Vulnerabilities in Microsoft Office 365 allow hackers to bypass multifactor authentication

Eli Cyber Security
3 min readSep 18, 2020

Proofpoint security firm specialists have revealed the finding of multiple critical vulnerabilities in multi-factor authentication of cloud environments where is enabled. According to network security course experts, flaws could allow threat actors to bypass multi-factor authentication and access applications like Microsoft 365, committing all kinds of sensitive information.

As if that weren’t enough, flaws could also be exploited to access other Microsoft cloud services, including Azure and Visual Studio, among others.

In their presentation, the researchers mentioned that flaws are likely to have existed for some time, although this has not been entirely proven. They also mention that these flaws exist due to the combination of multiple errors in the implementation of the WS-Trust protocol. In some of the scenarios described, malicious hackers could forge the IP address of a target user to bypass multi-factor authentication using request header manipulation.

Although encountering these faults is complicated, their operation can be very simple and can even be carried out in an automated way. Investigating a potential attack is also complicated, since malicious activities do not appear in the logs or leave traces of activity, as mentioned by network security course specialists.

With regard to the deployment of attacks, it is possible for threat actors to use widely resorted methods, such as phishing or channel hijacking, as described below.

Real-time phishing attacks

Real-time phishing is a much more aggressive variant since threat actors can capture users’ login credentials with automated tools. A popular variant of real-time phishing is the one known as Challenge Mirroring, in which users are asked to complete their login credentials on a malicious website, distributing a real-time attack.

Channel hijacking

This scenario requires a malware variant that can be injected into the victim’s system via Man-in-The-Browser attacks or with web injection to obtain target user information.

Malware variants used in these attacks can extract your phone’s login credentials, as well as intercept text messages and hack an answering machine.

Legacy protocols

These are not the only methods used by threat actors. A more economical and less complex variant abuses legacy protocols present in disused devices or accounts; According to network security course experts, legacy email protocols (POP, IMAP) do not support multi-factor authentication in non-interactive applications, so it is not applied correctly. While multiple organizations have blocked legacy protocols as a security measure, this remains a general problem.

Applicable security mechanisms

The threat is real, so Proofpoint experts recommend implementing the following measures to improve the security of your cloud infrastructure:

  • Automatically block access from locations and risky networks
  • Implement people-centered policies
  • Apply more aggressive controls: multi-factor authentication, access through browser isolation, use of virtual private network (VPN), among others

Implementing these measures will positively impact your organization’s security.

Originally published at on September 18, 2020.