or Menu > Settings > Privacy, search and services > Clear browsing data)
  6. Use Passwordless Authentication Methods: Consider alternatives to passwords.
    • Microsoft Authenticator app: Provides a more secure way to verify identity.
    • FIDO2 security keys: Offer the highest level of protection against phishing and account takeover.
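The policy below is an added example (not code from the original post) that puts steps 1 and 3 into a single Conditional Access policy using the Microsoft Graph PowerShell SDK: it requires MFA and a compliant device for all users, re-prompts for authentication every 8 hours, and disables persistent browser sessions, which is the cached session state a Necrobrowser-style reuse depends on. It assumes the Microsoft.Graph module is installed, that the signed-in admin has the Policy.ReadWrite.ConditionalAccess permission, and that $BreakGlassGroupId is replaced with the object ID of your emergency-access group (the GUID shown is a placeholder).

```powershell
# Added example: one Conditional Access policy covering steps 1 and 3 above.
# Not code from the original post. Assumes Microsoft.Graph is installed and
# that $BreakGlassGroupId is replaced with a real group object ID.
Import-Module Microsoft.Graph.Identity.SignIns

# Creating policies needs Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access group

$policy = @{
    displayName = "Require MFA + compliant device, no persistent browser"
    # Report-only first: sign-in logs then show what WOULD have been blocked,
    # so you can check the impact before switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)   # never lock out the break-glass account
        }
        # Persistent-browser control only applies when the policy targets all apps.
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "AND"                       # both controls required, not either
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        # Bound the lifetime of any stolen session: re-authenticate every 8 hours.
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 8 }
        # Drop the session when the browser closes instead of caching it on disk.
        persistentBrowser = @{ isEnabled = $true; mode = "never" }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Run it once, review the "Report-only" column in the sign-in logs for a few days, then switch the state to "enabled" in the portal or with Update-MgIdentityConditionalAccessPolicy. Keeping the break-glass group excluded is what stops a misconfigured device-compliance requirement from locking every administrator out.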

Checking for Compromised Sessions (Advanced)

You can use PowerShell to investigate potentially compromised sessions, though this requires technical expertise. The cmdlet below comes from the AzureADPreview module (run Connect-AzureAD first); the sign-in log filter takes a userPrincipalName, not a userId (which is the object GUID), and app display names are values such as "Office 365 Exchange Online", so a prefix match is used rather than an exact one.

# Requires the AzureADPreview module and an existing Connect-AzureAD session.
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '[email protected]'" | Where-Object {$_.AppDisplayName -like "Office 365*"} | Select-Object UserPrincipalName, AppDisplayName, IPAddress, Location, CreatedDateTime

Replace ‘[email protected]’ with the user account you want to investigate.
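As an added example (not code from the original post), the script below does the same investigation with the Microsoft Graph PowerShell SDK and automates the two checks from step 2: sign-ins from a country the user does not normally work from, and a successful sign-in that follows failed attempts from the same IP address within 30 minutes. It assumes the Microsoft.Graph.Reports module is installed, the AuditLog.Read.All permission, and that $Upn and $KnownCountries are replaced with the account under investigation and its usual countries (the values shown are placeholders).

```powershell
# Added example: sign-in log triage for one account via Microsoft Graph.
# Not code from the original post. $Upn and $KnownCountries are placeholders.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$Upn            = "user@example.invalid"   # placeholder: account to investigate
$KnownCountries = @("GB")                  # placeholder: countries this user normally signs in from
$Days           = 7

# Graph accepts unquoted ISO-8601 datetime literals in $filter.
$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $since"
# -All pages through every result; oldest first keeps the fail-then-success scan simple.
$signins = @(Get-MgAuditLogSignIn -Filter $filter -All | Sort-Object CreatedDateTime)

# Check 1: sign-ins from a country outside the user's normal list.
$unfamiliar = $signins | Where-Object {
    $_.Location.CountryOrRegion -and ($KnownCountries -notcontains $_.Location.CountryOrRegion)
}

# Check 2: a success (Status.ErrorCode 0) preceded within 30 minutes by
# failures from the same IP address.
$suspicious = @()
for ($i = 1; $i -lt $signins.Count; $i++) {
    $cur = $signins[$i]
    if ($cur.Status.ErrorCode -ne 0) { continue }
    $windowStart   = $cur.CreatedDateTime.AddMinutes(-30)
    $priorFailures = @($signins[0..($i - 1)] | Where-Object {
        $_.Status.ErrorCode -ne 0 -and
        $_.IpAddress -eq $cur.IpAddress -and
        $_.CreatedDateTime -ge $windowStart
    })
    if ($priorFailures.Count -gt 0) {
        $suspicious += [pscustomobject]@{
            Time      = $cur.CreatedDateTime
            IpAddress = $cur.IpAddress
            App       = $cur.AppDisplayName
            Failures  = $priorFailures.Count
            LastError = $priorFailures[-1].Status.ErrorCode   # e.g. wrong password vs. MFA denied
        }
    }
}

"Sign-ins from unfamiliar countries (last $Days days):"
$unfamiliar |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed |
    Format-Table

"Successful sign-ins preceded by failures from the same IP:"
$suspicious | Format-Table
```

The LastError column is worth reading: a run of failures ending in success tells you whether the attacker was guessing passwords or already had the password and was being challenged by MFA. If the latter, revoking the user's sessions (Revoke-MgUserSignInSession) and resetting the password are the immediate containment steps, because a cached browser session survives a password change on its own.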
