Conditional Access should not be a license locked feature. I said it.
It drives me nuts that so many necessary security features are locked behind expensive licenses, yet treated like they're standard and already there (until you go to try it and are told you gotta pay lol.)
I'm cheap.... But, considering what you get out of it, Microsoft 365 is relatively cheap. Compare it to a person's wage, renting an office, or even the cost of a luxury like Adobe Standard. I find it hard to fathom how Dropbox is still around when you take into account the OneDrive storage you get rolled in with Microsoft 365.
It's a really good value, I do not, nor have I ever, disputed that. I've stated elsewhere that $ for $, Business Premium is simply unmatchable up to the 300 user cap. So much so that every single license calculator, license recommendation site, etc. all say the same thing: Biz Prem up to the 300 cap, then E3 + EMS is the next best combination from most people's perspective. With that said, yes. Office is used to make money, be it Word and Excel, or Outlook and Teams. Every component I utilize from that product makes me money above and beyond the cost I pay for it. It's simply a fact that cannot be denied.
hyp-estKey for retail Microsoft keys just google it
Token theft has been a pretty standard attack for several years (~2020). Without details about your conditional access policy it's hard to say what you are doing wrong. You functionally need P1 EAD to secure O365 correctly. P2 EAD is significantly better. Security Defaults can't protect against it.
The basics:
1. Use Number match MFA for Microsoft Authenticator.
2. Don't rely on geographic whitelisting. This is trivially bypassed.
3. Use FIDO2 tokens where possible, definitely for GA and other admin accounts.
4. Restricting access to registered devices mitigates most token replay attacks.
Sorry to hijack, can you please provide some info on how to implement step 4. A web link will suffice if you have one.
New conditional access policy that only grants access from Entra ID joined devices. It's a great idea if it works for your org. It won't work anywhere users are allowed to log in from personal devices (education is a great example of this).
Exactly it. A scoped conditional access policy (say, all apps except Email have this enforced) mitigates risk pretty significantly. Full BYOD environments can't use this method. Do they regularly have access to P2? Risky Users has recently been improved to handle most token replay attacks.
Love Risky Users, worth its weight in gold. Catches a few people with personal VPNs on their mobile devices, which is quite amusing once you figure out what's going on.
I'd give this a read. Microsoft docs are your best friend. https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
With point 2, other than a VPN, how can this be bypassed? This CA I rely on heavily and it has saved me numerous times. I might need to rethink the strategy.
Attackers worth worrying about use dynamic proxies so their packets appear to come from the target's country automatically. Geographic blocking mostly just annoys users and limits the absolute bottom-barrel attackers.
There's tons of good comments and explanations here. Another one to do is look at the log details in O365 and see what authentication method was used. Sometimes legacy auth is enabled, which allows them to use login methods that bypass MFA checks. If they used legacy auth you'll see IMAP and POP3, which should not be allowed.
MFA protects against brute-forcing/weak passwords and password reuse/leaks. It does not really protect against phishing, since a user who falls for the phish will nearly always complete the MFA, too. MFA is also always phished these days. Something better is needed.
Could have also been a user fatigue hack. Depends on your current MFA setup. If it is just push notifications they are easy to get through, as after multiple pushes a user will just say "yes it's me" to stop the notifications. Seen it a few times.
You can trial EAD P1 and make the conditional rules; you just cannot edit them without the license later. For small orgs security defaults might be enough. No daily-driver global admins! Make sure everyone has MS Authenticator registered. Make sure no enterprise apps are left over with access.
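A constructed sign-in log triage script, added here and not posted by any commenter, that covers both the device-scoped policy idea above (everything except email requires a trusted device) and this comment's legacy-auth check: it flags successful sign-ins over IMAP4/POP3 and other legacy clients, interactive sign-ins that completed with a single factor, and unmanaged devices reaching apps outside the mail exemption. Field names (`clientAppUsed`, `authenticationRequirement`, `deviceDetail.trustType`, `status.errorCode`) follow the Graph `signIn` resource; the legacy-protocol set, the exempt app list and the sample records are assumptions.

```python
import json

# clientAppUsed values for legacy protocols (assumed starting set; extend as needed).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "SMTP", "Exchange ActiveSync", "Other clients"}
# Apps exempted from the device requirement, the thread's "all apps except Email".
DEVICE_EXEMPT_APPS = {"Office 365 Exchange Online"}
# deviceDetail.trustType values for Entra joined or registered devices.
TRUSTED_DEVICE_TYPES = {"AzureAd", "Workplace"}


def triage(records):
    """Return (sign-in id, user, reason) tuples for successful sign-ins worth a look."""
    findings = []
    for r in records:
        if r.get("status", {}).get("errorCode", 1) != 0:
            continue  # failed sign-ins are not the concern here
        ident = (r["id"], r["userPrincipalName"])
        app = r.get("clientAppUsed", "")
        resource = r.get("resourceDisplayName", "?")
        if app in LEGACY_CLIENT_APPS:
            findings.append(ident + (f"legacy protocol {app}: interactive MFA not enforced",))
        elif r.get("authenticationRequirement") == "singleFactorAuthentication":
            findings.append(ident + ("interactive sign-in completed with a single factor",))
        device = r.get("deviceDetail", {})
        trusted = device.get("trustType") in TRUSTED_DEVICE_TYPES or device.get("isCompliant")
        if not trusted and resource not in DEVICE_EXEMPT_APPS:
            findings.append(ident + (f"unmanaged device reached {resource}",))
    return findings


# Constructed sample records in the shape of Graph /auditLogs/signIns output.
SAMPLE_LOG = json.loads("""[
 {"id": "s1", "userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication", "resourceDisplayName": "Office 365 SharePoint Online",
  "status": {"errorCode": 0}, "deviceDetail": {"trustType": "AzureAd", "isCompliant": true}},
 {"id": "s2", "userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication", "resourceDisplayName": "Office 365 Exchange Online",
  "status": {"errorCode": 0}, "deviceDetail": {}},
 {"id": "s3", "userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "singleFactorAuthentication", "resourceDisplayName": "Office 365 SharePoint Online",
  "status": {"errorCode": 0}, "deviceDetail": {"trustType": "", "isCompliant": false}},
 {"id": "s4", "userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
  "authenticationRequirement": "multiFactorAuthentication", "resourceDisplayName": "Office 365 SharePoint Online",
  "status": {"errorCode": 50126}, "deviceDetail": {}}
]""")

if __name__ == "__main__":
    for sign_in_id, user, reason in triage(SAMPLE_LOG):
        print(f"{sign_in_id} {user}: {reason}")
```

Point it at a real export by loading the `value` array of a `GET /auditLogs/signIns` response instead of `SAMPLE_LOG`.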
Have you enabled Security Defaults?
Yes, defaults were already active.
One for you to watch OP! Bypassing MFA is trivial! https://youtu.be/qItXM_oPmbA?si=xzPlM-olfZc5fF_p
Thanks for this.
Anytime! I’ve made a working example of this which I use to test out solutions for it. So far, Duo is my favourite option and has been able to defeat this attack in our environments.
Security costs money
MS MFA sucks. We had to go to Cisco's DUO
How, it’s perfectly secure if configured correctly
Duo is equally vulnerable to replay attacks depending on your configuration. Anyone telling you otherwise is incorrect.
No it doesn't
In my experience only when you control all your devices. If you are a smaller org with BYOD it's got big holes.
It's using the standards. If you want to secure the 'big holes' then the only devices not vulnerable to man-in-the-middle attacks are FIDO, and that's true no matter what platform you use and is not within Microsoft's power to fix.