Kyle Rozendaal

As a Security Consultant, Kyle is responsible for helping clients identify and mitigate security risks within their systems. This involves conducting security assessments and penetration testing, analyzing vulnerabilities, and providing recommendations for remediation. In his five-year-long career in cybersecurity, Kyle’s focus has primarily been on performing internal and external network assessments, along with experience in phishing and social engineering engagements. In previous roles, Kyle led a Digital Forensics Investigative team, implemented defensive software, managed firewalls, and responded to security incidents across a large domain.

Kyle has five years of Information Security experience and one year in penetration testing. He holds his M.S. in Information Assurance and his OSCP from Offensive Security.
More by Kyle Rozendaal
WP_Query Object
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "163"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "163"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "163"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "163"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [search_columns] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 1
            [update_post_term_cache] => 1
            [update_menu_item_cache] => 
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "163"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "163"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "163"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "163"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => SELECT   wp_posts.ID
					 FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id )
					 WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{7cec835587fc8b85b8e655bf5b6740fe667e4c95fcddac80cb4073ce2263da7e}\"163\"{7cec835587fc8b85b8e655bf5b6740fe667e4c95fcddac80cb4073ce2263da7e}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{7cec835587fc8b85b8e655bf5b6740fe667e4c95fcddac80cb4073ce2263da7e}\"163\"{7cec835587fc8b85b8e655bf5b6740fe667e4c95fcddac80cb4073ce2263da7e}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish'))
					 GROUP BY wp_posts.ID
					 ORDER BY wp_posts.post_date DESC
					 
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 31386
                    [post_author] => 163
                    [post_date] => 2023-11-02 09:00:00
                    [post_date_gmt] => 2023-11-02 14:00:00
                    [post_content] => 

On a recent external assessment, I stumbled upon a method to bypass a client’s MFA requirement:  access a single-sign on (SSO) token and leverage that token to access internal applications that—by policy—should have been locked behind an MFA prompt, all without triggering an MFA alert on the end-user's mobile device. This was possible due to a misconfiguration in the client’s Entra ID Conditional Access Policy for third-party MFA and a first-party integration with the myaccount.microsoft.com portal. 

To understand the vulnerability, there are a few things to understand about the Entra ID authentication flow. Within any Entra ID environment, there are numerous cloud applications that are leveraged when a user authenticates. The application with the misconfiguration is "My Profile" which utilizes "My Account", "My Apps", and "My Signins" for additional functionality within the "My Profile" portal. These separate applications are unique and can be individually configured with conditional access policies.

For this vulnerability to be present, four specific requirements must first be met: 

  1. The attacker must have valid credentials to sign into the Entra ID domain. These credentials can be brute forced through password sprays, found in online dumps, or obtained through social engineering.
  2. Entra ID must be configured to use Duo authenticator (or potentially other third-party MFA provider solutions) as the only method for MFA per the instructions on the Duo website.
  3. The “Require Duo MFA” conditional access policy must be configured for “Select Cloud Apps” rather than “All Cloud Apps” (See Image 1 Below). 
  4. The cloud application "My Profile" must not be included in the conditional access policy while other applications utilized by the "My Profile" application — like "My Account" or "My Sign-Ins" — are included.
Image 1: Require Duo MFA Conditional access policy in a vulnerable state.
Source: https://duo.com/docs/azure-ca

When these four conditions are present in an Entra ID Environment, the myaccount.microsoft.com page loads fully into the browser and provides an SSO token to the user before the conditional access policy is executed and a redirect to the Duo authenticator domain occurs to enforce the MFA authentication.

This odd load-time behavior is what alerted me to the potential for an MFA bypass. See the video below to observe how, briefly, the myaccount.microsoft.com page loads fully into the browser window before the redirect to the MFA prompt domain occurs.

Vulnerable sign-in behavior when the four requirements above are met: note the short timeframe when the page fully loads before the authenticator redirect occurs.

In order to test whether this strange behavior was due to the myaccount.microsoft.com page not respecting the conditional access policy or a misconfiguration in the conditional access policy, in the testing environment we changed one variable—Assignments: All Cloud Apps—rather than the vulnerable “Select Cloud Apps.” The results of that test can be seen below and show that the authentication process on myaccount.microsoft.com functions in a manner where the page is not loaded into the browser prior to the MFA prompt.

Expected secure sign-in behavior when three of the four requirements above are met. In this case, the conditional access policy was configured to fire on “All Cloud Apps” rather than “Select Cloud Apps”: note the myaccount.microsoft.com page does not appear before the redirect to Duo.

The exploit to bypass the misconfiguration is trivial. Using Burp Suite, or an HTTP/s proxying software of your choosing, simply proxy the traffic while authenticating to the myaccount.microsoft.com portal and manually forward packets until there is enough content loaded for you to select a new element on the page and add that to the navigation flow. If the packets are manually forwarded and a new element is selected before the authorization redirect to the Duo portal is loaded into the page, the attacker is able to navigate through the myaccount.microsoft.com portal to access internal applications and manipulate user account details such as password and MFA devices prior to authorization with MFA.

Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and pausing the flow before the MFA Authentication redirect occurs.
Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and demonstrating the ability to access the “update security info” page to manually edit security information for the account.

Limitations:

While this misconfiguration can lead to compromise of internal resources, there are some limitations to what it can accomplish that are all based on client-configurations within the conditional access policies. 

Since cloud-native Microsoft 365 applications are typically configured as part of the conditional access policy that requires MFA, this attack is not useful for accessing M365 resources such as Word Online, Teams, Outlook, or other Microsoft applications through the My Apps portal. Likewise, any other cloud applications that are configured to require multi-factor authentication will still be protected even when being accessed through the My Apps portal. There is also not a known method to elevate this basic token to a more robust token to access portals such as portal.office.com or entra.microsoft.com.

During testing and work with the Microsoft Security and Response Center, we examined four different Microsoft Entra ID environments. Of these four environments, only two contained the application “My Profile”. I compared licensing, where possible, and found no correlation between licensing and the existence of the “My Profile” application within the tenant.

I attempted to bypass this limitation in environments that did not contain the application by adding the application ID to the conditional access policy using the Entra ID PowerShell Modules. This was unsuccessful for the environments that didn’t list the application since it appears that those environments do not recognize the application by ID or name. 

Microsoft has been made aware of this odd behavior within the Entra Tenants and is working on a solution to address the lack of “My Profile” applications in some tenants.

Effectiveness of the attack: 

Many organizations must balance user-experience and convenience with security measures. When implementing a multi-factor authentication policy at an organization, many users do not want to approve multiple notifications just to access a single application. Many organizations will implement a structure of protecting the initial sign in or externally facing applications with MFA when being accessed from untrusted networks and leaving applications only accessible from trusted zones unsecured with MFA. 

In this example, and in real-world tests, bypassing the MFA prompt on myaccount.microsoft.com allowed the attacker to pause web application pages from loading and navigate from a non-trusted zone myaccount.microsoft.com portal to the trusted zone of myapps.microsoft.com without providing an MFA token and access business data on internal applications. 

The business logic behind the decision to not enforce MFA on these internal applications is valid, as the initial MFA prompt should have been completed before being able to access the myapps.microsoft.com portal. However, this vulnerability takes advantage of a slight delay in timing and allows the attacker access to a valid SSO token before authenticating with Duo authenticator and bypasses the business logic in place to prevent access to internal applications without MFA. 

Additionally, finding a multifactor-authentication provider that functions well with all vendors and applications leveraged by a business is nearly impossible. As MFA continues to become a business standard process and procedure across domains, multi-factor authentication providers have varying levels of support with the numerous cloud applications within a business environment. These limitations provide ample targets for attackers looking to leverage this vulnerability against Entra ID subscribers who are only applying MFA requirements through conditional access policies to specific applications either due to business-requirements or lack of support with the specific multi-factor vendor. 

Remediation:

In the environments that do have the "My Profile" Enterprise application to ensure the MFA prompt is triggered at the correct time when the user navigates to the myaccount.microsoft.com portal, the tenant administrator must configure a conditional access policy to target the "My Profile" application.

In the environments that did not include “My Profile” the only method to enforce MFA on myaccount.microsoft.com is to enforce MFA on “All Cloud Applications.” Since the “My Profile” application does not appear in all environments, the misconfiguration occurs from users believing all first-party Microsoft applications are covered by the conditional access policy. 

Conclusion: 

Although basic in its implementation and execution, finding this vulnerability was a stark reminder that although complex security systems are in use across enterprises, sometimes a simple misconfiguration can lead to compromise of secure data within the environment with minimal time investment or technical knowledge. As a penetration tester, it is easy to get bogged down in the technicalities of complex exploits and the prestige that comes along with executing a complex exploit chain. But sometimes it’s good to remember that simple misconfigurations with simple exploits can cause just as much damage to an environment and it is always good to check the basics.

Find more stories like these in our Azure Pentesting eBook.

Azure Cloud Penetration Testing Stories
[post_title] => Abusing Entra ID Misconfigurations to Bypass MFA [post_excerpt] => While conducting an Entra Penetration Test, we discovered a simple misconfiguration in Entra ID that allowed us to bypass MFA. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => abusing-entra-id-misconfigurations-to-bypass-mfa [to_ping] => [pinged] => [post_modified] => 2023-11-01 14:30:11 [post_modified_gmt] => 2023-11-01 19:30:11 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=31386 [menu_order] => 45 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 1 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 31386 [post_author] => 163 [post_date] => 2023-11-02 09:00:00 [post_date_gmt] => 2023-11-02 14:00:00 [post_content] =>

On a recent external assessment, I stumbled upon a method to bypass a client’s MFA requirement:  access a single-sign on (SSO) token and leverage that token to access internal applications that—by policy—should have been locked behind an MFA prompt, all without triggering an MFA alert on the end-user's mobile device. This was possible due to a misconfiguration in the client’s Entra ID Conditional Access Policy for third-party MFA and a first-party integration with the myaccount.microsoft.com portal. 

To understand the vulnerability, there are a few things to understand about the Entra ID authentication flow. Within any Entra ID environment, there are numerous cloud applications that are leveraged when a user authenticates. The application with the misconfiguration is "My Profile" which utilizes "My Account", "My Apps", and "My Signins" for additional functionality within the "My Profile" portal. These separate applications are unique and can be individually configured with conditional access policies.

For this vulnerability to be present, four specific requirements must first be met: 

  1. The attacker must have valid credentials to sign into the Entra ID domain. These credentials can be brute forced through password sprays, found in online dumps, or obtained through social engineering.
  2. Entra ID must be configured to use Duo authenticator (or potentially other third-party MFA provider solutions) as the only method for MFA per the instructions on the Duo website.
  3. The “Require Duo MFA” conditional access policy must be configured for “Select Cloud Apps” rather than “All Cloud Apps” (See Image 1 Below). 
  4. The cloud application "My Profile" must not be included in the conditional access policy while other applications utilized by the "My Profile" application — like "My Account" or "My Sign-Ins" — are included.
Image 1: Require Duo MFA Conditional access policy in a vulnerable state.
Source: https://duo.com/docs/azure-ca

When these four conditions are present in an Entra ID Environment, the myaccount.microsoft.com page loads fully into the browser and provides an SSO token to the user before the conditional access policy is executed and a redirect to the Duo authenticator domain occurs to enforce the MFA authentication.

This odd load-time behavior is what alerted me to the potential for an MFA bypass. See the video below to observe how, briefly, the myaccount.microsoft.com page loads fully into the browser window before the redirect to the MFA prompt domain occurs.

Vulnerable sign-in behavior when the four requirements above are met: note the short timeframe when the page fully loads before the authenticator redirect occurs.

In order to test whether this strange behavior was due to the myaccount.microsoft.com page not respecting the conditional access policy or a misconfiguration in the conditional access policy, in the testing environment we changed one variable—Assignments: All Cloud Apps—rather than the vulnerable “Select Cloud Apps.” The results of that test can be seen below and show that the authentication process on myaccount.microsoft.com functions in a manner where the page is not loaded into the browser prior to the MFA prompt.

Expected secure sign-in behavior when three of the four requirements above are met. In this case, the conditional access policy was configured to fire on “All Cloud Apps” rather than “Select Cloud Apps”: note the myaccount.microsoft.com page does not appear before the redirect to Duo.

The exploit to bypass the misconfiguration is trivial. Using Burp Suite, or an HTTP/s proxying software of your choosing, simply proxy the traffic while authenticating to the myaccount.microsoft.com portal and manually forward packets until there is enough content loaded for you to select a new element on the page and add that to the navigation flow. If the packets are manually forwarded and a new element is selected before the authorization redirect to the Duo portal is loaded into the page, the attacker is able to navigate through the myaccount.microsoft.com portal to access internal applications and manipulate user account details such as password and MFA devices prior to authorization with MFA.

Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and pausing the flow before the MFA Authentication redirect occurs.
Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and demonstrating the ability to access the “update security info” page to manually edit security information for the account.

Limitations:

While this misconfiguration can lead to compromise of internal resources, there are some limitations to what it can accomplish that are all based on client-configurations within the conditional access policies. 

Since cloud-native Microsoft 365 applications are typically configured as part of the conditional access policy that requires MFA, this attack is not useful for accessing M365 resources such as Word Online, Teams, Outlook, or other Microsoft applications through the My Apps portal. Likewise, any other cloud applications that are configured to require multi-factor authentication will still be protected even when being accessed through the My Apps portal. There is also not a known method to elevate this basic token to a more robust token to access portals such as portal.office.com or entra.microsoft.com.

During testing and work with the Microsoft Security and Response Center, we examined four different Microsoft Entra ID environments. Of these four environments, only two contained the application “My Profile”. I compared licensing, where possible, and found no correlation between licensing and the existence of the “My Profile” application within the tenant.

I attempted to bypass this limitation in environments that did not contain the application by adding the application ID to the conditional access policy using the Entra ID PowerShell Modules. This was unsuccessful for the environments that didn’t list the application since it appears that those environments do not recognize the application by ID or name. 

Microsoft has been made aware of this odd behavior within the Entra Tenants and is working on a solution to address the lack of “My Profile” applications in some tenants.

Effectiveness of the attack: 

Many organizations must balance user-experience and convenience with security measures. When implementing a multi-factor authentication policy at an organization, many users do not want to approve multiple notifications just to access a single application. Many organizations will implement a structure of protecting the initial sign in or externally facing applications with MFA when being accessed from untrusted networks and leaving applications only accessible from trusted zones unsecured with MFA. 

In this example, and in real-world tests, bypassing the MFA prompt on myaccount.microsoft.com allowed the attacker to pause web application pages from loading and navigate from a non-trusted zone myaccount.microsoft.com portal to the trusted zone of myapps.microsoft.com without providing an MFA token and access business data on internal applications. 

The business logic behind the decision to not enforce MFA on these internal applications is valid, as the initial MFA prompt should have been completed before being able to access the myapps.microsoft.com portal. However, this vulnerability takes advantage of a slight delay in timing and allows the attacker access to a valid SSO token before authenticating with Duo authenticator and bypasses the business logic in place to prevent access to internal applications without MFA. 

Additionally, finding a multifactor-authentication provider that functions well with all vendors and applications leveraged by a business is nearly impossible. As MFA continues to become a business standard process and procedure across domains, multi-factor authentication providers have varying levels of support with the numerous cloud applications within a business environment. These limitations provide ample targets for attackers looking to leverage this vulnerability against Entra ID subscribers who are only applying MFA requirements through conditional access policies to specific applications either due to business-requirements or lack of support with the specific multi-factor vendor. 

Remediation:

In the environments that do have the "My Profile" Enterprise application to ensure the MFA prompt is triggered at the correct time when the user navigates to the myaccount.microsoft.com portal, the tenant administrator must configure a conditional access policy to target the "My Profile" application.

In the environments that did not include “My Profile” the only method to enforce MFA on myaccount.microsoft.com is to enforce MFA on “All Cloud Applications.” Since the “My Profile” application does not appear in all environments, the misconfiguration occurs from users believing all first-party Microsoft applications are covered by the conditional access policy. 

Conclusion: 

Although basic in its implementation and execution, finding this vulnerability was a stark reminder that although complex security systems are in use across enterprises, sometimes a simple misconfiguration can lead to compromise of secure data within the environment with minimal time investment or technical knowledge. As a penetration tester, it is easy to get bogged down in the technicalities of complex exploits and the prestige that comes along with executing a complex exploit chain. But sometimes it’s good to remember that simple misconfigurations with simple exploits can cause just as much damage to an environment and it is always good to check the basics.

Find more stories like these in our Azure Pentesting eBook.

Azure Cloud Penetration Testing Stories
[post_title] => Abusing Entra ID Misconfigurations to Bypass MFA [post_excerpt] => While conducting an Entra Penetration Test, we discovered a simple misconfiguration in Entra ID that allowed us to bypass MFA. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => abusing-entra-id-misconfigurations-to-bypass-mfa [to_ping] => [pinged] => [post_modified] => 2023-11-01 14:30:11 [post_modified_gmt] => 2023-11-01 19:30:11 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=31386 [menu_order] => 45 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 1 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => b8f556528eb1310d316406b5954c7c56 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )

Discover how the NetSPI BAS solution helps organizations validate the efficacy of existing security controls and understand their Security Posture and Readiness.

X