How to protect your Office 365 MFA admin account from cell phone SIM hijacking


Introduction

Hackers are actively attacking Office 365 administrator accounts. With the default MFA configuration, password reset requests are authenticated via your cell phone (SMS or phone call), but the code is actually sent to your SIM. If a hacker has hijacked your SIM, they can also reset your password and gain access to Office 365.

This tutorial will step you through how to configure your Office 365 MFA settings so that a hijacked SIM no longer lets someone else receive your authentication codes.

Before I explain SIM hijacking and how to protect your accounts, I strongly recommend that you have already followed my previous MFA (Multi-Factor Authentication) tutorials -

Modern Authentication and Multi-Factor Authentication -
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- MFA Support - PowerShell modules and resources for Office 365 - Link

MFA (Multi-Factor Authentication) Pre-requisites
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link

Download my Office 365 PowerShell Connection script that supports MFA
Now with a user friendly GUI - Link

=============================================================

So what is SIM Hijacking?

SIM Hijacking - Quote from - Link
"The problem, of course, is that, SMS codes aren’t actually sent to your phone. They’re sent to the phone in which the SIM card registered to your number is installed.

So, if your SIM has been cancelled, and a new one issued to someone else, the SMS codes no longer go to you.

Even if you had a strong passcode on your own phone, or a PIN code on your SIM, all bets are off. The crooks simply put the new SIM (for which they get to choose the PIN code, if any) into a phone of their own (for which they get to choose the passcode, if any)."

Read the SIM Hijacking Stories below to get a better understanding of how hackers are using social engineering to get your cell number associated with a new SIM that they possess.


SIM Hijacking Stories -
- Your Privacy is at risk - Link - YouTube video (Language Warning)
- Twitter Activist SIM hijacking - Link
- Indian two-factor authentication fraudsters busted by Delhi cops - Link
- Keeping text message multi-factor authentication secure - Link

==============================================================

So what are the default settings for MFA enabled accounts?

If you have accepted the default MFA settings (your mobile phone receives phone calls for authentication), you are at risk from SIM hijacking. The same risk applies if you have selected the option to receive the authentication code via SMS to your cell phone.

For this tutorial, I have created a new Office 365 admin account -
admin-mfa-txt@hybrid0617.onmicrosoft.com - and then enabled MFA on that account.

At the first login as that user, you will be prompted to set up MFA. Click "Set it up now".

You will then be presented with three options when selecting the drop down box -
- Authentication Phone
- Office Phone
- Mobile App

The default settings will be - Authentication Phone and Call me.
For this tutorial, I will accept the default and enter my mobile phone number and country, and the "call me" option.
I then receive a phone call which instructs me to press the 'pound' key.
Once done, my authentication phone is registered.
Click - 'Done'.

Next I will confirm that MFA has been configured on my account.

I log in to the portal and enter my username and password. Microsoft will call my mobile phone and I press the 'pound' key. I am then granted access.

As you can see, MFA works fine with the default settings, and you are protected as a hacker must have access to your phone to receive authentication codes. This seems fine until you review how Office 365 processes a request to reset a password.

==============================================================

So what is the process for password resets with MFA enabled admin accounts?

The process for password resets starts when you (or a hacker) clicks on 'Can't access your account?' on the portal page.

You (or the hacker) will be taken to the password reset page.
Enter the UserId, the captcha code, and click next -

The only options for password reset are to text or call the mobile phone.

Once you authenticate via the mobile phone call or text, you will be able to choose a new password.
If a hacker has hijacked your SIM, they will be able to authenticate and choose a new password.

The password will then be reset.

You (or the hacker) have now successfully reset your password.

Note that if a hacker has hijacked your SIM by the process in the SIM Hijacking Stories, the hacker can follow the process above and reset the password, as the authentication code is sent to the SIM. The hacker has now taken over your account and has the same access that your Admin account has. If your Admin account is a Global Admin, then the hacker can now do whatever they want to.

The first you will know about this is when your cell phone goes offline, and while you are investigating why that happened, the hacker has full control and will be accessing your confidential data and creating back doors into the organization.

==========================================================

So how do I protect my Admin accounts from SIM hijacking?

There are two steps to protecting your Admin accounts from SIM hijacking.
- Setting your default authentication to 'Verification code via app'
- Removing the option for phone authentication and enabling Office phone authentication instead.

To protect against SIM hijacking you need to change your authentication process from being cell phone based (SIM) to being application based (using the Microsoft Authenticator app).

Configure your Security Verification Options -
Log in to your apps portal - https://myapps.microsoft.com - Authenticate if needed

In the Apps Portal - click your Profile (person icon) - then select - Profile

Select - Additional security verification

You will now see the current configuration for your account.
As this account was configured with default settings, it is currently set to
- Call my authentication phone

To edit your verification options, click the drop down arrow and change from 'Call my authentication phone' to 'Use verification code from app'.

A red message appears advising that you must enable and configure this option.

Tick - Authenticator App
Click - Configure

The Configure mobile app screen will start to load.

The Configure mobile app screen will change and display the steps on how to configure the mobile app.

Search for and install the 'Microsoft Authenticator' app on your mobile device.
- Google Play Store - Link
- Apple Store - Link

The steps below are from the Google Play Store app -
In the app, add an account and choose "Work or school account".
Scan the QR image.

The Microsoft Authenticator app will automatically add that account.
Click 'Next' on the Configure mobile app screen in the MyApps Portal.

The Authenticator app will then be configured.

There is one more very important step to perform to protect your account against a hijacked SIM.
You will need to untick your Authentication phone setting and change it to Office Phone.

Enter the details of your Office phone (or just some random numbers if you want).
It doesn't really matter what numbers are here. We are just changing the option to Office phone because your configuration MUST have a phone number, and we don't want that number to be your mobile. Bear in mind that whatever number you enter is kept as a secondary verification method (it appears as TwoWayVoiceOffice in the report later in this tutorial), so if you enter a real office number, anyone who can answer that phone can complete that method.

Once we have configured the verification app and changed the Authentication phone to Office phone, we can click Save.

You will then be prompted to verify due to the change of preferred option.
Click - Verify preferred option

Open the Microsoft Authenticator app on your phone or device, and enter the verification code in the box displayed.

Once verified, you will be advised that the update was successful.
Click - Close

You have now successfully changed your verification process.

Now sign out of the portal and sign back in to confirm that the process has changed to support the verification via app.

When signing in to the portal, the authentication process will now be changed and advise that it is using the verification code from your mobile app. Sign in to confirm the process works.

Excellent. We have now configured the Office 365 MFA admin account correctly.

==========================================================

So what happens when a hacker with my SIM tries to reset my password after this change?

As before, the process for password resets starts when the hacker clicks on 'Can't access your account?' on the portal page.

The hacker will be taken to the password reset page.
Enter the UserId, the captcha code, and click next -

Even after the configuration change, the only options are to text or call the mobile phone.

If the hacker has hijacked your SIM, they can authenticate via the mobile phone call or text.
*** The hacker will be able to choose a new password. ***

Your password will then be reset.

*** The hacker has now successfully reset the password ***

If the hijacker has reset your password, they will still be unable to log into your account, as they will need the verification code from the mobile app, which is not tied to your SIM.

But what happens if they try to 'Use a different verification option'?

The hacker will then be presented with the options below.
But as we have set up the Office phone options, and removed the mobile phone option (that is tied to your SIM), the hacker will not be able to log in.

By changing the two settings in your authentication process, you are able to protect your MFA enabled admin account from SIM hijacking.

As you can see, if a hacker hijacks your SIM, they can still cause havoc by changing your password, but they can't actually log in due to the way we have configured your account.

===========================================================

Awesome... 
So is there a way to check if my Admin accounts are configured correctly?

Yes. I have created a basic script that can be used to determine firstly which accounts are configured for MFA, and secondly, if they are configured with the verification app and Office phone authentication.

Before running this script, I have deleted my previous MFA enabled admin accounts and created three new MFA enabled admin accounts with the following authentication settings.

admin-mfa-default
- Default authentication settings - Phone call to cell

admin-mfa-app-cell
- Authentication settings changed to Microsoft Authenticator app and cell phone

admin-mfa-app-office
- Authentication settings changed to Microsoft Authenticator app and Office phone


Note: before running these PowerShell scripts, use the tutorials linked at the start of this tutorial if you have not yet configured your admin machine for PowerShell administration.


Script to determine which accounts are configured for MFA -

Connect to Azure AD v1 (see tutorial links above)

Run the following script to determine which accounts are configured for MFA (add -All to Get-MsolUser if your tenant has more than 500 users, which is the cmdlet's default page size) -


# Export one row per registered MFA method for every user that has MFA configured.
Get-MsolUser | Where {$_.StrongAuthenticationMethods -ne $null} | foreach {
    ForEach ($entry in $_.StrongAuthenticationMethods) {
        $Data = New-Object PSObject
        # Parameter names must use a plain hyphen (-Name, -Value); an en-dash breaks the command.
        $Data | Add-Member -MemberType NoteProperty -Name UserPrincipalName -Value $($_.UserPrincipalName)
        $Data | Add-Member -MemberType NoteProperty -Name Default -Value $($entry.IsDefault)
        $Data | Add-Member -MemberType NoteProperty -Name MethodType -Value $($entry.MethodType)
        #write-output $Data
        # Append the row to the CSV (the folder C:\Scripts must already exist).
        $Data | export-csv -NoTypeInformation -append -Path "C:\Scripts\MFA-Users-And-Configuration.csv"
    }
}


The csv results will look similar to the following.

The only account that is correctly configured (as per this article) and protected against SIM hijacking is the account admin-mfa-app-office. Notice the keywords 'PhoneApp' and 'Office' in the MethodType column, confirming the correct configuration.

===========================================================

Any mention of Mobile or SMS in the MethodType column confirms that the account is at risk of SIM hijacking, because its authentication codes are sent to the cell phone's underlying SIM.

The account admin-mfa-default uses TwoWayVoiceMobile as the default authentication and OneWaySMS for secondary authentication.
This account is not protected against SIM hijacking.

The account admin-mfa-app-cell uses PhoneAppOTP as the default authentication, which is correct. However, it also uses OneWaySMS and TwoWayVoiceMobile for secondary authentication.
This account is not protected against SIM hijacking.

Only the account admin-mfa-app-office is protected against SIM hijacking.
This account uses PhoneAppOTP as the default authentication, and only PhoneAppNotification and TwoWayVoiceOffice as secondary authentication.
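The CSV above still has to be read by eye. The script below is an added example, not the tutorial author's script, that applies the rule from the last two sections automatically: an account is protected only when its default method is the Authenticator app and no Mobile or SMS method remains as a secondary option. The function name Test-MfaSimResilience, the helper New-SampleUser, the placeholder tenant name and the output path are my own; the MethodType values are the ones shown in the CSV, plus TwoWayVoiceAlternateMobile, a further MSOnline method type that also calls a mobile number and is not in the tutorial's CSV. The sample accounts are constructed to mirror the three test accounts above, so the script runs offline; the commented live run assumes the MSOnline module and an existing Connect-MsolService session.

```powershell
# Added example (not the tutorial author's script): flag MFA-enabled accounts
# that still rely on a SIM-delivered method. Runs offline against the
# constructed sample below; the live run at the end assumes Connect-MsolService.

# Methods delivered to a cell phone SIM (code or call goes to the mobile number).
# TwoWayVoiceAlternateMobile is an MSOnline method type not in the tutorial's CSV;
# it is listed because it also calls a mobile number.
$SimBoundMethods = @('OneWaySMS', 'TwoWayVoiceMobile', 'TwoWayVoiceAlternateMobile')

# Methods that do not depend on the SIM: the Authenticator app, and the office
# phone the tutorial registers only to satisfy the "must have a phone number" rule.
$SimResilientMethods = @('PhoneAppOTP', 'PhoneAppNotification', 'TwoWayVoiceOffice')

function Test-MfaSimResilience {
    # Accepts objects shaped like Get-MsolUser output (UserPrincipalName plus a
    # StrongAuthenticationMethods list with MethodType and IsDefault) and emits
    # one result object per MFA-enabled user. Users without MFA are skipped.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Users
    )
    process {
        foreach ($user in $Users) {
            $methods = @($user.StrongAuthenticationMethods)
            if ($methods.Count -eq 0) { continue }

            $default  = @($methods | Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType })
            $simBound = @($methods | Where-Object { $SimBoundMethods -contains $_.MethodType } |
                          ForEach-Object { $_.MethodType })
            # Anything outside both lists is unknown to this check and reported as a finding.
            $unknown  = @($methods | Where-Object {
                              ($SimBoundMethods + $SimResilientMethods) -notcontains $_.MethodType } |
                          ForEach-Object { $_.MethodType })

            # Protected means: the default is an app method AND no SIM-bound method
            # remains as a secondary option (secondary methods are still offered at sign-in).
            $defaultIsApp = ($default.Count -eq 1) -and
                            (@('PhoneAppOTP', 'PhoneAppNotification') -contains $default[0])
            $protected = $defaultIsApp -and ($simBound.Count -eq 0) -and ($unknown.Count -eq 0)

            [PSCustomObject]@{
                UserPrincipalName = $user.UserPrincipalName
                DefaultMethod     = ($default -join ';')
                SimBoundMethods   = ($simBound -join ';')
                UnknownMethods    = ($unknown -join ';')
                Protected         = $protected
            }
        }
    }
}

# Constructed sample mirroring the tutorial's three test accounts.
# The tenant name is a placeholder, not the tutorial's tenant.
function New-SampleUser([string]$Upn, [hashtable[]]$Methods) {
    [PSCustomObject]@{
        UserPrincipalName           = $Upn
        StrongAuthenticationMethods = @($Methods | ForEach-Object { [PSCustomObject]$_ })
    }
}
$SampleUsers = @(
    (New-SampleUser 'admin-mfa-default@tenant-placeholder.onmicrosoft.com' @(
        @{ MethodType = 'TwoWayVoiceMobile'; IsDefault = $true },
        @{ MethodType = 'OneWaySMS';         IsDefault = $false }))
    (New-SampleUser 'admin-mfa-app-cell@tenant-placeholder.onmicrosoft.com' @(
        @{ MethodType = 'PhoneAppOTP';          IsDefault = $true },
        @{ MethodType = 'PhoneAppNotification'; IsDefault = $false },
        @{ MethodType = 'OneWaySMS';            IsDefault = $false },
        @{ MethodType = 'TwoWayVoiceMobile';    IsDefault = $false }))
    (New-SampleUser 'admin-mfa-app-office@tenant-placeholder.onmicrosoft.com' @(
        @{ MethodType = 'PhoneAppOTP';          IsDefault = $true },
        @{ MethodType = 'PhoneAppNotification'; IsDefault = $false },
        @{ MethodType = 'TwoWayVoiceOffice';    IsDefault = $false }))
)

# Offline run: only admin-mfa-app-office should show Protected = True.
$SampleUsers | Test-MfaSimResilience | Format-Table -AutoSize

# Live run (after Connect-MsolService); -All avoids the 500-user default page size.
# Get-MsolUser -All | Test-MfaSimResilience |
#     Export-Csv -NoTypeInformation -Path 'C:\Scripts\MFA-SIM-Risk.csv'
```

The check is deliberately strict: a method type it does not recognise is reported in UnknownMethods and prevents Protected from being True, so a new method type added to the service shows up as something to review rather than silently passing. Filtering the live output with Where-Object { -not $_.Protected } gives the list of admin accounts that still need the two changes described in this tutorial.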

============================================================

Congratulations.
You now know how to configure your Office 365 Admin accounts to protect against SIM hijacking.

===========================================================

A LOT of research has gone into this tutorial, so I have decided to include the resources links below for you if you would like more information.

Resources -
Available versions of Azure MFA - Link
Security Best Practices for using Azure Multi-Factor Authentication with Azure AD accounts - Link
Securing Office 365 Administrator Accounts with Multi-Factor Authentication - Link
MFA options with Azure AD plans - Link
Configure Azure Multi-Factor Authentication settings - Link
How Azure Multi-Factor Authentication works (Methods available) - Link
Use PowerShell to report on individuals MFA configuration (phone number etc) - Link
Multi-Factor Authentication (MFA) Setup and End-User Experience with Office 365 and PowerShell - Link
Active Directory conditional access device policies for Office 365 services - Link
Getting started with Azure Multi-Factor Authentication in the cloud - Link
Azure Multi-Factor Authentication features per license and implementation - Link
First Steps: Securing Office 365 Administrator Accounts with Multi-Factor Authentication - Link

2 comments:

  1. Brilliant research - even without considering the SIM hijacking, I always preferred the MS Authentication app and only listed office number in, but this shows me and in great detail just how lucky I was
