https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52044#M593 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>I think if you look across the cloud providers, AWS, Azure and GCP:&nbsp; Azure is based on Active Directory and Federation, but if the controls are immature, and attacked, it will fall.&nbsp;</P><P>&nbsp;</P><P>Both AWS and GCP use JSON ,and in particular they are adding "Attributes" which provide far more refined policies specific to a organisations needs and integration requirements.</P><P>&nbsp;</P><P>Yes, Azure needs to make more investment, but this should not be placed on the clients, it should come from the provider.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Tue, 19 Jul 2022 04:11:19 GMT Caute_cautim 2022-07-19T04:11:19Z https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52022#M590 <P>In case you are not aware, there were recent news of attacks bypassing o365 MFA.&nbsp; Microsoft had published a blog to explain the attack below.&nbsp; It seems to suggest the solution is to spend more money to upgrade your Microsoft license to M365 E3/E5 to enable risky sign-in conditional access and subscribe to Microsoft cloud defender?? But why did the company produced a&nbsp; product with serious flaw in the first place?&nbsp; What's your view?</P><P>&nbsp;</P><P><A href="https://www.helpnetsecurity.com/2022/07/13/office-365-phishing-mfa/" target="_blank">Phishers steal Office 365 users' session cookies to bypass MFA, commit payment fraud - Help Net Security</A></P><P>&nbsp;</P><P><A href="https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phish" target="_blank">https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phish</A></P> Sat, 16 Jul 2022 03:43:32 GMT https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52022#M590 CY 2022-07-16T03:43:32Z https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52024#M591 <P>I don't view this as "produced defective product", but rather as an escalation in an ongoing arms-race.&nbsp; As the adversary continues to evolve, so must the defenses.&nbsp;In this particular example, I have to believe that Microsoft is following their own advice and blocking risky access to login.microsoftonline.com itself, beyond just asking customers to beef-up their IdP.&nbsp;&nbsp;</P><P>&nbsp;</P><P>This scenario makes me glad to have defense-in-depth.&nbsp; I have a SAML/MFA provider for authentication, an email filtering service to detect spam/phishes, and a web filter to detect malicious web sites.&nbsp; All three layers are from different manufacturers, and all would need to fail for this particular attack to succeed.</P><P>&nbsp;</P><P>That said, there is also the theory that one should not let a good crisis go to waste.&nbsp; Now that the trade rags have alerted my bosses to weaknesses in the auth layer, it is a&nbsp;good time to propose tweaking up the nerd-knobs on the email and web layers.&nbsp; And who knows, I might just "forget" to turn them back down after MS has deployed their mitigation.</P> Sun, 17 Jul 2022 06:10:13 GMT https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52024#M591 denbesten 2022-07-17T06:10:13Z https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52044#M593 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/311867713">@denbesten</a>I think if you look across the cloud providers, AWS, Azure and GCP:&nbsp; Azure is based on Active Directory and Federation, but if the controls are immature, and attacked, it will fall.&nbsp;</P><P>&nbsp;</P><P>Both AWS and GCP use JSON ,and in particular they are adding "Attributes" which provide far more refined policies specific to a organisations needs and integration requirements.</P><P>&nbsp;</P><P>Yes, Azure needs to make more investment, but this should not be placed on the clients, it should come from the provider.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_Cautim</P> Tue, 19 Jul 2022 04:11:19 GMT https://community.isc2.org/t5/Threats/Microsoft-o365-MFA-not-secured/m-p/52044#M593 Caute_cautim 2022-07-19T04:11:19Z