Overall, Microsoft sees more than 300 fraudulent sign-in attempts that target Microsoft cloud services each day, but MFA stops nearly all of these attacks. The 0.1 percent of successful attacks are sophisticated in nature and are far less common.
The three most common vulnerabilities seen across all sectors is business email compromise, legacy protocols, and password reuse. Applications that use basic protocols like SMTP weren’t designed to manage MFA. Even if MFA is required for most use cases, the hackers will search for opportunities to use outdated browsers to email applications to force the use of less secure protocols.
Meanwhile, up to 73 percent of users duplicate their passwords in both their personal and work accounts, which are used by hackers in attempts to gain access to corporate accounts.
“Cyberattacks aren’t slowing down, and it’s worth noting that many attacks have been successful without the use of advanced technology,” Melanie Maynes, Microsoft Security’s senior product marketing manager, wrote. “All it takes is one compromised credential or one legacy application to cause a data breach.”
“This underscores how critical it is to ensure password security and strong authentication,” she added.
Microsoft’s Group Program Manager for Identity Security and Protection Alex Weinert outlined password challenges in July, noting that, overall, passwords mostly don’t matter in many attack attempts, outside of password spray or brute force attacks.
For those attacks, Microsoft recommended organizations avoid the top-guess passwords, passwords with more than eight characters, or a password manager “if you are really nervous.”
“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9 percent less likely to be compromised if you use MFA.”
“With the increase in sophisticated MFA phishing and bigger cracking rigs (including quantum), what we really need is a cryptographically strong credential bound to the client hardware that stores a benign artifact online, which makes the inevitable punchline better credentials (like FIDO2),” he added.
To Weinert, the old adage to never reuse a password that has been seen in a breach or that passwords are the answer is inconsistent with Microsoft’s research. And focusing on password rules instead of tools that can actually help, like MFA and threat detection is just a distraction.
For starters, Microsoft sees more than 20 million credential stuffing attacks on a daily basis, which stems from how easy it is for hackers to purchase credentials gathered from breached sites with bd policies around data at rest and then test for matches on other systems.
Phishing attempts make up about 0.5 percent of all inbound emails, Microsoft found. These attacks can be incredibly successful, as users are curious or ignore warnings to not click on malicious emails. In the healthcare sector, phishing has remained one of the most successful attack methods. And passwords are ineffective, as the user provides the hacker with the credentials.
Also notable: Password spray attempts account for 16 percent of attacks. Microsoft found that thousands are broken each day, with millions of accounts probed daily. These attacks are extremely easy for hackers as they use easily acquired user lists, attempt the same password over a large number of usernames, and regulate the speed of attempts across many IPs to avoid detection.
The tools used in the attacks are also inexpensive and easy to purchase.
Microsoft also noted that extortion, brute force, and local discovery attempts are seen in relatively low frequency. But again, in these attacks passwords aren’t effective as the user provides it to the attacker, or they steal it.
There are two main obstacles hindering organizations from implementing MFA: the misconception that the tool requires external hardware devices and concern around user disruption or technology malfunction, a Sans Software Security Institute report showed.
“To us, this comes across as another excuse,” researchers wrote. “There are multiple ways to implement stronger authentication within your organization; it doesn’t have to be an all-or-nothing approach.”
While an all-at-once strategy will protect all users at one time, regardless of role, the researchers stressed that this will likely be disruptive to the organization. For example, remote access and system administration roles could break due to increased, unplanned security.
But a role-based approach can strengthen authentication beginning with high-privilege users like domain administrators with a significantly lower rate of user disruption. Alternatively, organizations can implement a phased, system-based approach beginning with external-facing systems, systems typically used by privileged users, or third-party management that require stronger authentication.
However, MFA may not be supported by all systems that require external connectively and will have to rely on account permissions simultaneously.
As user authentication is one of the most common cyber risks facing hospitals and other healthcare providers, the use of stronger authentication can shore up some of these gaps. MFA has also been shown to combat phishing and other cyberattacks by ensuring it’s the patient or employee and not the hacker attempting to access the system.
Google recently released similar findings that showed google blocks more than 100 million phishing emails each day. The threat continues to be successful given its highly targeted nature and ever-evolving variants.