Employees are the most common and also the easiest attack vector against your organization. To protect them, we often use multi-factor authentication (MFA) as an additional layer of security. This makes life difficult for those with malicious intent, as well as for the users themselves, who complain about annoying alerts and SMS codes. But let’s focus on potential attackers. To get into our systems, it is no longer enough to send a phishing email to learn an employee’s login and password. The attacker also has to get a new login authorized, which requires our employee’s interaction. Now you may think that no one will confirm such an atypical login… but life can surprise us 🙂

Uber hack

A long time ago, in 2022, Uber (that’s the taxi company) had a serious breach. The attacker purchased credentials for the account of one of the company’s contractors on the dark web. But credentials alone weren’t enough, because the account was secured with MFA, and the attacker’s device wasn’t added as trusted. So what did our hacker do? He kept trying until he got what he wanted.

For an hour, the employee was bombarded with notifications until he finally succumbed and confirmed one of them. That was enough to bring everything down like a house of cards.

Fun Fact

The attacker who hacked Uber was only 18 years old. As you can see, you don’t need a PhD in cybersecurity to break into big companies 🙂

For more details, check CyberArk’s article.

How to live? What to do?

The Uber story teaches us that it pays to regularly train and educate your employees about cyber threats, because accidentally or reflexively confirming an MFA request can have dire consequences. It’s also worth checking whether your identity provider (IdP) offers a mechanism for users to report suspicious MFA attempts.
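As an added example (not part of the original post), here is detection logic a defender could run over sign-in records to spot the pattern from the Uber story: a burst of failed push prompts for one user inside an hour, followed by an approval from the same source. The record shape follows the Graph signIns resource; the sample records, the five-prompt threshold and the one-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121          # Entra ID error code for a failed strong-authentication (MFA) step
WINDOW = timedelta(hours=1)  # the Uber bombardment ran for about an hour
THRESHOLD = 5                # failed prompts per user per window (assumed tuning value)
def _rec(upn, ts, code, detail, ip):  # minimal record shaped like Graph /auditLogs/signIns
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code, "additionalDetails": detail}}
# Constructed sample records (not real logs): five ignored pushes in 40 minutes, then an
# approval from the same source IP; Alice declines a single prompt and moves on.
SAMPLE_SIGNINS = [
    _rec("contractor@example.com", f"2022-09-15T21:{m:02d}:00Z", MFA_FAILED,
         "MFA denied; user did not respond to mobile app notification", "203.0.113.7")
    for m in range(0, 50, 10)
] + [
    _rec("contractor@example.com", "2022-09-15T21:55:00Z", 0, "MFA completed", "203.0.113.7"),
    _rec("alice@example.com", "2022-09-15T09:10:00Z", MFA_FAILED,
         "MFA denied; user declined the authentication", "198.51.100.2"),
]
def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_bombing(records, window=WINDOW, threshold=THRESHOLD):
    """Return {upn: peak failed MFA prompts in any sliding window} for users at/over threshold."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == MFA_FAILED:
            failures[r["userPrincipalName"]].append(_ts(r))
    alerts = {}
    for upn, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop prompts that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[upn] = max(alerts.get(upn, 0), end - start + 1)
    return alerts
def approved_after_burst(records, alerts):
    """Alerted users who later approved a sign-in from an IP that also sent failed prompts."""
    hits = []
    for upn in alerts:
        fails = [r for r in records if r["userPrincipalName"] == upn
                 and r["status"]["errorCode"] == MFA_FAILED]
        bad_ips, last_fail = {r["ipAddress"] for r in fails}, max(_ts(r) for r in fails)
        if any(r["userPrincipalName"] == upn and r["status"]["errorCode"] == 0
               and r["ipAddress"] in bad_ips and _ts(r) > last_fail for r in records):
            hits.append(upn)
    return hits
```

Users returned by approved_after_burst are the ones to contain first: the prompt was eventually accepted, which is exactly what happened at Uber.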

Reporting suspicious MFA requests in Microsoft 365

As part of Entra ID, we have two mechanisms available for reporting suspicious MFA requests: Fraud Alert and Report Suspicious Activity.

What is a Fraud Alert?

MFA Fraud Alert, as the name suggests, lets users report suspicious MFA requests (in the Microsoft Authenticator app or during a phone call from Microsoft) that did not come from them, but from the thief 🙂

After such a report, the employee’s account may be automatically blocked until an administrator investigates it. Unfortunately, there is no further automation here: unblocking and follow-up are done manually.

What is Report Suspicious Activity?

This is an enhanced version of MFA Fraud Alert that integrates with Entra ID Protection. In a nutshell, Fraud Alert typically blocks the employee’s account until IT investigates. With Entra ID P2 and Identity Protection, a reported user account can be unblocked after certain corrective actions, such as a password change.

You can read more about Entra ID Protection in this post.

What to choose?

Your choice is quite simple:

  • If you have Entra ID P2, use Report Suspicious Activity and disable Fraud Alert.
  • If you have Entra ID P1, use Fraud Alert.
  • If you have neither Entra ID P1 nor Entra ID P2, don’t configure any of the settings because you don’t have a license for them 🙂

Important: you can use both settings at the same time, although I personally don’t recommend it.

Configuration

This section describes how to configure Fraud Alert and Report Suspicious Activity.

How to enable MFA Fraud Alert?

Navigate to: Entra admin center -> Protection -> Multifactor authentication -> Fraud alert

Next, change the State setting to Enabled and click Save to apply the changes.

There it is! The MFA Fraud Alert option is now enabled! Before reporting your first request, it’s also a good idea to set up alerts in the Notifications tab.

How to enable Report Suspicious Activity?

Navigate to: Entra admin center -> Protection -> Authentication Methods -> Settings

Then, in the Report suspicious activity section for the State option, set the value to Enabled and save the changes by clicking the Save button. Done!

Tests

This section describes tests of the Fraud Alert and Report Suspicious Activity settings.

Fraud alert

Sign in to any Microsoft 365 / Entra ID service and wait for the MFA approval request. When you see a new notification, click the NO, IT’S NOT ME option, which opens the window to report a suspicious MFA attempt - click REPORT.

The report is submitted to the Entra ID administrators, and the account has been block… secured!

What happens next with such a request?

The administrator receives an email notification about the new fraudulent MFA attempt.

If the admin has a spare moment, he/she can go to the Entra admin center and unblock the employee’s account under Block/unblock users. Of course, the admin first has to analyze what happened, make some coffee and report the incident, so it might take a while 😁

Doesn’t sound good? You can always consider upgrading to Entra ID P2 and configuring Identity Protection along with the Report Suspicious Activity option!

Report Suspicious Activity

Report Suspicious Activity, the new enhanced version of Fraud Alert, is not much different when it comes to reporting fraudulent MFA attempts.

Again, sign in to any Microsoft 365 / Entra ID service and wait for the MFA approval request. When you see a new notification, click the NO, IT’S NOT ME option, which opens the window to report a suspicious MFA attempt - click REPORT.

Pay attention to the content of the message. Previously, the user saw a message stating that such a report could block access to the account; now there is no such warning. Why? The Report Suspicious Activity option doesn’t lock user accounts by default. That is done by Conditional Access and Identity Protection. If you don’t configure these dependencies, nothing special happens from the user’s perspective, and the account is not blocked.

What happens next with such a request?

The report is registered in Entra ID, where the user’s account risk is increased to High. If you have Risk-Based Conditional Access policies in place, the employee will be prompted to change the account password during the next sign-in attempt, immediately after confirming the MFA challenge.

Psst! Find out more about how to set up Self-service Password Reset (SSPR) here.

What does the administrator see?

Similar to Fraud Alert, the administrator receives an email from Identity Protection that a new risky user has been detected.

After clicking the link in the email, you can view the report event and any other detections from Identity Protection that may be related to it.

Of course, after resetting the password, the event will not disappear, but you will receive a new one indicating that the risk has been eliminated by the password reset.

Conclusion

Now you have learned how to prevent Multi-Factor Authentication Request Generation attacks in Entra ID. Remember that you should always update your documentation and employee training materials after implementing technical measures 🙂

Until next time.

Additional resources

  1. MITRE ATT&CK - Multi-Factor Authentication Request Generation
  2. CyberArk - Unpacking the Uber Breach
  3. Microsoft Docs - Configure Microsoft Entra multifactor authentication settings