I have MFA, nobody is getting past me?

A down-to-earth look at MFA for Microsoft 365, its weak spots, and some smart ways to stay one step ahead

Multi-Factor Authentication (MFA) is like having a security guard for your Microsoft 365 account, and it’s a big step up from just using a password! To get into 365 you must prove who you are in two or more ways, which makes things a lot tougher for anyone trying to break in. But as more of us use MFA, hackers have also gotten creative at finding ways around it. Knowing how these tricks work, and how you can protect yourself, can make all the difference.

What is MFA Anyway?

MFA asks for at least two of these three things to let you into your account:

· Something you know: like a password or PIN

· Something you have: like your phone or a security token

· Something you are: like your fingerprint or face

Mixing these up means it’s much harder for someone to get in unless they really are you.

Can Hackers Get Past MFA?

Unfortunately, yes.

While MFA is way better than just a password, it’s not bulletproof. Hackers don’t give up easily; they’re always finding new ways to beat the system, whether that means tricking people or outsmarting the tech.

How Hackers Sneak Past MFA

Let’s look at some of the sneaky methods hackers use to get around MFA:

1. Phishing Scams

Phishing is still the preferred trick. Hackers send fake emails or texts with links to websites that look real but aren’t. If you enter your password and MFA code there, they grab them and quickly use them on the real site.

2. Man-in-the-Middle Attacks

Here, hackers set up a fake site that sits between you and the real one. When you log in, you hand over both your password and MFA code, and the hacker forwards them to the legitimate site. There are even tools out there designed to make this easier for attackers.

3. SIM Swap Scams

If your MFA uses text messages, this one’s a biggie. Hackers may convince your phone company to move your number to a SIM card they control. Suddenly they get your texts, including MFA codes, and can lock you out of your accounts.

4. Malware & Keyloggers

Certain malware can record everything you type or steal MFA codes straight from your device. Really advanced ones even nab one-time passwords or browser tokens as you use them.

5. Session Token Theft

Some hackers go after the “session tokens” that Microsoft 365 uses to keep you logged in. A session token can be stolen after you click a malicious link in an email that leads to a fake but very real-looking 365 login page. You log in thinking nothing of it, and behind the scenes the hacker steals the active session token, no MFA needed, and gains full access to your 365 account, emails and data.

How to Make MFA Work Better for You

Don’t worry, there are several ways to make your MFA stronger and safer. Here’s what you or your IT provider can do:

Choose Better MFA Methods

If you can, try to avoid SMS codes. Go for an app like Microsoft Authenticator or Google Authenticator, or a physical key (like YubiKey).

Stay Aware About Phishing

1. Double-check links in emails – hover your cursor over the link to see the URL it really goes to.

2. Check the sender’s address and domain: does it look legit?

3. Look out for poor spelling, poor grammar and poor logos in emails.

4. Ask yourself: why would it be asking me to log in to 365 when I’m already logged in?

5. Don’t enter your info on any site you don’t trust.

6. Be very wary of messages asking for your login details or telling you to act now.

7. If in doubt, contact your IT provider before doing anything.
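Most of that checklist can be applied mechanically too, at least the parts about links and sender addresses. The Python script below is an added example and not part of the original post: it parses a constructed phishing email, compares each link’s visible text with where the link really points (the “hover” check), flags a trusted sign-in hostname buried inside another domain, tests the sender’s domain for lookalike spelling, and lists urgency phrases. The organisation domain `example.com`, the trusted login hosts and the phrase list are assumptions you would adjust for your own tenant.

```python
"""Run the phishing checklist over a raw email. Added example; the sample
message is constructed, not a real phish. Domain, trusted hosts and phrases
are assumptions to tailor."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                                  # assumption: your mail domain
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}  # assumption
URGENCY_PHRASES = ("act now", "immediately", "within 24 hours",
                   "will be suspended", "verify your account")
# Digits that stand in for letters and separators that pad a lookalike name.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})

# Constructed sample: "Microsoft" display name, lookalike sender domain, and a link
# whose text says login.microsoftonline.com but whose target is another domain.
SAMPLE_EMAIL = """From: "Microsoft 365 Support" <support@example-c0m.net>
To: someone@example.com
Subject: Action required: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Your mailbox is almost full. Sign in immediately to keep your account.</p>
<p><a href="https://login.microsoftonline.com.example-c0m.net/auth">https://login.microsoftonline.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link shows you."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registrable(host):
    """Last two labels of a hostname, the part you actually have to read
    (fine for .com/.net; a full public-suffix list would be better)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like(domain, ours):
    """Lookalike test: same letters once digit substitutions and hyphens are stripped."""
    return domain.split(".")[0].translate(LOOKALIKE_MAP).startswith(ours.split(".")[0])


def check_email(raw):
    """Return (code, detail) findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Checklist item 2: sender address and domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.partition("@")[2]) if "@" in addr else ""
    if sender_domain and sender_domain != OUR_DOMAIN and looks_like(sender_domain, OUR_DOMAIN):
        findings.append(("LOOKALIKE_SENDER", sender_domain))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Checklist item 1: does the visible text claim a different place than the real target?
        text_host = urlparse(text.strip()).hostname if "://" in text else None
        if text_host and registrable(text_host) != registrable(host):
            findings.append(("LINK_TEXT_MISMATCH", f"{text_host} -> {host}"))
        # A trusted brand host used as a subdomain of somewhere else.
        if host not in TRUSTED_LOGIN_HOSTS and any(t in host for t in TRUSTED_LOGIN_HOSTS):
            findings.append(("BRAND_IN_UNTRUSTED_HOST", host))

    # Checklist item 6: pressure to act now.
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("URGENCY", ", ".join(hits)))
    return findings


def verdict(findings):
    """Two or more independent signals is enough to send it to IT rather than click."""
    return "suspicious" if len(findings) >= 2 else "looks ok"


if __name__ == "__main__":
    results = check_email(SAMPLE_EMAIL)
    for code, detail in results:
        print(f"{code}: {detail}")
    print(verdict(results))
```

Running it on the constructed sample reports all four signals. The lookalike and brand-in-hostname checks are deliberately simple heuristics; they catch the common shapes but a determined sender can still dodge them, which is why item 7 (ask your IT provider) stays on the list.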

Keep Your Devices and Data Safe

Use a mobile device management product such as Microsoft Intune to keep device software up to date, control access to 365 from phones, tablets and computers, and manage the apps on those devices.

365 Conditional Access Policies

If you have the required 365 licence, such as Business Premium or Entra ID P1/P2, you can create powerful Conditional Access policies. These are security rules that control access to Microsoft 365 resources based on various conditions, and they can also minimise the risk of session token theft. Conditional Access policies are essential for any business using Microsoft 365.
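As an added illustration (not code from the original post), here is what one such policy looks like when created through Microsoft Graph, which is what the Entra admin portal does behind the scenes. It requires MFA and an Intune-compliant device for every user and every app, shortens how long a signed-in session stays valid, and starts in report-only mode so the sign-in logs show what it would do before it blocks anyone. The property names are those of the Graph `conditionalAccessPolicy` resource; the emergency-access group id and the access token are placeholders, and the `lint_policy` safety check is this example’s own idea, not a Graph feature.

```python
"""Conditional Access policy as a Microsoft Graph object, with a lint step
before creation. Added example; property names follow the Graph
conditionalAccessPolicy resource, the group id and token are placeholders."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder: object id of the group holding your emergency-access ("break glass") accounts.
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_policy(break_glass_group_id, name="Require MFA + compliant device, re-auth hourly"):
    """Body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": name,
        # Report-only first: evaluated and logged, but nobody is blocked yet.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            # Modern clients only; legacy protocols cannot do MFA and belong in a separate block policy.
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        # AND means both controls must be satisfied; a replayed session from an
        # unmanaged machine fails the compliant-device check.
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
        "sessionControls": {
            # Frequent re-authentication shortens the window in which a stolen session is usable.
            "signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}
        },
    }


def lint_policy(policy):
    """Return the mistakes that turn a Conditional Access rollout into a lock-out."""
    problems = []
    users = policy["conditions"]["users"]
    everyone = "All" in users.get("includeUsers", [])
    exclusions = [x for x in users.get("excludeGroups", []) + users.get("excludeUsers", []) if x]
    if everyone and not exclusions:
        problems.append("applies to All users with no emergency-access exclusion")
    if policy.get("state") == "enabled":
        problems.append("new policy should start in report-only mode")
    if everyone and "block" in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("blocks all users")
    return problems


def create_policy(policy, access_token):
    """POST the policy; the token needs Policy.ReadWrite.ConditionalAccess.
    Not called in the stand-alone run below."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy(BREAK_GLASS_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "ok")
```

Running the file just prints the policy and its lint result; `create_policy` sends it once you supply a real token. Keep the break-glass exclusion, watch the report-only results in the sign-in logs for a while, then switch `state` to `enabled`.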

Phishing Awareness Training

Phishing awareness training is essential as it equips you and other employees with the knowledge and skills to identify and avoid phishing attempts. Many security products like Sophos MDR or Microsoft Defender for Office 365 P2 allow IT teams to run simulated phishing campaigns, which try to trick you into opening emails and clicking links. These are controlled, monitored training tools to help raise awareness and keep you protected.

MFA for All

There’s no excuse: you must use MFA, and better still combine it with some or all of the methods and tools mentioned. Passwords are not enough!

What’s Next for MFA?

Security never stands still. As hackers dream up new tricks, security experts come up with better ways to stop them. Expect to see more biometrics and smarter systems that can tell it’s you from the way you move or type. The goal: make it super tough for anyone but you to get in.

Bottom Line

MFA is a huge upgrade from just using passwords, but it’s not perfect. Hackers are pretty crafty, especially at targeting people or finding loopholes in the way companies set things up. The more you know and the more careful you are, the safer you will be. Use MFA, but don’t stop there: stay alert, get educated, and keep your defences strong!

If you need help with your Cyber Security or want to know if you could be better protected, get in touch with us today.

020 8770 0007 | info@s50.co.uk