Gigantic Microsoft Hack

I know Microsoft REALLY pushes the authenticator app, but the assumption that if you have access to the device with the app and can just hit "approve" on the screen without having to enter a code is deeply flawed, because some users will just approve it, similar to your phone situation.
There are ways to intercept a text or to create a dummy gateway (but hackers aren’t going to pay for Twilio). But I can see where the Authenticator app can be compromised at the client level - if someone knows your passcode or pattern (or you have no locking method defined).

Hardware MFA is the best method - but also the most cumbersome, and people aren’t going to pay for a $20-30 Yubikey/Titan key.

Yup, exactly. While SMS interception is possible, it's typically unlikely unless you are a high value target.

When I speak of the authenticator app being compromised, I mean the "Approval" window that pops up where Microsoft simply asks if it is you, rather than using the rolling 6-digit code. A user can just click "Approve" and allow somebody access, similar to your phone example, whereas forcing the SMS or 6-digit rolling code model prevents that as the attacker would need to gain access to the code and USUALLY the attacks aren't complex enough to include that as part of the process unless, as I noted, the person is a high value target.
 
I'm so glad we got off our on-prem Exchange server a few years ago. That thing was such a headache to manage. I'm seriously contemplating activating 2FA for my company's O365 account also. Most of the company is smart and can easily tell a phishing email, especially since I will never send them a password reset unless I specifically tell them. Our CEO though.....ugh.
 
I figured something was up - the number of emails in the spam folder has been very high for weeks now.
 