Almost every compromised Microsoft account lacks multi-factor authentication, but few organizations enable it even though it’s available, according to Microsoft.
In Microsoft’s new Cyber Signals report, the company says that as at December 2021, just 22% of customers that use is cloud-based identity platform Azure Active Directory (AAD) have implemented “strong identity authentication”, which includes multi-factor authentication (MFA) and passwordless solutions, such as the Microsoft Authenticator app.
MFA is one of the best defenses against remote phishing attacks as logging in to an Office 365 account with a compromised password requires that the attacker also has physical access to a second factor, like an account owner’s smartphone.
As Microsoft has previously highlighted, if you do have MFA enabled, you’re almost guaranteed to be protected. Last year it revealed that 99% of compromised Microsoft accounts did not have MFA enabled.
One potential technical obstacle is that some organizations still have Office 365 “basic authentication” enabled, which doesn’t support MFA. Microsoft’s “modern authentication” enables MFA. Microsoft will disable basic authentication by default in October 2022 and would have done so last year were it not for the pandemic’s demands on remote access for employees.
The Cyber Signals report also highlights the scale of the onslaught on account identities. Microsoft says it blocked tens of billions of phishing attempts and automated password-guessing attacks, such as password spraying, last year. The attacks were from state-sponsored actors, such as Nobelium, the group behind the SolarWinds software supply chain attack, and ransomware affiliates.
“From January 2021 through December 2021, we’ve blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365,” notes Vasu Jakkal Corporate Vice President, Security, Compliance and Identity in a blogpost.
Clearly, however, some phishing emails and attacks still get through and that means some 78% of AAD customers without strong authentication are exposed to breaches that almost no clients with MFA enabled are.
The Cyber Signals report offers a snapshot of these threats in 2021 as well some context to what threat actors are employing these attack techniques. As the report notes, “ransomware thrives on default or compromised credentials”. Microsoft recommends enabling MFA on all end user accounts and prioritizing it for executive, administer and other privileged accounts.