O365 MFA Bypassed via Trusted IP Addition
An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.
Attackers can weaken an organization's security by adding new IP addresses to the trusted IPs list in Office 365. Trusted IPs exempt every sign-in from the listed ranges from the second factor, so an attacker who adds their own egress range (or an over-broad one) can sign in with stolen credentials and never see an MFA prompt, gaining unauthorized access to sensitive resources and systems. This technique circumvents a critical security control designed to protect against credential compromise. The change is typically made after initial access has been gained through other means, such as phishing or credential stuffing, and it also functions as persistence: the trusted range stays in place after the compromised password is reset, so the attacker keeps MFA-free access until the configuration itself is reverted. Defenders should monitor changes to trusted IP configurations and investigate any unauthorized modifications promptly.
Attack Chain
- The attacker gains initial access to an account with sufficient privileges, possibly via credential compromise or phishing.
- The attacker authenticates to the Office 365 portal using the compromised credentials.
- The attacker navigates to the Azure Active Directory admin center.
- The attacker adds a new trusted IP range to the tenant's MFA trusted IP configuration. Azure AD records this in the O365 management activity logs as a change to the StrongAuthenticationPolicy property: the record's ModifiedProperties{}.Name is StrongAuthenticationPolicy and its ModifiedProperties{}.NewValue contains the newly trusted IP address range.
- The attacker uses a device within the newly trusted IP range to authenticate to Office 365 services.
- MFA is bypassed, granting the attacker access to sensitive data and systems within the organization.
Impact
Successful exploitation of this technique can lead to significant damage. Attackers can gain unauthorized access to sensitive information, potentially leading to data breaches, financial losses, and reputational damage. By bypassing MFA, attackers can move laterally within the organization’s cloud environment, compromising additional accounts and resources. The number of affected users and the severity of the impact depend on the scope of access granted to the compromised account. Organizations in all sectors that rely on Office 365 are potentially vulnerable.
Recommendation
- Ingest the O365 management activity (Azure AD audit) logs, for example with the Splunk Microsoft Office 365 add-on; the detections depend on the ModifiedProperties fields of these records.
- Deploy the provided Sigma rule to detect suspicious modifications to trusted IP addresses in O365.
- Investigate any alerts generated by the Sigma rule, focusing on the user who made the change (user) and the IP range that was added (ip_addresses_new_added); confirm with the change owner that the range is a known corporate egress before closing the alert.
- Review existing Conditional Access policies and trusted IP configurations to ensure they align with security best practices.
- Implement stricter monitoring and alerting for administrative accounts to detect unauthorized changes to security configurations.
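Worked detection logic for the attack chain above and for the triage step in these recommendations, written as an added example rather than either of the page's own rules: it walks O365 Management Activity records, isolates ModifiedProperties entries whose Name is StrongAuthenticationPolicy, diffs the IP ranges found in OldValue against NewValue, and emits an alert carrying user and ip_addresses_new_added. The sample records, the <TrustedIps> markup inside the policy value and the KNOWN_CORPORATE_EGRESS allowlist are constructed for this example; the parser only assumes that the new range appears in NewValue as dotted-quad text, not any particular XML layout.

```python
"""Added example: flag trusted IP ranges added to the Office 365 / Azure AD MFA policy.

Input is a list of O365 Management Activity audit records. Only ModifiedProperties
entries with Name == "StrongAuthenticationPolicy" are examined; a range counts as
added when it appears in NewValue but not in OldValue, so a removal or a reordering
of existing ranges does not alert.
"""
import ipaddress
import json
import re
from typing import Any, Dict, Iterable, List, Set

# IPv4 address with optional CIDR prefix. The look-arounds stop the pattern from
# matching inside longer dotted numbers such as a version string "1.2.3.4567".
_CIDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])")

# Assumption for the example: ranges the organisation has approved as MFA-exempt
# egress. A real deployment would load this from a CMDB or an allowlist file.
KNOWN_CORPORATE_EGRESS = [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("203.0.113.0/24")]


def _event(user: str, client_ip: str, name: str, old: Any, new: Any) -> Dict[str, Any]:
    """Build a constructed record in the O365 Management Activity shape."""
    return {"Operation": "Set Company Information.", "UserId": user, "ClientIP": client_ip,
            "ModifiedProperties": [{"Name": name, "OldValue": old, "NewValue": new}]}


POLICY = "<Policy><TrustedIps>{}</TrustedIps></Policy>"  # invented markup for the example
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # a new public range is appended: the MFA-bypass case this page describes
    _event("admin@contoso.example", "198.51.100.77", "StrongAuthenticationPolicy",
           POLICY.format("10.0.0.0/8"), POLICY.format("10.0.0.0/8;198.51.100.0/24")),
    # a range is removed: this tightens the policy and must not alert
    _event("admin@contoso.example", "203.0.113.10", "StrongAuthenticationPolicy",
           POLICY.format("10.0.0.0/8;198.51.100.0/24"), POLICY.format("10.0.0.0/8")),
    # same operation, different property: skipped by the Name filter
    _event("admin@contoso.example", "203.0.113.10", "Included Updated Properties",
           "", "StrongAuthenticationPolicy"),
    # first-time setting (OldValue is None) that trusts the whole Internet
    _event("svc-helpdesk@contoso.example", "198.51.100.77", "StrongAuthenticationPolicy",
           None, POLICY.format("0.0.0.0/0")),
    # an addition inside approved corporate egress: still alerts, at lower severity
    _event("netops@contoso.example", "203.0.113.10", "StrongAuthenticationPolicy",
           POLICY.format("10.0.0.0/8"), POLICY.format("10.0.0.0/8;203.0.113.0/25")),
]


def extract_ranges(value: Any) -> Set[ipaddress.IPv4Network]:
    """Every IPv4 range found in a policy value; a bare address becomes a /32."""
    found: Set[ipaddress.IPv4Network] = set()
    if not value:  # OldValue is None (or empty) on a first-time change
        return found
    for addr, prefix in _CIDR_RE.findall(str(value)):
        try:
            found.add(ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False))
        except ValueError:  # octet > 255 or prefix > 32: not an address after all
            continue
    return found


def trusted_ips_added(event: Dict[str, Any]) -> List[str]:
    """Ranges present in NewValue but absent from OldValue, across every
    ModifiedProperties{}.Name == StrongAuthenticationPolicy entry of one record."""
    added: Set[ipaddress.IPv4Network] = set()
    for prop in event.get("ModifiedProperties") or []:
        if prop.get("Name") != "StrongAuthenticationPolicy":
            continue
        added |= extract_ranges(prop.get("NewValue")) - extract_ranges(prop.get("OldValue"))
    return sorted(str(net) for net in added)


def is_approved(cidr: str) -> bool:
    """True when the range lies entirely inside a known corporate egress range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(known) for known in KNOWN_CORPORATE_EGRESS)


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One alert per record that widens the trusted IP list. Additions outside the
    approved egress (0.0.0.0/0 included) are critical; approved additions still alert,
    because the change itself is what the recommendations ask an analyst to review."""
    alerts: List[Dict[str, Any]] = []
    for event in events:
        added = trusted_ips_added(event)
        if not added:
            continue
        unapproved = [cidr for cidr in added if not is_approved(cidr)]
        alerts.append({
            "user": event.get("UserId"),
            "source_ip": event.get("ClientIP"),
            "operation": event.get("Operation"),
            "ip_addresses_new_added": added,
            "unapproved_ranges": unapproved,
            "severity": "critical" if unapproved else "high",
        })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Diffing OldValue against NewValue is the point of the example: a rule that fires on every StrongAuthenticationPolicy change would also page on removals and on admins re-saving an unchanged list, while one that only inspects NewValue cannot tell which range is new. The source_ip field is worth keeping in the alert as well; a change made from outside the approved egress is itself a strong signal that the account, not the network team, is driving it.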
Detection coverage (2 rules)
O365 Trusted IP Added to Bypass MFA
Severity: high. Detects when new IP addresses are added to the trusted IPs list in Office 365, potentially allowing MFA bypass.
O365 MFA Bypass Trusted IP - Management Activity
Severity: high. Detects addition of trusted IPs via O365 management activity logs.