In case you are not aware, there were recent news of attacks bypassing o365 MFA. Microsoft had published a blog to explain the attack below. It seems to suggest the solution is to spend more money to upgrade your Microsoft license to M365 E3/E5 to enable risky sign-in conditional access and subscribe to Microsoft cloud defender?? But why did the company produced a product with serious flaw in the first place? What's your view?
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phish
I don't view this as "produced defective product", but rather as an escalation in an ongoing arms-race. As the adversary continues to evolve, so must the defenses. In this particular example, I have to believe that Microsoft is following their own advice and blocking risky access to login.microsoftonline.com itself, beyond just asking customers to beef-up their IdP.
This scenario makes me glad to have defense-in-depth. I have a SAML/MFA provider for authentication, an email filtering service to detect spam/phishes, and a web filter to detect malicious web sites. All three layers are from different manufacturers, and all would need to fail for this particular attack to succeed.
That said, there is also the theory that one should not let a good crisis go to waste. Now that the trade rags have alerted my bosses to weaknesses in the auth layer, it is a good time to propose tweaking up the nerd-knobs on the email and web layers. And who knows, I might just "forget" to turn them back down after MS has deployed their mitigation.
@denbestenI think if you look across the cloud providers, AWS, Azure and GCP: Azure is based on Active Directory and Federation, but if the controls are immature, and attacked, it will fall.
Both AWS and GCP use JSON ,and in particular they are adding "Attributes" which provide far more refined policies specific to a organisations needs and integration requirements.
Yes, Azure needs to make more investment, but this should not be placed on the clients, it should come from the provider.
Regards
Caute_Cautim