When Multi-Factor Authentication Isn’t Enough to Protect Your Business from Cyberattacks

Creating a silver bullet that stops all cyberattacks is complicated. The goalposts keep moving because both technology and cybercriminals advance rapidly. Effective cybersecurity is all about layers, combining people, processes, and technology in a way that covers as many angles as possible. Over the years, anti-virus platforms, firewalls, endpoint detection and response (EDR) systems and, more recently, multi-factor authentication (MFA) have all been hailed as the next “big thing” in cyber protection, with varying results. While the Microsoft 365 environment (M365) lets organizations easily enable MFA for all users, MFA alone isn’t enough to keep your digital assets safe, as was explored in “Key Security Threats Facing Your M365 Environment and How to Protect It,” a recent webinar from our cybersecurity team.

What is multi-factor authentication? 

Multi-factor authentication requires the user to provide two or more pieces of evidence of their identity before gaining access to an application or website. MFA goes beyond single-factor authentication (a password alone) by adding a second check, such as a one-time code from an authenticator app or text message, a push notification, or a hardware security key. (Security questions are another thing the user knows, so they do not add a second factor.) When MFA succeeds, the identity provider sends the browser a session cookie: a small token that lets later requests proceed without signing in again and, if “stay signed in” is chosen, marks that computer as a trusted device for future logins.

What is a man in the middle cyberattack? 

A man in the middle attack (MitM), also called an adversary in the middle (AiTM) attack when it targets logins, occurs when a cyber criminal places a proxy between the user and the real login page, typically by luring the user to a lookalike site with a phishing link. The proxy relays the password and the MFA code to the real identity provider, which issues a valid session cookie, and the attacker captures that cookie on its way back to the user. Because the cookie is a bearer token, the attacker can replay it from their own machine and be recognized as the trusted, already-authenticated device without ever seeing an MFA prompt. This can happen without anyone at the organization being the wiser, which is when the real trouble starts.
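As an added illustration (not code from the webinar or from 1nteger), the toy Python model below plays out the interception described above: a proxy on a lookalike domain relays the victim’s password and one-time code to a simulated identity provider, receives a valid session cookie, and replays it to read the mailbox. It then goes one step beyond the text to show why an origin-bound authenticator (WebAuthn/FIDO2 style, simulated here with an HMAC in place of a real key pair) defeats the same relay: the signed data includes the origin the browser is actually on, so a signature produced on the lookalike site is rejected by the real provider. All user names, origins, secrets and the helper functions are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed origins: the real identity provider and an attacker-controlled lookalike.
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"


def otp_code(secret):
    # Stand-in for a TOTP code; the proxy simply relays whatever the victim types.
    return hashlib.sha256(secret).hexdigest()[:6]


def sign_assertion(key, challenge, origin):
    # HMAC stands in for the authenticator's private-key signature. The origin the
    # browser is really on is part of the signed data, as in WebAuthn clientDataJSON.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Toy IdP: password plus a second factor, then a bearer session cookie."""

    def __init__(self):
        self.users = {"alice": {"password": "correct horse",
                                "otp_secret": b"otp-seed", "fido_key": None}}
        self.sessions = {}       # cookie value -> user
        self.challenges = set()  # outstanding FIDO challenges

    def login_otp(self, user, password, otp):
        rec = self.users[user]
        if password != rec["password"] or otp != otp_code(rec["otp_secret"]):
            return None
        return self._issue_cookie(user)   # nothing here ties the cookie to a device

    def fido_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_fido(self, user, password, challenge, client_origin, signature):
        rec = self.users[user]
        if password != rec["password"] or challenge not in self.challenges:
            return None
        self.challenges.discard(challenge)
        # The relying party checks the reported origin AND verifies the signature over
        # (challenge, REAL_ORIGIN). A signature made on a lookalike origin cannot match.
        expected = sign_assertion(rec["fido_key"], challenge, REAL_ORIGIN)
        if client_origin != REAL_ORIGIN or not hmac.compare_digest(expected, signature):
            return None
        return self._issue_cookie(user)

    def _issue_cookie(self, user):
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def read_mailbox(self, cookie):
        # Bearer token: whoever presents it is treated as the trusted device.
        user = self.sessions.get(cookie)
        return f"{user}'s mailbox" if user else None


def relay_attack_otp(idp):
    """Victim signs in on the phishing page; the proxy forwards everything to the real IdP."""
    victim_password = "correct horse"                            # typed into the fake page
    victim_otp = otp_code(idp.users["alice"]["otp_secret"])      # typed into the fake page
    stolen_cookie = idp.login_otp("alice", victim_password, victim_otp)  # proxy forwards
    # The attacker replays the captured cookie from their own machine: no MFA prompt.
    return idp.read_mailbox(stolen_cookie)


def relay_attack_fido(idp):
    """Same proxy, but the second factor is an origin-bound authenticator."""
    key = secrets.token_bytes(32)
    idp.users["alice"]["fido_key"] = key       # registered earlier with the real IdP
    challenge = idp.fido_challenge()           # proxy fetches a real challenge and relays it
    # The authenticator signs over the origin the browser is on: the lookalike.
    sig = sign_assertion(key, challenge, PHISH_ORIGIN)
    # The proxy can forward the signature and even lie about the origin, but the
    # signature itself covers PHISH_ORIGIN, so verification fails and no cookie is issued.
    cookie = idp.login_fido("alice", "correct horse", challenge, REAL_ORIGIN, sig)
    return idp.read_mailbox(cookie)


def legitimate_login_fido(idp):
    """Control case: the same authenticator used directly on the real origin."""
    key = secrets.token_bytes(32)
    idp.users["alice"]["fido_key"] = key
    challenge = idp.fido_challenge()
    sig = sign_assertion(key, challenge, REAL_ORIGIN)
    return idp.read_mailbox(idp.login_fido("alice", "correct horse", challenge, REAL_ORIGIN, sig))


if __name__ == "__main__":
    print("OTP relay gives attacker:", relay_attack_otp(IdentityProvider()))
    print("FIDO relay gives attacker:", relay_attack_fido(IdentityProvider()))
    print("Legitimate FIDO login:", legitimate_login_fido(IdentityProvider()))
```

The point of the control case is that nothing about the cookie changed between the two runs; what changed is whether the second factor could be relayed through a page on the wrong domain. In a real M365 tenant the equivalent controls are phishing-resistant authentication methods and Conditional Access policies, but the bearer-cookie replay in the first function is exactly what a relayed one-time code leaves exposed.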

A real-life example of a man in the middle cyberattack

An employee of a small to medium-sized business clicked on an innocent-looking yet malicious link sent by a cyber criminal. The user logged in when prompted and successfully authenticated via MFA. The attacker siphoned off the session cookie, which allowed them to establish an undetected, authenticated connection to the business’s M365 tenant. Once inside, the attacker looked through the compromised user’s email history and determined that the victim worked in purchasing. Communicating from the compromised account, the criminal submitted a phony request to accounts payable to pay one of their usual vendors using a “new” ACH routing and account number. Accounts payable reviewed and satisfied the request, sending $100,000 to the account the attacker controlled.

In this scenario, the attacker was able to quietly observe and then use the information learned to send what seemed to be a normal, predictable, in-house request to the accounts payable department.

At no point did warning bells go off because, just like in a horror movie, the “call” came from inside the house.

While man in the middle attacks are common, this particular attack stood out because the fraudulent request appeared to come from inside the organization rather than from outside.

91% of cyberattacks start with a phishing email 

A widely cited figure holds that 91% of cyberattacks start when someone clicks a link in an email that they shouldn’t. This is not just a statistic or a sensationalized story ripped from the headlines. MFA alone is not enough to fend off man in the middle and other cyberattacks, and these are problems the 1nteger team responds to on a weekly basis in support centers all over the country.

While you may have cybersecurity support now, the odds are that the traffic in and out of your M365 account is not being monitored around the clock. 1nteger CORE offers M365 security monitoring and vulnerability scanning and can help identify cyber threats immediately, before the criminals are “in” and have done serious damage. Our Security Operations Center monitors malicious admin changes, unauthorized email delegate access, failed or unauthorized access attempts, MFA changes, foreign and impossible logins, and suspicious email forwarding rules, 24×7.
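To make the monitoring list above concrete, here is an added example (not 1nteger CORE’s own tooling, and not from the webinar) of three of those detections written in Python and run over constructed sample records shaped like Entra ID sign-in logs and Microsoft 365 unified audit log entries: impossible travel between successive sign-ins, inbox rules that forward mail outside the tenant or delete it, and changes to a user’s registered security information. The tenant domain, user names, coordinates, timestamps and the 900 km/h plausibility threshold are all assumptions; real log records carry many more fields than the subset modeled here, and the `ForwardTo` value is simplified to a bare address.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAINS = {"example.com"}   # constructed: the tenant's own mail domains
MAX_PLAUSIBLE_KMH = 900              # faster than a commercial flight = impossible travel
MFA_CHANGE_OPERATIONS = {"User registered security info", "Admin registered security info",
                         "User deleted security info", "Admin deleted security info"}


def sign_in(upn, when, country, lat, lon, error_code=0):
    """Build a record shaped like an Entra ID sign-in log entry (subset of fields)."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "status": {"errorCode": error_code},
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


# Constructed sample data: alice's account is hijacked, bob commutes between two cities.
SIGN_INS = [
    sign_in("alice@example.com", "2024-03-04T09:00:00Z", "US", 41.88, -87.63),  # Chicago
    sign_in("alice@example.com", "2024-03-04T09:40:00Z", "NG", 6.45, 3.39),     # Lagos
    sign_in("bob@example.com", "2024-03-04T10:00:00Z", "US", 41.88, -87.63),    # Chicago
    sign_in("bob@example.com", "2024-03-04T12:00:00Z", "US", 43.04, -87.91),    # Milwaukee
]
AUDIT_LOG = [
    {"CreationTime": "2024-03-04T09:52:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "ap-billing@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-04T09:55:00", "Operation": "User registered security info",
     "UserId": "alice@example.com", "ResultStatus": "Success"},
    {"CreationTime": "2024-03-04T11:00:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def parse_ts(value):
    # Python < 3.11 fromisoformat() does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by one user that imply an impossible speed."""
    alerts, by_user = [], {}
    for rec in sign_ins:
        if rec["status"]["errorCode"] == 0:          # only successful sign-ins count
            by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            g1 = prev["location"]["geoCoordinates"]
            g2 = cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (parse_ts(cur["createdDateTime"])
                     - parse_ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > max_kmh:   # >50 km ignores geo-IP jitter inside one metro
                alerts.append((user, prev["location"]["countryOrRegion"],
                               cur["location"]["countryOrRegion"], round(speed)))
    return alerts


def suspicious_inbox_rules(audit_log, internal_domains=INTERNAL_DOMAINS):
    """Flag new or changed inbox rules that leak mail externally or hide it by deleting."""
    alerts = []
    for rec in audit_log:
        if rec["Operation"] not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in rec["Parameters"]}
        reasons = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            target = params.get(key, "")
            if target and target.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"{key} sends to external address {target}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule deletes messages")
        if reasons:
            alerts.append((rec["UserId"], params.get("Name", ""), reasons))
    return alerts


def mfa_changes(audit_log):
    """Any change to a user's registered security info is worth a look after a suspicious sign-in."""
    return [(r["UserId"], r["Operation"]) for r in audit_log
            if r["Operation"] in MFA_CHANGE_OPERATIONS]


def run_detections(sign_ins=SIGN_INS, audit_log=AUDIT_LOG):
    return {"impossible_travel": impossible_travel(sign_ins),
            "inbox_rules": suspicious_inbox_rules(audit_log),
            "mfa_changes": mfa_changes(audit_log)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the sample data only alice trips all three rules, and the sequence (sign-in from a second country forty minutes after the first, then a forwarding-and-delete rule, then a new security-info registration) is the pattern that turns three individually noisy signals into a confident account-takeover alert. Correlating them by user and time window, rather than alerting on each in isolation, is what keeps the rule set usable.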

The ability to act in real time is essential to be able to identify, isolate and remove threats. Contact us to learn how you can proactively protect your environment within a few days.
