MitM MFA Attacks
Microsoft 365 is one of the most popular cloud-based productivity suites, providing organizations with essential tools for collaboration, communication, and data storage. With so much valuable information housed within the platform, Microsoft 365 is an attractive target for cybercriminals. Although Multi-Factor Authentication (MFA) offers an essential layer of security beyond just passwords, attackers are increasingly using Machine-in-the-Middle (MitM) attacks to bypass MFA protections.
Getting Started
We’ll explore how MitM MFA attacks work, their implications for Microsoft 365 users, and best practices to secure your Microsoft 365 environment against these sophisticated threats.
Securing Microsoft 365
Defend Against Machine-in-the-Middle (MitM) MFA Attacks
Understanding Machine-in-the-Middle (MitM) MFA Attacks
Machine-in-the-Middle (MitM) MFA attacks involve an attacker positioning themselves between the user and the legitimate service (in this case, Microsoft 365) to intercept and relay information, including credentials and MFA tokens. By doing so, they can gain unauthorized access without disabling or directly bypassing MFA.
In Microsoft 365, MitM attacks commonly follow these steps:
- Phishing: The attacker sends a link to a fake Microsoft 365 login page that resembles the real one.
- Credential and MFA Interception: The attacker captures the user’s credentials and MFA token in real time, relaying the login information to Microsoft 365.
- Account Access: Once the MFA token is verified, the attacker gains access to the account.
Note: MitM attacks are highly effective because they exploit user trust in familiar interfaces and authentication workflows, making it challenging for users to identify a threat.
Why Microsoft 365 is a Target for MitM Attacks
With over 300 million active users, Microsoft 365 is a treasure trove of sensitive information, from emails and documents to collaboration tools like Teams and SharePoint. Cybercriminals target Microsoft 365 to gain access to critical data, financial records, intellectual property, and more.
Microsoft 365’s popularity, combined with the high success rate of phishing and MitM attacks, has led to a surge in attackers using MitM tools like Evilginx2, Modlishka, and Muraena. These tools facilitate MitM attacks by acting as reverse proxies that intercept login credentials and MFA codes in real time.
Securing Microsoft 365 Against MitM MFA Attacks
To effectively protect Microsoft 365 against MitM MFA attacks, organizations should implement a combination of technical safeguards, robust policies, and user training. Here are the top recommendations to defend against these attacks.
Adopt Phishing-Resistant MFA Solutions
One of the best defenses against MitM attacks is to implement phishing-resistant MFA methods that are more secure than traditional SMS-based or app-based MFA.
1. Use FIDO2/WebAuthn Authentication
- How It Works: FIDO2 and WebAuthn are modern standards that authenticate with a physical security key or device biometrics instead of a relayable code. The browser records the origin it is actually on inside the signed authentication response, and the authenticator binds the credential to that site's domain, so a response collected by a proxy on a lookalike domain is rejected by the real service. Authentication is tied to a specific device and origin, leaving the attacker nothing to relay.
- Microsoft Implementation: Microsoft 365 supports FIDO2 security keys, which are highly effective against MitM attacks. When using a FIDO2 key, the user’s authentication is cryptographically bound to the device and to the Microsoft 365 sign-in domain, rendering reverse-proxy MitM tools ineffective.
2. Implement Passwordless Authentication
- Benefits: Passwordless authentication eliminates the need for passwords, replacing them with biometric options (like Windows Hello for Business) or hardware tokens. This prevents attackers from using captured credentials and MFA tokens.
- Configuration: Enable passwordless sign-ins within Azure AD for supported devices. By removing the password from the equation, this method reduces the chances of MitM attacks exploiting compromised credentials.
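As an added illustration (not code from the original article or from Microsoft), here is the origin and RP ID check a WebAuthn relying party performs on an assertion, run against a constructed response from the legitimate origin and one from a lookalike domain fronting a reverse proxy; the RP ID value used for Microsoft 365 is an assumption.

```python
import base64
import hashlib
import json

# Relying-party values the real server expects. The RP ID Microsoft uses is
# assumed here for illustration; the checks are the same for any RP.
EXPECTED_RP_ID = "login.microsoft.com"
EXPECTED_ORIGIN = "https://login.microsoft.com"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def build_assertion(page_origin: str, challenge: bytes) -> dict:
    """Constructed sample of what a browser and authenticator emit for a
    WebAuthn get() on a page served from page_origin (signature omitted)."""
    host = page_origin.split("://", 1)[1]
    client_data = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,
    }
    # authenticatorData starts with SHA-256(rpId). The browser derives the rpId
    # from the page's real domain; a proxy page cannot claim a different one.
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05\x00\x00\x00\x00"
    return {
        "clientDataJSON": base64.urlsafe_b64encode(json.dumps(client_data).encode()).decode(),
        "authenticatorData": auth_data,
    }

def verify_binding(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Server-side origin and RP ID checks from the WebAuthn assertion
    verification procedure; the signature check over authenticatorData and
    SHA-256(clientDataJSON), which stops the attacker editing either, is not shown."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or forged response)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

if __name__ == "__main__":
    challenge = b"server-generated-random-challenge"
    print(verify_binding(build_assertion(EXPECTED_ORIGIN, challenge), challenge))
    # Constructed lookalike domain fronting a reverse proxy: rejected.
    print(verify_binding(build_assertion("https://login.rnicrosoft.example", challenge), challenge))
```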
Use Conditional Access Policies
Conditional Access policies in Microsoft 365 allow you to control access based on user, device, location, and other risk factors. By enforcing these policies, you can create a more dynamic and secure authentication process.
1. Enforce Location-Based Access Controls
- Block Suspicious Locations: Configure Conditional Access to block access from high-risk or foreign locations that are outside of your organization’s normal operations.
- Limit Access to Trusted IPs: Require that users authenticate only from trusted IP addresses, such as your office network or approved VPNs. Because a reverse-proxy MitM relays the victim’s login from the attacker’s infrastructure, the sign-in reaches Microsoft 365 from the proxy’s IP address rather than the user’s, so a trusted-IP requirement blocks sessions originating from unknown networks.
2. Require MFA for Risky Sign-ins
- Use Risk-Based Conditional Access: Set up policies to require additional MFA verification for sign-ins that Azure AD deems high-risk. Risk-based policies evaluate login patterns to detect potentially suspicious activity.
- Deny High-Risk Sessions: Automatically block high-risk sessions, such as those with impossible travel indicators (e.g., logins from widely separated locations within a short timeframe), which may indicate an active MitM attack.
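An added example, not part of the original article: the impossible-travel check described above, applied to constructed sign-in records with the field layout of Azure AD sign-in logs (user, time, IP, geolocation); the 900 km/h threshold and 50 km same-area tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Fastest plausible legitimate travel (assumed value); anything faster implies
# two different origins, e.g. the user's real session plus a proxy-relayed one.
MAX_PLAUSIBLE_KMH = 900.0

@dataclass
class SignIn:
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """Return (earlier, later, implied_kmh) for consecutive sign-ins of the same
    user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    findings = []
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.time)):
        by_user.setdefault(e.user, []).append(e)
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.time - prev.time).total_seconds() / 3600
            if km < 50:            # same metro area: ignore (assumed tolerance)
                continue
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append((prev, cur, kmh))
    return findings

# Constructed sample resembling the user, time, IP and geo fields of sign-in
# logs: alice's second sign-in comes from another continent 20 minutes later.
SAMPLE = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), "203.0.113.10", 47.61, -122.33),   # Seattle
    SignIn("alice", datetime(2024, 5, 1, 9, 20), "198.51.100.7", 52.52, 13.40),   # Berlin
    SignIn("bob", datetime(2024, 5, 1, 8, 0), "203.0.113.11", 47.61, -122.33),
    SignIn("bob", datetime(2024, 5, 1, 18, 0), "192.0.2.5", 45.52, -122.68),      # Portland
]
for earlier, later, kmh in impossible_travel(SAMPLE):
    print(f"{earlier.user}: {earlier.ip} -> {later.ip} implies {kmh:.0f} km/h")
```

A finding only says two sessions cannot both be the user in person; correlating the later IP against known trusted ranges is what distinguishes a relayed session from a VPN exit.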
Educate and Train Users
Even the most robust security policies can be bypassed if users are not adequately trained. Educating users on identifying potential MitM attacks is essential for maintaining a secure Microsoft 365 environment.
1. Conduct Regular Phishing Training
- Simulated Phishing Campaigns: Use tools like Microsoft Defender for Office 365 to run phishing simulations. By creating controlled phishing tests, you can identify and educate users who are more vulnerable to phishing attacks.
- Encourage Reporting: Establish a clear process for reporting suspicious emails or login prompts. Users who feel empowered to report potential phishing attempts are more likely to help in preventing MitM attacks.
2. Emphasize URL Awareness
- Teach Users to Verify URLs: Encourage users to check URLs before entering their login information. Fake login pages often have URLs that are similar to but slightly different from the legitimate ones.
- Warn Against MFA Fatigue: Inform users about the dangers of “MFA fatigue,” where attackers bombard them with MFA prompts. Emphasize the importance of only approving prompts for logins they initiated.
Conclusion
MitM attacks targeting MFA present a significant threat to Microsoft 365 environments, but by implementing strong security practices, you can greatly reduce the risk of a successful attack. From adopting phishing-resistant MFA solutions to enforcing Conditional Access policies and educating users, each measure strengthens your organization’s security posture against MitM attacks.
MitM attacks are constantly evolving, and attackers will continue to find new ways to bypass even the most advanced defenses. For this reason, securing Microsoft 365 is not a one-time task. Regularly updating policies, staying informed about new security features, and maintaining a proactive approach are essential to protecting your organization’s data and ensuring a secure Microsoft 365 environment. By following these best practices, you can bolster your defenses against Machine-in-the-Middle attacks and maintain a resilient, secure workspace for your organization.