The Inside Job: When Microsoft MFA Fails

In today’s threat landscape, cybersecurity vulnerabilities can originate from a variety of places. An exploitable gap in one vendor’s technology can have serious, cascading repercussions across an entire organization, large or small. This reality is one of the reasons that Okta’s Research and Exploitation (REX) team constantly performs security reviews for all of our code bases, as well as for all of the technologies with which we integrate.

Recently, during one such assessment, Okta REX Security Engineer Andrew Lee discovered a vulnerability in Microsoft’s Active Directory Federation Services (ADFS). It allowed a malicious actor to bypass Multi-Factor Authentication (MFA) safeguards for other accounts, provided the actor already had full access to one user’s credentials on the same ADFS service. This is similar to taking a room key for a building and turning it into a skeleton key that works on every door in the building.

Simply put, if just one employee in a global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability. Imagine a malicious actor within an organization gaining access to sensitive information such as financial data or company patents. The financial impact could be disastrous to the organization, and could have reverberating implications for its clients, customers or partners. Given how most credential phishing attacks work, this vulnerability gives a bad actor who already holds one set of credentials a significant advantage in expanding that compromise to other accounts. Corporations rely on MFA to limit credential attacks, and that reliance can leave them exposed to less prominent threats: insider intrusions, and lateral movement within the network that can lead to privilege escalation, among other things.

After discovering this vulnerability, REX followed Okta’s responsible disclosure process and reported it to Microsoft. A fix has been released, but because ADFS is an on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations.

For the full technical breakdown of this vulnerability, check out Andrew’s post on our Security blog.