Multi-factor authentication needs to be part of the culture

In a recently disclosed case, Microsoft succeeded in closing down two phishing campaigns.

The campaigns were shut down and their domains seized under a court order, but not before millions of pounds had been transferred to accounts posing as those of a ‘trusted party’.

In the first campaign, lookalike (‘adjacent’) domains were used to imitate Microsoft Office, dressed up with generic business themes such as quarterly reports. In the second, the scammers created a fake but highly convincing app posing as a Microsoft product, in an attack type known as ‘consent phishing’. Tom Burt, from Microsoft, explained: ‘After clicking through the consent prompt for the malicious web app, the victim unwittingly granted criminals permission to access and control the victims’ Office 365 account contents, including email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.’

The old tech saw has it that your security is only as strong as your most naïve user. But this attack targeted CEOs and business leaders, who are often busy and distracted but not generally naïve. Furthermore, there was no request for a password, which sidestepped the suspicion such requests normally raise. Although not disclosed, the method may well have used the OAuth open standard. OAuth lets a user grant a third-party app delegated access to their own account: the user signs in on the genuine Microsoft login page, approves a list of permissions on a consent screen, and the app is issued a ‘token’ with which it reads the account directly. The app never sees a password, and the consent is what hands over the data.

Multi-factor authentication blunts the first campaign, where credentials were harvested on lookalike domains, and like many cyber-attacks of that kind it should be a requirement for access to any cloud service. On its own it does not stop consent phishing: the victim signs in legitimately on the real login page, second factor included, and then consents to the attacker’s app, whose access persists until the grant itself is revoked. That needs its own controls, namely restricting which apps users may consent to, routing anything else through an admin consent review, and auditing the consents already granted. The fact that MFA still hasn’t been widely adopted is down to a perception that it is an unnecessary hindrance rather than an essential protection.
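To make the consent mechanism and the review it needs concrete, here is an added example (not Microsoft’s code, nor anything shipped with Office 365) that triages an OAuth 2.0 authorization request of the kind a consent-phishing link opens. The Microsoft Graph scope names are real delegated permissions; every URL, client ID and host is constructed for the example, and the allow-list of approved app IDs is a hypothetical stand-in for a tenant’s consent policy.

```python
"""Triage an OAuth 2.0 consent request before anyone clicks 'Accept'.

Added example for this post, not Microsoft's code.  Scope names are real
Microsoft Graph delegated permissions; URLs, client IDs and hosts are made up.
"""
from urllib.parse import urlparse, parse_qs

# Delegated permissions that hand an app the contents Tom Burt listed
# (mail, contacts, notes, OneDrive, SharePoint).  offline_access matters most:
# it yields a refresh token, so access survives sign-out and even a password
# reset until the grant is revoked.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Notes.Read.All", "Notes.ReadWrite.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All",
    "offline_access",
}

# Hypothetical allow-list of app (client) IDs the organisation has reviewed;
# a real tenant enforces this through its app consent policy, not a Python set.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
BRAND_WORDS = ("microsoft", "office", "o365", "sharepoint", "onedrive", "outlook")


def is_lookalike_host(host):
    """True if a host trades on a Microsoft brand word without being Microsoft's
    (the 'adjacent domain' trick from the first campaign)."""
    host = host.lower().rstrip(".")
    if host == "localhost":
        return False
    if any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS):
        return False
    return any(word in host for word in BRAND_WORDS)


def parse_consent_request(url):
    """Pull client_id, requested scopes (sorted) and redirect_uri out of an authorize URL."""
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [""])[0]
    scopes = sorted(set(query.get("scope", [""])[0].split()))
    redirect_uri = query.get("redirect_uri", [""])[0]
    return client_id, scopes, redirect_uri


def assess_consent_request(url):
    """Classify a consent request as allow / review / block, with reasons.

    Nothing here looks at a password or second factor: the authorize endpoint
    is the real login.microsoftonline.com, the victim signs in normally (MFA
    included) and the token is then issued to the app.  The consent screen is
    the only decision point, which is what this function models.
    """
    client_id, scopes, redirect_uri = parse_consent_request(url)
    risky = [s for s in scopes if s in HIGH_RISK_SCOPES]
    redirect_host = urlparse(redirect_uri).hostname or ""
    lookalike = is_lookalike_host(redirect_host)

    reasons = []
    if risky:
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        reasons.append("offline_access: refresh token outlives a password reset")
    if lookalike:
        reasons.append(f"redirect_uri host {redirect_host!r} imitates a Microsoft domain")

    if client_id in APPROVED_CLIENT_IDS:
        verdict = "allow"    # reviewed app; its scopes were approved up front
    elif risky or lookalike:
        verdict = "block"    # route to the admin consent workflow instead
    else:
        verdict = "review"   # unknown app, low-risk scopes: a human decides

    return {"verdict": verdict, "client_id": client_id, "scopes": scopes,
            "risky_scopes": risky, "lookalike_redirect": lookalike,
            "reasons": reasons}


# Constructed samples.  The first mirrors the campaign described above: genuine
# Microsoft login endpoint, attacker-registered app, lookalike redirect host and
# a scope list covering mail, files and SharePoint.
PHISHING_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=deadbeef-0000-4000-8000-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Foffice365-quarterly-reports.example%2Fcallback"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
    "%20Sites.ReadWrite.All&state=q3report"
)
BENIGN_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fsignin"
    "&scope=openid%20profile%20User.Read&state=xyz"
)

if __name__ == "__main__":
    for request in (PHISHING_REQUEST, BENIGN_REQUEST):
        result = assess_consent_request(request)
        print(result["verdict"].upper(), result["client_id"], *result["reasons"], sep="\n  ")
```

Run stand-alone it prints BLOCK for the phishing request (three reasons) and ALLOW for the approved app. The point of the design is where the decision sits: the same logic could back a user-facing warning, but the robust place for it is a tenant consent policy that sends unapproved, high-privilege requests to an administrator rather than leaving the busy executive as the last line of defence.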

Although often unpopular, especially in larger organisations, the evidence is that once embedded, use of MFA becomes a normal and accepted part of an organisation’s security culture, much like carrying an electronic pass. Its inconvenience can be reduced with other controls, such as trusted IP address ranges and pre-registered devices, so that the second factor is demanded only when a sign-in looks out of the ordinary. Establishing MFA as an organisational standard should be top of any company’s cybersecurity list. It is an acceptance of the fact that, at any given time, anyone in an organisation can be the naïve one. Even the person at the top.

Edward Armitage, CEO, July 2020