https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883007#M940 <DIV class="duo-migrated-content"><P>Was alarmed to read the following, which describes a fake o365 login page whereby the user puts in their credentials on the fake page.</P> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks"> <HEADER class="source"> <IMG src="https://www.computerweekly.com/favicon.ico" class="site-icon" width="16" height="16" /> <A href="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks" target="_blank" rel="noopener nofollow ugc">ComputerWeekly.com</A> </HEADER> <ARTICLE class="onebox-body"> <DIV class="aspect-image" style="--aspect-ratio:690/229;"><span class="lia-inline-image-display-wrapper" image-alt="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" style="width: 690px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/191336i34285CC4C0B95F1F/image-size/large?v=v2&amp;px=999" role="button" title="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" alt="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" /></span></DIV> <H3><A href="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks" target="_blank" rel="noopener nofollow ugc">Experts warn on Office 365 phishing attacks</A></H3> <P>Newly observed campaign is particularly dangerous because it appears to neutralise one of the most widely known anti-phishing techniques.</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <P>We are using AD conditional access for MFA with DUO for our Office 365 logins. Since the o365 access is automatically redirected to the DUO login page, is it possible that MFA could be bypassed and that the user credentials would be captured by the criminal in this case?</P></DIV> Thu, 02 Sep 2021 15:58:56 GMT lkeyes1 2021-09-02T15:58:56Z https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883007#M940 <DIV class="duo-migrated-content"><P>Was alarmed to read the following, which describes a fake o365 login page whereby the user puts in their credentials on the fake page.</P> <ASIDE class="onebox allowlistedgeneric" data-onebox-src="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks"> <HEADER class="source"> <IMG src="https://www.computerweekly.com/favicon.ico" class="site-icon" width="16" height="16" /> <A href="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks" target="_blank" rel="noopener nofollow ugc">ComputerWeekly.com</A> </HEADER> <ARTICLE class="onebox-body"> <DIV class="aspect-image" style="--aspect-ratio:690/229;"><span class="lia-inline-image-display-wrapper" image-alt="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" style="width: 690px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/191336i34285CC4C0B95F1F/image-size/large?v=v2&amp;px=999" role="button" title="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" alt="2X_6_648cd956344c20b4573114acafcba6d29242e019.jpeg" /></span></DIV> <H3><A href="https://www.computerweekly.com/news/252506088/Experts-warn-on-Office-365-phishing-attacks" target="_blank" rel="noopener nofollow ugc">Experts warn on Office 365 phishing attacks</A></H3> <P>Newly observed campaign is particularly dangerous because it appears to neutralise one of the most widely known anti-phishing techniques.</P> </ARTICLE> <DIV class="onebox-metadata"> </DIV> <DIV style="clear: both"></DIV> </ASIDE> <P>We are using AD conditional access for MFA with DUO for our Office 365 logins. Since the o365 access is automatically redirected to the DUO login page, is it possible that MFA could be bypassed and that the user credentials would be captured by the criminal in this case?</P></DIV> Thu, 02 Sep 2021 15:58:56 GMT https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883007#M940 lkeyes1 2021-09-02T15:58:56Z https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883008#M941 <DIV class="duo-migrated-content"><P>If you are using the Conditional Access method to protect Office 365 with Duo, then there is no Duo page redirect. The process is user types in email, clicks next, is sent to the Microsoft password reception page which you can / may have branded, and then when click submit it prompts the user for a Duo prompt.</P> <P>To the concerns raised in the article, yes, this attack is entirely still possible with MFA enabled.</P></DIV> Fri, 03 Sep 2021 14:45:24 GMT https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883008#M941 adam.palmer 2021-09-03T14:45:24Z https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883009#M942 <DIV class="duo-migrated-content"><P>Hi, <A class="mention" href="https://community.duo.com/u/adam.palmer">@adam.palmer</A> : With our conditional access… you do indeed go to the Microsoft password reception page… put in your name and password… however at that point the page goes to <A href="http://xxxxxxxx.duosecurity.com" rel="noopener nofollow ugc">xxxxxxxx.duosecurity.com</A> which gives you the option of Send Me a Push, Call Me or Enter a Passcode. … I’d call that a redirect… from the o365 login page to the duo page… my question was whether that constituted a vulnerability… could some bad actor intercept that redirection, put up a bogus DUO MFA page perhaps…</P></DIV> Fri, 03 Sep 2021 15:41:19 GMT https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883009#M942 lkeyes1 2021-09-03T15:41:19Z https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883010#M943 <DIV class="duo-migrated-content"><P>Duo integrations that support the new <A href="https://duo.com/docs/universal-prompt-update-guide">Universal Prompt</A> (like Duo’s custom control for Azure AD) protect against the scenario you describe (a bogus Duo MFA page) by using <A href="https://duo.com/docs/oauthapi">OIDC standards-based authorization</A>, signed by the unique application info, with a redirect to a page hosted in our own domain. Even if that redirect was intercepted and someone created a fake hosted Duo MFA prompt, it would not provide valid authorization for the auth success.</P> <P>For applications not yet updated to the OIDC authorization flow, that still show Duo’s traditional prompt in an iframe on a page hosted at the application (not a redirect to a page hosted by Duo, we recommend configuring <A href="https://duo.com/docs/protecting-applications#hostname-whitelisting">a list of hosts allowed to show the prompt</A> in the Duo application’s properties to protect against this.</P></DIV> Tue, 07 Sep 2021 13:01:25 GMT https://community.cisco.com/t5/managing-users/o365-ad-conditional-access-phishing-with-fake-sign-in/m-p/4883010#M943 DuoKristina 2021-09-07T13:01:25Z