Jul 05 2023 02:03 PM
Hi,
We use Microsoft 365 Standard and have enabled Security Defaults ( https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-au... ) so thought that our accounts would be as secure as they could be without Conditional Access.
One of our users was phished and emails were sent from their account. Checking the interactive sign-in logs I can see the attacker attempted to log in from Nigeria (we don't operate from Nigeria) using Chrome on Windows 10 and was denied login due to MFA (which is as expected; partial log shown below).
Date (UTC): 2023-05-10T09:12:20Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Failure reason: Strong Authentication is required
Client app: Browser
Browser: Chrome 112.0.0
Operating System: Windows 10
Multifactor authentication result: User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others
Authentication requirement: Multifactor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD
2 minutes after that attempt the attacker then tried using Safari on iOS 14 and this only asked for single-factor authentication and let them in, which certainly wasn't expected! From there, they were able to monitor the email in this instance and send / modify emails until we detected them and locked them out. It could have been worse; we were lucky this time. The successful (partial) log is shown below:
Date (UTC): 2023-05-10T09:14:27Z
Username: email address removed for privacy reasons
Application: Microsoft Authentication Broker
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Failure reason: Other
Client app: Mobile Apps and Desktop clients
Browser: Mobile Safari 14.1
Operating System: iOS 14
Multifactor authentication result:
Authentication requirement: Single-factor authentication
Sign-in identifier: email address removed for privacy reasons
Token issuer type: Azure AD
I have logged this with Microsoft but all they are concerned with is that the account is now secure, not the fact that, with Security Defaults on, a phished account was accessed without MFA (and from a country we don't operate from).
I have since done some more testing with another account and, after revoking sessions and MFA, they could log in to the same PC they normally use and access www.office.com without MFA prompts, only finally being asked when going into Security Settings in My Account. I can accept that, as the location this was from is the main office, it might be flagged as safe by MS.
So then I used the same account to log in from another client's office not associated with us (using a VM there) and again it was able to log in to www.office.com without any MFA prompts, which again is quite concerning.
I wondered if anyone had any insights into why this might have happened like this? As far as I can see Security Defaults isn't really doing a very good job.
Thanks
Rob
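The pattern Rob's two log extracts show (an MFA-interrupted sign-in, then a single-factor success two minutes later from the same IP on a different client) is easy to miss when scrolling the Entra sign-in report by hand. The script below is an added example, not code from the thread or from Microsoft: it parses records in the key/value layout pasted above and flags successful single-factor sign-ins from countries the tenant does not operate in, successes that follow an MFA challenge (error code 50074, as in the extract) from the same user and IP within a short window, and users who have succeeded but were never asked for a second factor (the gap Dan describes later in the thread). The field names and the Lagos records come from the page; the 203.0.113.x addresses, the usernames and the function names are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the key/value layout pasted in the thread. The two Lagos
# records mirror the ones above; the 203.0.113.x records are made up (TEST-NET-3)
# and the usernames are placeholders.
SAMPLE_LOG = """\
Date (UTC): 2023-05-10T09:12:20Z
Username: user1@example.invalid
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Interrupted
Sign-in error code: 50074
Client app: Browser
Operating System: Windows 10
Authentication requirement: Multifactor authentication

Date (UTC): 2023-05-10T09:14:27Z
Username: user1@example.invalid
IP address: 105.112.183.103
Location: Lagos, Lagos, NG
Status: Success
Sign-in error code:
Client app: Mobile Apps and Desktop clients
Operating System: iOS 14
Authentication requirement: Single-factor authentication

Date (UTC): 2023-05-10T08:00:00Z
Username: user1@example.invalid
IP address: 203.0.113.10
Location: London, England, GB
Status: Success
Sign-in error code:
Client app: Browser
Operating System: Windows 10
Authentication requirement: Single-factor authentication

Date (UTC): 2023-05-10T08:05:00Z
Username: user2@example.invalid
IP address: 203.0.113.11
Location: London, England, GB
Status: Success
Sign-in error code:
Client app: Browser
Operating System: Windows 10
Authentication requirement: Single-factor authentication
"""


def parse_records(text):
    """Split the pasted log into dicts, one per blank-line-separated record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # first colon only; timestamps contain ':'
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def when(rec):
    """Timestamp of a record as an aware UTC datetime."""
    return datetime.strptime(rec["Date (UTC)"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def country(rec):
    """Last comma-separated token of the Location field, e.g. 'NG'."""
    return rec.get("Location", "").rsplit(",", 1)[-1].strip()


def find_suspicious(records, allowed_countries, window=timedelta(minutes=10)):
    """Return (rule, record) pairs for successful sign-ins worth a closer look."""
    challenged = [r for r in records if r.get("Sign-in error code") == "50074"]
    findings = []
    for r in records:
        if r.get("Status") != "Success":
            continue
        single = r.get("Authentication requirement") == "Single-factor authentication"
        if single and country(r) not in allowed_countries:
            findings.append(("single_factor_outside_allowed_countries", r))
        for c in challenged:
            gap = when(r) - when(c)
            same_source = c["Username"] == r["Username"] and c["IP address"] == r["IP address"]
            other_client = (c.get("Client app"), c.get("Operating System")) != (
                r.get("Client app"), r.get("Operating System"))
            if single and same_source and other_client and timedelta(0) <= gap <= window:
                findings.append(("mfa_challenge_then_single_factor_success", r))
                break
    return findings


def users_never_challenged(records):
    """Users with at least one success but no sign-in that ever required MFA."""
    challenged = {r["Username"] for r in records
                  if r.get("Authentication requirement") == "Multifactor authentication"}
    succeeded = {r["Username"] for r in records if r.get("Status") == "Success"}
    return succeeded - challenged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rule, rec in find_suspicious(recs, allowed_countries={"GB"}):
        print(rule, rec["Date (UTC)"], rec["Username"], rec["IP address"], rec["Location"])
    print("never challenged:", sorted(users_never_challenged(recs)))
```

Run against the sample, the 09:14:27 Lagos success is flagged by both rules, while the London successes only show up through the never-challenged check for the second user; the export from the Entra sign-in report can be pasted into the same layout, and the allowed-country set and window are the two knobs to tune for a given tenant.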
Jul 06 2023 01:30 AM
Jul 06 2023 02:58 AM
For MFA, there is still a chance of bypass, such as SMB; please be aware.
Nov 06 2023 12:20 AM
Jan 30 2024 04:22 AM
Apr 15 2024 06:51 PM
@Kat-UK I'm jumping in here too because I have been fighting this myself. I "thought" enabling security defaults would force all users to use MFA for all logins. That appears to not be the case. I help manage several small businesses that have Microsoft 365 Business Standard subscriptions. Over the past few months the admins of those accounts have been notified they needed to turn on Security defaults to protect their users because 99.9% of all compromises could have been prevented with MFA or something like that wording.
They all have enabled security defaults and yes, the admins are all forced through MFA. And yes, all users were forced to enroll in MFA. But in reviewing the login logs (7 day report in Entra) not a single 'normal' user has been forced through the MFA authentication. They all still get the single-authentication path.
Now none of them have the Premium or AAD P1 licenses, so using conditional access isn't an option, so I am assuming they are going to have to use per-user MFA? Seriously, the whole Security Defaults documentation/recommendation stuff is misleading at best and downright confusing in reality.
So I guess at this point the question comes down to "If a customer is only using MS365 Business Standard, to ensure all users must use MFA, is using per user MFA the option they should use?"
Dan