How attackers can bypass phishing-resistant MFA | Use these protections!

4,254 views

T-Minus365

1 day ago

In previous videos, I've talked about how passkeys are one of the strongest forms of MFA you could roll out in an organization, given that they are considered phishing resistant and protect against threats like a man-in-the-middle attack. It's unlikely that many of us have reached a maturity level where we can look at rolling out passkeys to our customers, but I wanted to make this video to show how users can still be breached in Microsoft 365 even with this form of MFA in place. The breach I am going to show is something I have seen in real life at an organization I consulted with in the past. In their case, they transferred 530k to a fraudulent bank account after multiple users within the organization were compromised. I will also share my thoughts on how you can protect yourself from this attack using various security protections native to Microsoft 365.
🚀 What You'll Learn: Real-life applications: see firsthand how attackers can bypass even phishing-resistant MFA via a pass-the-cookie attack.
💡 Why watch? Identify protections you can put into place today that already exist in your native Microsoft 365 licensing.
Blog: tminus365.com/...
What I cover:
- Cookie hijacking in M365
- Persistence techniques
- Inbox rule manipulation
- Conditional Access policy protections
- Connecting alerts to a PSA
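As an added example (not the author's configuration and not shown in the video), here is how the Conditional Access session controls discussed in the video and the comments below (a sign-in frequency of one hour and persistent browser session set to never) can be created with the Microsoft Graph PowerShell SDK; the policy display name and the excluded break-glass group ID are placeholders, and the policy starts in report-only mode.

```powershell
# Added example: a Conditional Access policy whose session controls shorten how long a
# replayed session cookie stays usable. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the group holding emergency-access (break-glass) accounts.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "CA - Limit session lifetime (pass-the-cookie mitigation)"
    # Report-only first: review the sign-in logs, then change to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # Persistent-browser control requires the policy to target all cloud apps.
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Require a fresh primary + MFA authentication every hour, on a fixed interval,
        # so a stolen cookie expires within that window instead of lasting for days.
        signInFrequency = @{
            value              = 1
            type               = "hours"
            authenticationType = "primaryAndSecondaryAuthentication"
            frequencyInterval  = "timeBased"
            isEnabled          = $true
        }
        # Never persist the browser session: closing the browser discards the cookie.
        persistentBrowser = @{
            mode      = "never"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Sign-in frequency bounds how long a replayed cookie remains valid rather than preventing replay inside that window, so it complements, and does not replace, the inbox-rule and alerting protections the video covers.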

Comments: 16
@fbifido2 (3 months ago)
Or why can't the session token be TPM-bound? If the TPM that helped create that token is missing or disabled, then that session token should be unusable.
@fbifido2 (3 months ago)
@24:39 - Why can't the session token be IP-bound, so that if the session IP changes the session token expires? Even I don't like this idea, though, because of the case where the hacker is on the same network.
@Sergio-Here-In-Community (3 months ago)
Amazing material... These are real-case scenarios. Microsoft focuses a lot on PPT or how the feature works; however, you are teaching us why we should configure it... Excellent, I loved that explanation about pass-the-cookie. I hope in the future you can talk about Teams phishing, anonymous access in Teams, the DCSync attack for Entra ID Connect, app consent by users, who can invite guests, what a guest can do, attack surface reduction rules, Windows Hello, LAPS, and the other kinds of attacks we should protect against in our organization. I don't miss any of your videos; they help me reinforce and improve my level in Microsoft. Thanks for your support.
@Sergio-Here-In-Community (1 month ago)
Hello Nick, if the end user is using phishing-resistant MFA (FIDO2 or a passkey), will pass-the-cookie work? Will the attack compromise a token that had been issued using any of these verification methods? My understanding is that this attack will work if the token is issued via an MFA Authenticator push notification.
@Sergio-Here-In-Community (3 months ago)
Minute 20:19, regarding the token lifetime of 1 hour: you told us about persistent session set to never; however, I believe you were talking about sign-in frequency. The sign-in frequency limits the lifetime of the access token. Session persistence set to never: if the browser is closed the session token is removed, and then, if the user opens the browser again, he will need to reauthenticate. Can you please help us with that clarification? Best regards,
@DhavalBrahmbhatt2627 (3 months ago)
So what I learned is that there is actually no protection against a session cookie replay attack. One thing that boggles my mind is how easy it is and how ridiculously it laughs in the face of all the protections IT admins can put in place. After all this, your users are still the weakest link and you have nothing to protect yourselves with. The other thing is (again, because I don't understand how cookies work), why the hell are these cookies in plain text? Shouldn't they be encrypted?
@DailenGunter (3 months ago)
I've always wondered about this myself. If I use PowerShell to create a secure string, that string is tied to that machine because of how it's encrypted. Why isn't session authentication info handled the same way?
@fbifido2 (3 months ago)
@DailenGunter Because if they did it properly, the big data mining companies would not like it; how are they going to get access to your data if they can't see it? E.g., look at email: they created DKIM, but they don't want to use it to encrypt your email, because if they did that, how are they going to read your email messages? BTW: if they did use DKIM to encrypt emails, they would do it so that everyone can decrypt it.
@Sergio-Here-In-Community (3 months ago)
Minute 28:31, what is a PSA tool? Is it the Defender portal, or Sentinel, or what is the PSA tool that will receive the alerts?
@DailenGunter (3 months ago)
Some common PSAs are Autotask and ConnectWise.
@t-minus365 (3 months ago)
It stands for professional services automation tool, used by MSPs to triage tickets/alerts. Common examples are ConnectWise or Kaseya. A little different from Defender or Sentinel, but needed given they want to receive alerts from across many M365 tenants.
@fbifido2 (3 months ago)
@33:20 - You need to go do a full 120-minute video on how to create policies to:
- stop MFA bypass or workaround
- stop passkey bypass or workaround
- create a master policy that no other policy can bypass or supersede
- make a policy that prevents any admin changes in Azure unless they come from my company's public static IP address
- see if there are any policy conflicts in my tenant