Advanced BEC Campaign Targets Microsoft 365 with MFA Circumvention

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 17, 2025 3 min read

Advisory: Persistent MFA Circumvention in an Advanced BEC Campaign on Microsoft 365 Targets

Mitiga has identified a sophisticated Business Email Compromise (BEC) campaign targeting Microsoft 365 organizations. The attack exploits weaknesses in Microsoft 365's multi-factor authentication (MFA), Microsoft Authenticator, and Microsoft 365 Identity Protection, effectively nullifying the security that MFA is supposed to provide.

Background

The attempted BEC attack revealed that the attacker had access to sensitive information that could only have been obtained by compromising a user in the organization. Mitiga reported unauthorized access to an executive’s Microsoft 365 account from multiple locations, including Singapore, Dubai, and San Jose, California. The initial access was gained through an adversary-in-the-middle phishing technique.

Microsoft 365 MFA Weaknesses Analysis

Despite MFA being a critical control, Microsoft does not allow customers to configure enhanced controls that could improve security. For example, when accessing resources from a new IP address or requesting elevated permissions, Microsoft does not require a new MFA challenge if a session has previously been authorized with MFA. This lack of flexibility allows attackers to maintain access even after the initial compromise.

One surprising aspect is the Privileged Identity Management (PIM) feature, which allows users to elevate permissions without requiring an MFA re-challenge. This means that if an account is compromised, attackers can become administrators easily. Furthermore, attackers can add a new Authenticator app without an MFA re-challenge, which creates persistency in accessing the account.

Security info registration

Image courtesy of Mitiga

Recommendations

To mitigate these risks, organizations should implement additional security layers, such as requiring a third factor tied to physical devices or authorized laptops and phones. Microsoft 365 offers Conditional Access, which can enhance security by requiring authentication via compliant devices.

Read a full analysis of the entire attack.

Phishing Campaign Targets Microsoft Device-Code Authentication Flows

A phishing campaign attributed to Russian state-sponsored hackers has been targeting various organizations globally since at least August 2024.

Phishing campaign image

Image courtesy of Cybersecurity Dive

Device-Code Phishing Attacks

These attacks use a specific phishing technique to exploit device-code authentication flows. Attackers prompt applications to generate device codes and trick users into entering them into a legitimate sign-in portal. This allows the attackers to capture authentication tokens, which can then be used to access targeted accounts without needing passwords.

Microsoft Threat Intelligence has warned that the group known as Storm-2372 has intensified its phishing attacks by using the client ID for Microsoft Authentication Broker. This enables attackers to obtain refresh tokens and access organizational resources.

The phishing emails used in these campaigns do not contain malicious links or attachments, making them difficult to detect by cybersecurity products.

Read more about Storm-2372's activities.

Phishing Campaign Impersonates Booking.com

A new phishing campaign has emerged, impersonating Booking.com to deliver a suite of credential-stealing malware. This campaign is indicative of the ongoing threat of credential theft.

Credential Theft

Credential theft remains a significant concern for organizations, as attackers increasingly use sophisticated techniques to gain unauthorized access to sensitive information.

For more information on credential theft and protective measures, refer to the Microsoft Security Blog.

Explore how our company undefined can help enhance your security measures against these threats. Visit our website at undefined to learn more about our services.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article