Bypassing Phishing-Resistant MFA: New Vulnerability Discovered in Microsoft Entra ID

A new concern has emerged in the cybersecurity landscape. Security researchers have identified a novel technique that allows attackers to bypass phishing-resistant Multi-Factor Authentication (MFA) in Microsoft Entra ID, raising alarms about the robustness of even advanced security measures.

This technique was initially tested as part of a Capture The Flag (CTF) competition called EntraIDiots, where participants were granted access solely through phishing-resistant MFA. However, researchers discovered that by manipulating specific parameters in the authentication request, they could deceive the system.

The dangerous technique is executed through the following steps:

  1. The victim visits a specially crafted malicious webpage.
  2. This page invokes Microsoft’s login interface, embedding the following critical details:
    • A unique identifier for the Authentication Broker: 29d9ed98-a469-4536-ade2-f981bc1d605e.
    • The address of Microsoft’s registration service.
    • A key parameter: amr_values=ngcmfa, which enforces MFA.
    • A redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin.
  3. Once the victim completes the MFA process, attackers obtain an authorization code.
  4. Using this code, attackers can:
    • Register a new device in the Entra ID system.
    • Obtain a Primary Refresh Token (PRT).
    • Register a Windows Hello for Business (WHFB) key.
    • Generate a new PRT based on this key.

Through these steps, attackers establish a persistent backdoor in the system. Most alarmingly, this process is nearly undetectable within the user’s account.

Why Is This Method Dangerous?

  • The hidden access key does not appear in the list of authentication methods for the user’s account.
  • Even administrators cannot view their own authentication methods; a separate administrator is required to do so.
  • Audit logs provide insufficient detail, making it significantly harder to detect the threat.
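A defender-side check for the request shape described above, added here as an example (not code from the researchers or the original article): it parses OAuth authorization-request URLs, for instance from a TLS-inspecting proxy export in an assumed "timestamp user url" format, and flags requests that combine the broker client ID, the broker redirect URI and amr_values=ngcmfa. The parameter names client_id and redirect_uri are the standard OAuth ones and are assumed unmodified.

```python
from urllib.parse import parse_qs, urlparse

# Indicators quoted in the write-up above
BROKER_CLIENT_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"
BROKER_REDIRECT_PREFIX = "ms-appx-web://microsoft.aad.brokerplugin"
FRESH_MFA_AMR = "ngcmfa"


def extract_indicators(url: str) -> dict:
    """Map each indicator to whether the authorization request carries it.
    client_id / redirect_uri / amr_values are the standard OAuth and OIDC
    parameter names (assumption: the request uses them unmodified)."""
    params = parse_qs(urlparse(url).query)  # decodes %xx and '+' in values

    def first(key: str) -> str:
        return (params.get(key) or [""])[0].strip().lower()

    return {
        "broker_client_id": first("client_id") == BROKER_CLIENT_ID,
        "broker_redirect_uri": first("redirect_uri").startswith(BROKER_REDIRECT_PREFIX),
        "fresh_mfa_requested": FRESH_MFA_AMR in first("amr_values").split(),
    }


def is_broker_style_request(url: str) -> bool:
    """True only when all three indicators appear together in one request."""
    return all(extract_indicators(url).values())


def scan_proxy_log(lines):
    """Return (user, url) for each matching request in 'timestamp user url' lines.
    That format is a constructed stand-in for a TLS-inspecting proxy export."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and is_broker_style_request(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits


# Constructed samples: a matching request, an ordinary sign-in to a placeholder
# app, and a broker client_id request without amr_values=ngcmfa.
AUTHZ = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
SAMPLE_LOG = [
    f"2025-01-01T09:00:00Z alice {AUTHZ}?client_id={BROKER_CLIENT_ID}&response_type=code"
    "&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin&amr_values=ngcmfa&scope=openid",
    f"2025-01-01T09:01:00Z bob {AUTHZ}?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Fintranet.example.com%2Fcb&scope=openid",
    f"2025-01-01T09:02:00Z carol {AUTHZ}?client_id={BROKER_CLIENT_ID}&response_type=code"
    "&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin&scope=openid",
]
```

Legitimate Windows broker sign-ins can produce the same request shape, so treat hits as triage candidates to correlate with device-registration and authentication-method changes on the same account rather than as confirmed compromise.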

How to Protect Against It?

Researchers recommend the following countermeasures:

  • Mandate phishing-resistant MFA for all users.
  • Implement warning systems to detect Adversary-in-the-Middle (AiTM) attacks.
  • Restrict device registration in Entra ID.
  • Enforce strict compliance policies.
  • Limit or completely disable the Device Code Flow.

The researchers view this approach as an evolution of the PRT phishing technique developed by Dirk-jan Mollema in 2023. The key difference is that this new method works even in environments where MFA is mandatory, tricking users into completing authentication and enabling system compromise.

This incident serves as a cautionary tale for Microsoft Entra ID users. No system, even one equipped with cutting-edge security tools, is immune to vulnerabilities without a multi-layered, well-thought-out security strategy. Transitioning to passwordless authentication is not a complete solution but merely one component of a comprehensive security approach.