Multi Factor Authentication (MFA) is widely considered to be one of the most important things you can do to protect your online accounts from hackers.

That is because cyber criminals are increasingly using Phishing attacks to steal passwords. MFA acts as an additional barrier as it requires the user to verify that the login attempt was really made by them. That verification is often via an SMS message or an Authentication App.

While the hacker may well have your password, they don’t have the verification message or physical device and thus they can’t get very far.

MFA is very effective against most breach attempts but, recently, we are seeing sophisticated attacks where hackers are not only stealing passwords but your MFA verification too.

How are they doing this?

  1. Hackers are conducting a simple Phish – often sending emails pretending to be from colleagues or other trusted parties.  The Phish takes them to a mock login page and asks them to submit their credentials (username and password).
  2. If the user falls prey to the Phish and enters their credentials, the hacker then attempts to login to the users Microsoft 365 account, this triggers the Multi Factor Authentication verification approval request.
  3. The user (who expects the request) either approves the request via Authentication App or enters their legitimate verification code into a fake MFA code entry page presented to them by the hacker.
  4. The hacker then has full access to the users legitimate Microsoft 365 portal.  When in the portal they are often able to setup their own MFA device, thus having ongoing access.

It seems simple but requires a few stars to align – firstly your user to fall for a Phish, convinced that they are doing the right thing for a “friend or colleague” and then, as MFA codes are only valid for seconds, the hackers having the right tools and timing to respond.

What are the hackers after?

While always financially driven the hackers aren’t necessarily after what you would think. The more senior the user, the more likely they will have information (and access) that will be of interest to a hacker. One of the most common activities we are seeing is hackers spending weeks or months reviewing emails, seeking to understanding key commercial relationships to conduct highly targeted financial attacks which if successful could cause significant commercial and reputational damage to your organisation as a participant.

Like an Onion, it’s all about layers

No single layer of protection will keep your organisation safe online. It’s about putting various layers of security in place so that if one is breached – there is another in the pathway of the hacker.
Our annual technology Roadmaps make recommendations regarding security measures appropriate to your situation. We know that these measures are often a compromise – they may well slow down your users or require them to change their way of working. However, if organisations are to protect themselves these measures, while difficult, are necessary.

Prepare your team for the attacks that will come

A hyper vigilant team is your first line of defence against an attack, but are they ready to spot a Phish?  Here is our advice to your users;

  • Adopt a “proceed with caution” approach to all emails.
  • Check the senders email address – is it a legitimate email? Beware of spelling mistakes in particular
  • Upon receiving an email containing a link, an attached file or link to a shared document (OneDrive/SharePoint) stop and ask yourself – did you expect to receive an email/file from this person? If not, a quick call or instant message to them to check that the email is legitimate before opening.
  • If there is a delay between the time you submit your credentials (username and password) and receiving the MFA authentication approval request, there is a real chance you have been Phished, do not authenticate.


Everyone makes mistakes

As the leaders in our organisation who are wearing the “technology hat”  we must assume that our users will make mistakes – we’re all human after all. The more levels of protection we can put around our teams, our technology and data, the less likely we will experience the complex, expensive and potentially damaging costs of remediation in the event of a breach.

If you’d like to revisit your security posture and understand what other “layers we could put on your onion”, talk with us today.