Sometimes, a simple username and password isn’t enough to protect your information. Multi-Factor Authentication, or MFA, is a recommended security practice to protect more sensitive logins. Sometimes referred to as two-factor authentication, or 2FA, this method is commonly used for online banking or remote access of business sites by employees. If you’ve ever had to confirm your identity by receiving a text code on your cell phone, you’ve used MFA. More and more, we are advising our clients to use MFA to protect all access of Office 365.
Why? Because organizations often don’t think they need security services until after they’ve been the victims of a criminal attack. Several of our clients have turned to us for help after multi-thousand-dollar payments were fraudulently rerouted to the wrong bank account by a cyberthief.
Who’s In My Inbox?
One of the newest forms of cyberattack is the hijacking of email accounts. These attackers are experts at covering their tracks, leaving their victims completely unaware until it’s too late.
The inbox takeover begins when a person’s login credentials are compromised, whether through a successful phishing email, or through purchase on the dark web. Then the thief watches the user’s normal email exchanges and waits for an opportunity. They’re looking at all the players in any given situation: the approver, the executor of any transactions, and the one giving instructions.
Even Worse, Who’s Controlling My Outbox?
When an opportunity arises, the criminal moves to intercept a legitimate transaction—one that is discussed and expected by both parties. They do this by hijacking the email thread, posing as the employee, and sending instructions that will direct the money to a different bank account. Since the email comes from the actual employee’s mailbox, is complete with the correct signature, and even contains the email thread history, the recipient is none the wiser about the deception. To prevent the real user from finding the fake email in their Sent messages (or any replies to the bogus thread), the thief sets a rule in Outlook to immediately delete emails with that subject line.
This exact situation happened to an engineering firm with a team of about 20. The criminal had obtained the login credentials of the employee handling Payroll. Using information found in the inbox and the same password, he was able to access the third-party payroll provider and re-route all the direct deposits to alternate accounts. Payroll for an entire month disappeared before the scheme was uncovered.
Detection and Prevention
Dealing with these attacks is a two-step process. The first is detection. SOC services provide 24/7 monitoring and issue alerts when suspicious activity is spotted, such as when a user accesses email from a different device or is logged in from multiple locations at once. Either of these may indicate illegitimate access to an account.
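As an added illustration (not from the original post, and not SOCBOX's own tooling), this is the kind of detection logic a monitoring service runs over sign-in records and mailbox rules: it flags a user signed in from two locations within a short window, a sign-in from a device not previously seen for that user, and an inbox rule that silently deletes messages by subject line, the rule the attacker above relies on. The user names, devices, field names and log records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real tenant logs), one per login.
SIGNIN_EVENTS = [
    {"user": "payroll@example.com", "time": "2024-03-04T08:02:00", "location": "Denver, US", "device": "LAPTOP-PAYROLL"},
    {"user": "payroll@example.com", "time": "2024-03-04T08:17:00", "location": "Lagos, NG", "device": "unknown-android"},
    {"user": "ceo@example.com", "time": "2024-03-04T09:00:00", "location": "Denver, US", "device": "LAPTOP-CEO"},
    {"user": "ceo@example.com", "time": "2024-03-05T09:05:00", "location": "Chicago, US", "device": "LAPTOP-CEO"},
]

# Constructed baseline of devices each user normally signs in from.
KNOWN_DEVICES = {"payroll@example.com": {"LAPTOP-PAYROLL"}, "ceo@example.com": {"LAPTOP-CEO"}}

# Constructed inbox rules; the first mirrors the delete-by-subject rule described above.
INBOX_RULES = [
    {"user": "payroll@example.com", "name": "cleanup", "subject_contains": "Direct deposit change", "action": "delete"},
    {"user": "ceo@example.com", "name": "Newsletters", "subject_contains": "Weekly digest", "action": "move"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def concurrent_location_alerts(events, window_minutes=60):
    """Return (user, location_a, location_b) for consecutive sign-ins by the same
    user from two different locations within window_minutes of each other."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=_ts)
        for earlier, later in zip(user_events, user_events[1:]):
            if earlier["location"] != later["location"] and _ts(later) - _ts(earlier) <= timedelta(minutes=window_minutes):
                alerts.append((user, earlier["location"], later["location"]))
    return alerts


def new_device_alerts(events, known_devices):
    """Return (user, device) for sign-ins from a device not in the user's baseline."""
    return [(e["user"], e["device"]) for e in events if e["device"] not in known_devices.get(e["user"], set())]


def suspicious_inbox_rules(rules):
    """Return (user, subject) for rules that delete mail matching a subject string,
    the pattern used to hide a hijacked thread from the mailbox owner."""
    return [(r["user"], r["subject_contains"]) for r in rules if r["action"] == "delete" and r["subject_contains"]]
```

Running the three checks over the sample data surfaces only the compromised payroll mailbox; the executive's Denver-then-Chicago sign-ins a day apart are not flagged.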
Prevention, the second step, is where MFA enters the picture. On top of regular login credentials, MFA adds an additional physical factor: the user’s smartphone. So even if a criminal gets a user’s access credentials, the information is useless without the phone. There are several approaches to implementing MFA:
- Some third-party applications have MFA capabilities in addition to the normal single-step sign-on process. Examples include Okta, Duo, and Microsoft Azure.
- Office 365 allows you to enable MFA by installing the Microsoft Authenticator application on users’ smartphones. However, some companies hesitate to require that employees install specific applications on personal devices, because if employees aren’t being reimbursed for using their own phones, it can become an HR issue.
- Office 365 also supports native MFA by texting a one-time passcode to the employee’s phone. By not requiring installation of a specific app, this avoids the reimbursement issue. It also allows employees to self-enroll through an eight-step process, which takes less than two minutes to complete. Since the texted code is only required once for each new device or location, the impact of the extra security on the employee is minimized.
Here is Microsoft's support article on how to set up MFA.
SOCBOX offers SOC monitoring, and we also have well-established processes for implementing the various forms of MFA quickly and easily. These are part of our wide range of cybersecurity services which include consulting, compliance audits, penetration testing, social engineering defense, remediation, and SOC-as-a-service. To learn more or schedule a consultation with one of our security engineers, contact us, email firstname.lastname@example.org, or call 877-284-7789.