Forum Discussion
O365 MFA Mobile App Security Concern
- Feb 02, 2018
I agree that if a user is tricked into giving away their password, it is likely that the same user could also be duped into happily pressing a button on their phone, especially if the memo from IT says "you will soon receive a pop-up box on your phone, don't worry, that's just us, please authorize that." Sigh.
Here are some things that may help you:
1) In the MFA service settings page, uncheck the option for "Notification through mobile app", leaving only "text message to phone" or "Verification code from mobile app":
https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
2) Consider investing in an Azure AD Premium P1 license, as this provides an additional conditional access feature where you can block users who are not domain joined, or are not enrolled in Intune... You can also implement IP Fencing rules to block countries that you don't do business with. For example, a lot of phishing is originating from IP addresses associated with Nigeria, so you could block all IPs from logging in from that country.
3) Simulate phishing attacks then follow up with user training
Interesting points you raise. Though I haven't tested the specific steps you mention, it sounds plausible, though it relies on the account's password being compromised beforehand, as you mentioned, for the user to follow through and approve the MFA prompt.
User education is important; part of the rollout could tackle the scenario of looking out for unexpected MFA prompts. Also, there is the option of https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#fraud-alert, though I have only seen that working via phone call. MFA is great, but it's not a panacea; for example, it won't particularly help with Illicit Consent Grants, a threat highlighted recently.
Good practice would also be to make use of https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-azure-portal (users flagged for risk and risky sign-ins). An upcoming feature of Secure Score will allow you to test users, simulating a phishing attack, and more besides.
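As an added example, not code from either poster: a small Python check over constructed, Azure AD-style sign-in records that surfaces the two things recommended in this thread, bursts of mobile-app push prompts that a user should treat as unexpected, and sign-ins from outside a country allowlist (the IP fencing idea). The record field names, the burst threshold and the allowlist are assumptions, not a real log export.

```python
# Added example (not from the thread): flag the two warning signs discussed above
# in Azure AD-style sign-in records; field names are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"GB", "US"}  # assumption: countries the business operates in
PUSH = "Mobile app notification"


def rec(user, time, ip, country, result, method=PUSH):
    return {"user": user, "time": time, "ip": ip, "country": country,
            "method": method, "result": result}


# Constructed sample: alice is pushed four times in five minutes from an address in
# a non-allowlisted country (RFC 5737 documentation IPs); bob gets one normal prompt.
SIGNINS = [
    rec("alice@example.com", "2018-02-02T09:00:00", "203.0.113.7", "NG", "timeout"),
    rec("alice@example.com", "2018-02-02T09:01:30", "203.0.113.7", "NG", "denied"),
    rec("alice@example.com", "2018-02-02T09:03:00", "203.0.113.7", "NG", "timeout"),
    rec("alice@example.com", "2018-02-02T09:04:45", "203.0.113.7", "NG", "approved"),
    rec("bob@example.com", "2018-02-02T09:02:00", "198.51.100.9", "GB", "approved"),
]


def push_bursts(signins, window=timedelta(minutes=10), threshold=3):
    """{user: prompts in densest window} for users pushed >= threshold times
    within `window`; repeated unsolicited pushes are the 'unexpected prompt'."""
    by_user = defaultdict(list)
    for r in signins:
        if r["method"] == PUSH:
            by_user[r["user"]].append(datetime.fromisoformat(r["time"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


def out_of_region(signins, allowed=ALLOWED_COUNTRIES):
    """Distinct (user, ip, country) sign-ins from outside the allowlist (IP fencing)."""
    return sorted({(r["user"], r["ip"], r["country"])
                   for r in signins if r["country"] not in allowed})


def approved_in_burst(signins, bursts):
    """Burst users with an approved push: treat as compromise and revoke sessions."""
    return sorted({r["user"] for r in signins if r["user"] in bursts
                   and r["method"] == PUSH and r["result"] == "approved"})
```

A burst that ends in an approval is the case the first reply warns about (the user pressed the button), so it belongs in the incident queue rather than in an awareness email.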