Phishers attempt to bypass Office 365 multi-factor authentication

Scammers were able to access Microsoft Office 365 services using phished credentials, successfully bypassing the target organisations’ multi-factor authentication layers. The compromised services had support for legacy terminal devices and applications enabled during installation.

Multi-factor authentication (MFA) is a procedure where, in addition to login credentials, a second authentication method is used to confirm the identity of the user. For example, users can be sent a verification code by SMS that must be entered before login can be completed. MFA provides an additional layer of protection in situations where a user has revealed their credentials to cybercriminals by accidentally entering them on a phishing site instead of a legitimate website, as the procedure prevents the attackers from accessing the user’s account using only their username and password.

Bypassing MFA

There are currently a number of active phishing campaigns that have successfully bypassed the MFA protections of organisations using Office 365. The attacks exploit Office 365 settings that grant non-MFA-compatible legacy applications access to the service.

The feature renders older applications Office 365-compatible even though they do not support multi-factor authentication. This means that multi-factor authentication is disabled for certain access protocols.

The National Cyber Security Centre Finland (NCSC-FI) recommends that MFA be activated for all access protocols even if it means that older devices and applications cannot be used with Microsoft Office 365 services.

How to protect your Office 365 services (for administrators)

Are you the administrator of Office 365 services in your organisation?
  • Use the Office 365 multi-factor authentication tool.
  • Make sure that it is activated for all permissible access protocols (e.g. EWS, ActiveSync and POP/IMAP).
  • Check that you are using Modern Authentication.
  • Block access to Office 365 services from applications that do not support Modern Authentication. These may include mobile phones’ native email applications.
  • Please note that these changes may cause compatibility problems with older applications.
  • If your organisation applies an MFA method that uses SMS or callback as a second layer, confirm that the telephone numbers comply with the company information security policy (for example company-issued numbers only).
  • If you suspect that passwords may have ended up in the wrong hands, have them changed and make sure there are no unauthorised email forwarding rules on any user accounts.

These instructions are for administrators. Regular users do not have the right to edit MFA settings.
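
Before blocking legacy protocols, it helps to know which accounts still sign in through them and whether any of those sign-ins succeeded with a password alone. The script below is an added example, not part of the original advisory or any Microsoft tooling. It assumes a sign-in log exported as one JSON record per line, with field names and client labels modelled on Azure AD sign-in logs (`clientAppUsed`, `status.errorCode` with 0 meaning success); the sample records are constructed.

```python
import json
from collections import defaultdict

# Client labels treated as legacy (no Modern Authentication, so no MFA prompt).
# Assumption: labels follow the "clientAppUsed" values of Azure AD sign-in logs.
LEGACY_CLIENTS = {"Exchange Web Services", "Exchange ActiveSync", "POP3", "IMAP4"}

# Constructed sample export, one JSON record per line (not real log data).
SAMPLE_LOG = """\
{"createdDateTime":"2019-05-02T06:11:09Z","userPrincipalName":"anna@example.org","clientAppUsed":"Browser","ipAddress":"192.0.2.10","status":{"errorCode":0}}
{"createdDateTime":"2019-05-02T06:14:31Z","userPrincipalName":"Anna@example.org","clientAppUsed":"IMAP4","ipAddress":"203.0.113.77","status":{"errorCode":0}}
{"createdDateTime":"2019-05-02T07:01:00Z","userPrincipalName":"bob@example.org","clientAppUsed":"POP3","ipAddress":"203.0.113.77","status":{"errorCode":50126}}
{"createdDateTime":"2019-05-02T07:01:04Z","userPrincipalName":"bob@example.org","clientAppUsed":"POP3","ipAddress":"203.0.113.77","status":{"errorCode":50126}}
{"createdDateTime":"2019-05-02T08:30:12Z","userPrincipalName":"carl@example.org","clientAppUsed":"Exchange ActiveSync","ipAddress":"198.51.100.5","status":{"errorCode":0}}
not json
"""

def legacy_signins(lines):
    """Group legacy-protocol sign-ins per user: successes, failure count, clients seen."""
    report = defaultdict(lambda: {"success": [], "failed": 0, "clients": set()})
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged export lines
        client = rec.get("clientAppUsed", "")
        if client not in LEGACY_CLIENTS:
            continue  # Modern Authentication clients are subject to MFA
        entry = report[rec.get("userPrincipalName", "<unknown>").lower()]
        entry["clients"].add(client)
        if rec.get("status", {}).get("errorCode") == 0:
            entry["success"].append((rec.get("createdDateTime"), rec.get("ipAddress"), client))
        else:
            entry["failed"] += 1
    return dict(report)

if __name__ == "__main__":
    for user, e in sorted(legacy_signins(SAMPLE_LOG.splitlines()).items()):
        print(f"{user}: clients={sorted(e['clients'])} failed={e['failed']}")
        for when, ip, client in e["success"]:
            print(f"  password-only sign-in succeeded: {when} {ip} {client}")
```

Accounts listed with successful entries are the ones that will be affected by blocking legacy access, and any success from an unfamiliar address is a reason to change the password and review that mailbox's forwarding rules.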


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

P.O. Box 313, FI-00561 HELSINKI

Dynamicum, Erik Palménin aukio 1, 00560 HELSINKI

Media contacts by telephone +358 295 390 248