Quorum Cyber Incident Response team investigates a series of BEC incidents

The Quorum Cyber Incident Response team has been investigating a number of Business Email Compromise (BEC) incidents recently where an attacker has been able to successfully gain access to accounts protected with Multi-Factor Authentication (MFA).

Although this attack vector is not new, it is a good opportunity to remind ourselves as a community to remain vigilant even when MFA protection is in place. Currently, we are observing attackers bypassing MFA by:

  • Stealing and reusing session tokens where an account has previously satisfied MFA
  • Repeatedly triggering MFA prompts, to a point where the affected user either accidentally approves the request, or approves the request in an attempt to stop the repeated alerts (MFA fatigue)
  • In cases where MFA requires validation by entering a number into the login prompt, socially engineering the user through email or a phone call to divulge the number for the attacker’s use
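
The MFA fatigue pattern described above can be looked for in sign-in data as a burst of unapproved prompts followed by an approval. The following is an added example, not Quorum Cyber's own detection logic; the event schema, thresholds and sample records are constructed assumptions and do not reflect a real Entra ID log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real Entra ID log format):
# (timestamp, user, result) where result is "denied", "timeout" or "approved".
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "alice", "approved"),   # normal sign-in
    ("2024-01-10T22:14:00", "bob", "timeout"),
    ("2024-01-10T22:14:40", "bob", "denied"),
    ("2024-01-10T22:15:10", "bob", "timeout"),
    ("2024-01-10T22:15:55", "bob", "denied"),
    ("2024-01-10T22:16:30", "bob", "approved"),     # approval after a burst
    ("2024-01-10T23:00:00", "carol", "denied"),
    ("2024-01-11T08:30:00", "carol", "approved"),   # hours later: not a burst
]

def find_mfa_fatigue(events, window=timedelta(minutes=10), min_failed=3):
    """Return (user, approval_time, failed_count) for each approval that
    follows at least `min_failed` unapproved prompts within `window`.
    The window and threshold defaults are assumptions to tune per estate."""
    findings = []
    recent_failed = {}  # user -> timestamps of recent unapproved prompts
    # ISO 8601 strings in one format sort chronologically.
    for ts_text, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        # Keep only this user's unapproved prompts still inside the window.
        failed = [t for t in recent_failed.get(user, []) if ts - t <= window]
        if result == "approved":
            if len(failed) >= min_failed:
                findings.append((user, ts_text, len(failed)))
            failed = []  # an approval ends the current burst
        else:
            failed.append(ts)
        recent_failed[user] = failed
    return findings

if __name__ == "__main__":
    for user, when, count in find_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{user}: approval at {when} after {count} unapproved prompts")
```

An approval flagged this way is a lead for triage, for example by checking whether the approved sign-in came from a location or device the user normally uses.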

Whilst MFA significantly enhances the security of user accounts, there are a variety of methods available to attackers to bypass these security measures. At Quorum Cyber, we have undertaken a thorough review of our playbooks and handling processes to ensure that our M-XDR customers remain safe in these circumstances.

To help combat session token theft specifically, Microsoft Entra ID Token Protection, currently in public preview, can be enabled. This binds session tokens to registered devices, preventing attackers from using stolen session tokens in certain circumstances. More information is available here.

Quorum Cyber’s Entra ID Health Check service reviews the security configuration of Entra ID and identifies improvements that can help increase the security of your estate, including MFA configuration. For more information, contact [email protected].