Forum Discussion
O365 email account compromised despite MFA
Hi all,
So one of my users clicked on a link in a suspicious email. A few days later emails were being sent out to all contacts from their account.
Azure sign-in logs showed that access was from a completely different country/continent. The Authentication requirement said 'Multifactor Authentication', the 'Status' said interrupted.
My question is how, despite getting access, could they bypass authentication? Nothing came through his authenticator app at any point. The machine is clean of anything malicious on it.
Thank you.
You may want to check your Conditional Access rules. Btw, some kinds of access do not require MFA, such as SMB.
SlevinKelevra, recently attackers are able to steal a token; by hijacking or replaying it, they can impersonate their victim until the token expires or is revoked, and in this way they can bypass MFA. Microsoft recently introduced token protection to protect your users from having MFA bypassed.
Check the link below to learn how to configure it step by step:
Token protection in Azure AD Conditional Access - Microsoft Entra | Microsoft Learn
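The token replay described in the reply above leaves a recognisable pattern in sign-in logs: a successful sign-in whose MFA requirement was met by a claim already in the token, from a country where that user never completed an MFA prompt. The following is an added example, not part of the original thread, that applies this heuristic to constructed records; the record keys, the detail strings and the sample values are assumptions to adapt to your own log export.

```python
from collections import defaultdict

# Detail strings assumed to match the sign-in log's "additional details" text.
MFA_DONE = "MFA completed in Azure AD"
MFA_BY_CLAIM = "MFA requirement satisfied by claim in the token"

# Constructed sample records, not real log data. Keys are simplified,
# hypothetical names for fields of an exported sign-in log.
# error_code 0 = success; any non-zero code = sign-in did not succeed.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-01-10T08:00:00Z", "country": "GB",
     "ip": "198.51.100.10", "error_code": 0, "detail": MFA_DONE},
    {"user": "alice@example.com", "time": "2024-01-11T09:30:00Z", "country": "GB",
     "ip": "198.51.100.10", "error_code": 0, "detail": MFA_BY_CLAIM},
    {"user": "alice@example.com", "time": "2024-01-12T03:14:00Z", "country": "ZZ",
     "ip": "203.0.113.77", "error_code": 50074, "detail": ""},
    {"user": "alice@example.com", "time": "2024-01-12T03:15:00Z", "country": "ZZ",
     "ip": "203.0.113.77", "error_code": 0, "detail": MFA_BY_CLAIM},
    {"user": "bob@example.com", "time": "2024-01-10T10:00:00Z", "country": "US",
     "ip": "192.0.2.20", "error_code": 0, "detail": MFA_DONE},
    {"user": "bob@example.com", "time": "2024-01-12T11:00:00Z", "country": "US",
     "ip": "192.0.2.20", "error_code": 0, "detail": MFA_BY_CLAIM},
]


def suspicious_token_use(records):
    """Return successful claim-satisfied sign-ins from a country where the
    same user has no completed MFA prompt in the supplied records."""
    # Pass 1: countries in which each user actually answered an MFA prompt.
    mfa_countries = defaultdict(set)
    for r in records:
        if r["error_code"] == 0 and r["detail"] == MFA_DONE:
            mfa_countries[r["user"]].add(r["country"])

    # Pass 2: successes that relied on an MFA claim carried in the token,
    # seen from a country outside that set.
    hits = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["error_code"] != 0 or r["detail"] != MFA_BY_CLAIM:
            continue
        if r["country"] not in mfa_countries[r["user"]]:
            hits.append((r["user"], r["time"], r["country"], r["ip"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_token_use(SIGNINS):
        print("review:", hit)
```

A user whose last MFA prompt predates the log window, or who is travelling, will also be flagged, so treat hits as leads to review and follow a confirmed one by revoking the user's sessions.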