CyberSecurityBoard
Sponsor Register Login

Researchers Find Way to Bypass Phishing-Resistant MFA in Microsoft Entra ID - Cyber Security News

Cybersecurity researchers have uncovered a sophisticated technique to bypass Microsoft’s phishing-resistant multi-factor authentication (MFA) by exploiting the device code authentication flow and Primary Refresh Tokens (PRTs). The current advancement focuses on reliably forcing MFA during authentication, making it possible to execute the full attack chain against environments with stringent security policies. “After a quick test our assumption was correct!” the researchers noted, referring to their discovery that the “amr_values=ngcmfa” parameter could force users to perform MFA during authentication flows. Researchers found they could force MFA during authentication by manipulating request parameters, regardless of existing security policies. As organizations increasingly rely on passwordless authentication methods like Windows Hello, this research highlights the importance of a defense-in-depth approach rather than depending solely on phishing-resistant MFA. When users complete authentication (including MFA), attackers obtain authorization codes that can be exchanged for access and refresh tokens. Microsoft’s design prevents administrators from viewing their own authentication methods in Entra ID, requiring another admin to check for suspicious activity. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The technique was initially developed for an internal “EntraIDiots” Capture The Flag (CTF) competition, where participants had to overcome a challenge that only permitted access using phishing-resistant MFA. The compromised authentication method doesn’t appear in the user’s account page that lists other authentication methods. “From a user perspective it’s quite difficult to detect that a new WHFB key was added,” the researchers explained. Due to limitations in Entra ID’s audit logging capabilities, the research team encountered difficulties correlating interactive sign-ins with device creation or WHFB key registration. This technique builds upon previous work by security researcher Dirk-jan Mollema, who demonstrated similar PRT phishing attacks in 2023.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 01 May 2025 11:45:08 +0000


Cyber News related to Researchers Find Way to Bypass Phishing-Resistant MFA in Microsoft Entra ID - Cyber Security News

Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
1 year ago Techtarget.com
How to secure on-prem apps with Entra Application Proxy - If your internal web applications are still internet-facing, then it's time to move away from turning your firewall into Swiss cheese just to externalize apps for your users. To reduce the attack surface, a traditional method, such as a VPN, has its ...
1 year ago Techtarget.com
Researchers Find Way to Bypass Phishing-Resistant MFA in Microsoft Entra ID - Cyber Security News - Cybersecurity researchers have uncovered a sophisticated technique to bypass Microsoft’s phishing-resistant multi-factor authentication (MFA) by exploiting the device code authentication flow and Primary Refresh Tokens (PRTs). The current ...
1 month ago Cybersecuritynews.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
What is adaptive multifactor authentication? - Adaptive multifactor authentication is a security mechanism intended to authenticate and authorize users through a variety of contextual authentication factors. Adaptive MFA essentially poses different sets of authentication requirements based on the ...
1 year ago Techtarget.com
Misconfigured MFA Increasingly Targeted by Cybercriminals - In the first quarter of 2024, nearly half of all security incidents our team responded to involved multi-factor authentication issues, according to the latest Cisco Talos report. A quarter of these incidents were caused by users accepting fraudulent ...
11 months ago Securityboulevard.com
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
8 months ago Aws.amazon.com
Don't phish for deals this holiday season - This season is also a prime opportunity for attackers seeking to capitalize on unsuspecting individuals, employing identity-based cyberattacks such as phishing to compromise users' credentials and take control of their accounts. While education on ...
1 year ago Securityboulevard.com
Threat Actors Bypass MFA Using AiTM Attack via Reverse Proxies - Multi-factor authentication (MFA) has long been touted as a robust security measure against phishing attacks, but sophisticated threat actors have developed new techniques to circumvent these protections. Rather than simply creating fake landing ...
1 month ago Cybersecuritynews.com
MFA and supply chain security: It's no magic bullet - With attackers increasingly targeting developer accounts and using them to poison software builds, manipulate code, and access secrets and data, development teams are under pressure to lock down their development environments. Attackers are targeting ...
1 year ago Securityboulevard.com
Microsoft365 Themed Attack Leveraging OAuth Redirection for Account Takeover  - Threat researchers at @Proofpoint are tracking two ongoing, highly targeted campaigns combining OAuth redirection mechanisms with brand impersonation techniques, malware proliferation and #Microsoft365 themed #credential phishing for #Account ...
3 months ago Cybersecuritynews.com
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
1 year ago Techrepublic.com
Iranian Hackers Developed a New Backdoor to Hack Windows - Peach Sandstorm, an Iranian Hackers group, targets diverse sectors globally, and this group is linked to:-. Using password spray campaigns, Peach Sandstorm exhibits opportunistic behavior, with a history of relying on this tactic. This custom ...
1 year ago Cybersecuritynews.com
Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users - Microsoft has acknowledged a recent issue that triggered widespread alerts in its Entra ID Protection system, flagging user accounts as high risk due to supposed credential leaks on the dark web. The alerts have been attributed to a combination of an ...
2 months ago Cybersecuritynews.com
Microsoft to start enforcing Azure multi-factor authentication in July - Starting in July, Microsoft will begin gradually enforcing multi-factor authentication for all users signing into Azure to administer resources. After first completing the rollout for the Azure portal, the MFA enforcement will see a similar rollout ...
1 year ago Bleepingcomputer.com Black Basta
Microsoft will roll out MFA-enforcing policies for admin portal access - Microsoft will soon start rolling out Conditional Access policies requiring multifactor authentication from administrators when signing into Microsoft admin portals such as Microsoft Entra, Microsoft 365, Exchange, and Azure. The company will also ...
1 year ago Bleepingcomputer.com
Hackers Exploiting Legacy Protocols in Microsoft Entra ID to Bypass MFA & Conditional Access - These tactics allowed threat actors to bypass Multi-Factor Authentication (MFA) and Conditional Access policies-two critical security measures organizations rely on to protect their digital assets. Legacy authentication protocols, including BAV2ROPC, ...
1 month ago Cybersecuritynews.com
"Microsoft’s Secure Future Initiative" Biggest cybersecurity Project in Its History - Led by Charlie Bell, Executive Vice President of Microsoft Security, the initiative has mobilized the equivalent of 34,000 engineers working full-time for 11 months to bolster security for Microsoft, its customers, and the broader industry. Following ...
2 months ago Cybersecuritynews.com
‘SessionShark' - New Toolkit That Evades Microsoft Office 365 MFA - The toolkit implements specialized “human verification techniques” to filter out automated security scanners and research bots, ensuring the phishing content remains hidden from security systems. A sophisticated new phishing toolkit named ...
1 month ago Cybersecuritynews.com
Microsoft Breach - How Can I See This In BloodHound? - On January 25, 2024, Microsoft announced Russia's foreign intelligence service breached their corporate EntraID environment. We reviewed the information Microsoft's team provided in their post which contained details significant enough to explain ...
1 year ago Securityboulevard.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
1 year ago Techrepublic.com
Hackers Using Advanced MFA-Bypassing Techniques To Gain Access To User Account - This code snippet shows how attackers can intercept an authentication response and modify critical status flags to falsely indicate MFA verification has been successfully completed. These advanced techniques, which exploit vulnerabilities in ...
3 months ago Cybersecuritynews.com
The Rise of Cyber Insurance - What CISOs Need to Consider - Cyber insurance offers not just financial protection against potentially devastating cyber incidents but also provides frameworks for improving security posture, access to specialized resources, and support during crisis scenarios. Beyond financial ...
2 months ago Cybersecuritynews.com
Microsoft Security Copilot improves speed and efficiency for security and IT teams - First announced in March 2023, Microsoft Security Copilot-Microsoft's first generative AI security product-has sparked major interest. With the rapid innovations of Security Copilot, we have taken this solution beyond security operations use cases ...
1 year ago Microsoft.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)