Two-factor authentication (2FA) is now relied upon by almost a third of businesses. It requires a user to present more than one method of identification when logging into an account. This prevents cyber-criminals from simply using password credentials to hack a system; instead, extra security layers, such as biometrics (inherence), personal information (knowledge), or a code sent to your phone or email (possession), are required to gain access to an account. But what happens when the 2FA process itself has been compromised?

Darktrace recently observed this exact scenario when a Microsoft 365 account was hijacked and the attacker temporarily changed the authentication settings so that the SMS codes were sent to their phone. The attack attempted to blend into the user activity and remain undetected. However, Darktrace was able to identify the account compromise from subtle anomalies in the user’s behavior, including suspicious logins, unusual email rule creations, and file deletions.

There has been a sharp increase in these SaaS-based attacks, which comes as no surprise as companies increasingly rely on SaaS platforms to conduct their remote business. Microsoft 365 is now used regularly across organizations for email, user management, file storage and sharing. This phenomenon has widened the attack surface and provides great opportunities for cyber-criminals. SaaS platforms are often siloed, and security teams tend to lack visibility over them and struggle to correlate events across these multiple platforms.

Darktrace Cyber AI protects the entire SaaS environment, providing full coverage over Microsoft 365 and Azure platforms. In this case, the customer was using the Microsoft 365 module. Despite the attack bypassing all other security tools, it was identified by Darktrace’s Microsoft 365 connector and investigated by Cyber AI Analyst – the world’s first AI investigation technology, which automatically triages, interprets, and reports on the full scope of security incidents.

How a Microsoft account was compromised through 2FA

An account belonging to a user on the financial team of a company with around 10,000 Microsoft 365 users was recently compromised. The initial infection most likely happened because the employee had clicked on a malicious link in a phishing email.

Darktrace began detecting suspicious logins into the Microsoft 365 account from unusual locations in the US and Ghana. These logins successfully passed the multi-factor authentication (MFA) security, as the attacker had subtly manipulated the user’s details, modifying the registered phone number so the authentication text message went directly to them.

2FA can be compromised using several tactics. It may be hacked via a SIM swapping attack or through the use of a malicious OAuth application. An attacker could even resort to a phishing or social-engineering attack, and work in real time to use the one-time password at the same time as the victim enters it on the phishing page.

‍

Following the unusual logins, Darktrace observed that the attacker had changed email rules for the compromised user’s account, as well as several shared inboxes, including one related to credit control.

During this time, the attacker was seen accessing multiple emails in the compromised user’s inbox. The attacker may have been scouring the inbox for sensitive data, or familiarizing themselves with the user’s normal activity and writing style, enabling them to craft believable phishing emails impersonating the account owner. The attacker also deleted multiple emails for that user in an attempt to cover their tracks.

While the rest of the organization’s security stack was blind to this threat, Darktrace’s Microsoft 365 connector detected the anomalous behavior and launched an automated investigation with Cyber AI Analyst. The security team then responded, before the attacker was able to fully exploit some of the critical shared mailboxes.

Had the hacker been able to continue, they would have been able to access intellectual property (IP) and sensitive financial data about the organization and its customers. This could have served as ammunition for future fraudulent payment requests, which have been known to cost organizations tens of thousands of dollars.

Cyber AI Analyst investigates the threat

Trained on hundreds of expert cyber analysts, Cyber AI Analyst conducts autonomous investigations on the full range of threats – including SaaS account compromise. In this case, it stitched together the anomalous login and user behavior and generated a natural language summary of the incident, ready for review. A human analyst would have taken an average of three hours to do this. Yet Cyber AI Analyst did it in a matter of seconds, delivering a 92% time saving.

Concluding thoughts

The dynamic workforce is more dispersed than ever, relying on SaaS applications and sprawling IT systems to host valuable data. In this digitally globalized world, cyber security must also be ubiquitous, providing full visibility across the digital environment.

This cyber-attack was targeted and sophisticated. The attack had used compromised credentials so no bruteforce activity was seen prior to the successful logins. Furthermore, the attacker passed the two-factor authentication, as well as covering their tracks through deleted emails and blending into legitimate user activity.

Darktrace AI, however, detected the subtle anomalies in the user’s behavior and thus identified that there was an unwanted presence in the environment. Darktrace is able to cover attacks in cloud and SaaS across the entire attack lifecycle – from an initial spear phishing email to full account takeover – even when other security methods, such as 2FA, have been compromised. In these attacks, early detection and response is key. There could have been significant financial and reputational repercussions had Darktrace not detected the attack.

Thanks to Darktrace analyst Brianna Leddy for her insights on the above threat find.