When MFA is Not Enough


Strengthening Your Cloud Security Configurations Against Attackers




With everything going on in the world right now, it is easy as security professionals to become distracted or to become overwhelmed with the mammoth task of protecting organisations within this ever-changing digital world. Rapid change is rarely good for security. For example, we have spent years building the protective measures to digitally secure businesses within the confines of an office.  Yet in the space of a few short months at the beginning of 2020 that fundamentally changed, maybe forever. The majority of the workforce now work remotely and with this change came the requirement for security and IT professionals to protect them.

One notable change the pandemic has brought, is that cloud services have become vital in maintaining normal business operations. However, this forceful change has also been noticed by criminals who are using a variety of techniques to gain access to these services and exploit the at home workforce.

The Cyber Security and Infrastructure Agency in America has noted several recent successful cyber-attacks against various organisation’s cloud services. Clearly, America only presents a microcosm for the more global deployment of such techniques. The attacks are, at this point, unattributed to a specific group but, to a certain extent, that is largely irrelevant – what is clear, however, is that the exploitation of poor cyber hygiene for remote working remain a significant focus for many hacker groups across the globe.


Research shows these attacks most frequently occurred where employees were using a mixture of corporate laptops and personal devices to access the company’s cloud services outside the relatively secure confines of the corporate office. Work is now being done on fragile home Wi-Fi networks, often shared with a Fortnite-obsessed, security-agnostic teenager. Furthermore, despite organisations deploying bolstered or newly acquired security tools to protect their extended environments, pre-existing and poor cyber hygiene practices have allowed attackers to circumvent these tools and penetrate company services.

Attack Techniques

The criminals involved in these attacks were observed to use a variety of techniques to achieve their goal. These included phishing, brute force login attempts, and possibly a “pass-the-cookie” attack— all of which are designed to exploit weaknesses in a target organisation’s cloud security practices.


It was observed attackers used phishing emails with malicious links to harvest the credentials for employees’ cloud service accounts. The emails included a malicious link to what appeared to be a secure message and emails that looked like a legitimate file hosting service account login. After an employee provided their credentials, the attackers then used the stolen credentials to gain access to the user’s cloud service account. It was observed that the attackers’ logins originated from foreign locations (although a proxy or The Onion Router (Tor) could have been used to obfuscate the location). The actors then sent emails from the user’s account to phish other accounts within the organisation. In some cases, these emails included links to documents within what appeared to be the organisation’s file hosting service.


 Forwarding Rules:

It was seen that once within a compromised mailbox that attackers would take advantage of malicious forwarding rules to collect sensitive data. They would modify Keyword Search Rules to search for a victim’s email messages for finance-related keywords and forward them to themselves. They Modified Existing Forwarding Rules to send sensitive emails to their accounts as well as the original account the rule was set up for. They would also create New Forwarding Rules to send sensitive emails to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users.


Most worryingly, it was seen that criminals could successfully sign into a user’s account which had Multi-Factor Authentication (MFA) enabled. It is believed that the criminals may have used browser cookies to defeat MFA with a “pass-the-cookie” attack. This was proved to be a more successful attack vector as more normal brute force attacks and password spray attacks (where username/password combinations are attempted to be ‘guessed’) were often thwarted.

Steps to Keep you Safe

As mentioned at the outset, the challenge of protecting organisation networks from the myriad threats presented is not an insignificant task.  However, with the adoption of a robust approach to good cyber hygiene and the adoption of some specific policies and processes we can put ourselves in a much more resilient position. Below is a list of steps you can take to combat this threat.

  • Implement conditional access (CA) policies based upon your organisation's needs.

  • Establish a baseline for normal network activity within your environment.

  • Routinely review both Active Directory sign-in logs and unified audit logs for anomalous activity.

  • Enforce MFA.

  • Routinely review user-created email forwarding rules and alerts or restrict forwarding.

  • Have a mitigation plan or procedures in place; understand when, how, and why to reset passwords and to revoke session tokens.

  • Secure privileged access users and audit them regularly.

  • Consider a policy that does not allow employees to use personal devices for work. At a minimum, use a trusted mobile device management solution.

  • Resolve client site requests internal to your network.

  • Consider restricting users from forwarding emails to accounts outside of your domain.

  • Allow users to consent only to app integrations that have been pre-approved by an administrator.

  • Audit email rules with enforceable alerts via the Security and Compliance Centre or other tools that use the Graph API to warn administrators to abnormal activity.

  • Implement MFA for all users, without exception.

  • Conditional access should be understood and implemented with a zero-trust mindset.

  • Ensure user access logging is enabled. Forward logs to a security information and event management appliance for aggregation and monitoring so as to not lose visibility on logs outside of logging periods.

  • Use a Conditional Access policy to block legacy authentication protocols.

  • Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.

  • Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.

  • Establish blame-free employee reporting and ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

  • Ensure existing built-in filtering and detection products (e.g., those for spam, phishing, malware, and safe attachments and links are enabled.

  • Organisations using M365 should also consider the following steps.

    • Assign a few (one to three) trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire M365 environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.

    • Disable PowerShell remoting to Exchange Online for regular M365 users. Disabling for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.

    • Do not allow an unlimited amount of unsuccessful login attempts.

    • Consider using a tool such as Sparrow or Hawk—open-source PowerShell-based tools used to gather information related to M365—to investigate and audit intrusions and potential breaches.