{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mfa_bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Office 365","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["mfa_bypass","o365","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers can weaken an organization\u0026rsquo;s security by adding new IP addresses to the trusted IPs list in Office 365. By manipulating the trusted IP configuration, attackers can bypass Multi-Factor Authentication (MFA), gaining unauthorized access to sensitive resources and systems. This technique circumvents a critical security control designed to protect against credential compromise. The activity is often performed after initial access has been gained through other means, such as phishing or credential stuffing. Defenders should monitor changes to trusted IP configurations and investigate any unauthorized modifications promptly. The references suggest this technique is used to maintain persistence in compromised cloud environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges, possibly via credential compromise or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Office 365 portal using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Azure Active Directory admin center.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Conditional Access policies to add a new trusted IP range. This is achieved by setting the \u003ccode\u003eStrongAuthenticationPolicy\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eModifiedProperties{}.Name\u003c/code\u003e to \u003ccode\u003eStrongAuthenticationPolicy\u003c/code\u003e within the O365 management activity logs.\u003c/li\u003e\n\u003cli\u003eThe attacker ensures the \u003ccode\u003eModifiedProperties{}.NewValue\u003c/code\u003e contains a new IP address range that allows bypass of MFA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a device within the newly trusted IP range to authenticate to Office 365 services.\u003c/li\u003e\n\u003cli\u003eMFA is bypassed, granting the attacker access to sensitive data and systems within the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to significant damage. Attackers can gain unauthorized access to sensitive information, potentially leading to data breaches, financial losses, and reputational damage. By bypassing MFA, attackers can move laterally within the organization\u0026rsquo;s cloud environment, compromising additional accounts and resources. The number of affected users and the severity of the impact depend on the scope of access granted to the compromised account. Organizations in all sectors that rely on Office 365 are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Splunk Microsoft Office 365 add-on to ingest the required logs, as mentioned in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious modifications to trusted IP addresses in O365.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and IP address (\u003ccode\u003eip_addresses_new_added\u003c/code\u003e) involved.\u003c/li\u003e\n\u003cli\u003eReview existing Conditional Access policies and trusted IP configurations to ensure they align with security best practices.\u003c/li\u003e\n\u003cli\u003eImplement stricter monitoring and alerting for administrative accounts to detect unauthorized changes to security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-o365-mfa-bypass/","summary":"An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.","title":"O365 MFA Bypassed via Trusted IP Addition","url":"https://feed.craftedsignal.io/briefs/2024-01-o365-mfa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Mfa_bypass","version":"https://jsonfeed.org/version/1.1"}