More than 99.9 percent of Microsoft enterprise accounts that get invaded by attackers didn’t use multi-factor authentication (MFA). This stark, though not entirely surprising, finding comes from a presentation that Alex Weinert, the tech giant’s Director of Identity Security, delivered at the RSA 2020 security conference in San Francisco in late February. Overall, only 11 percent of Microsoft enterprise accounts had MFA enabled.
According to Microsoft, an average of 0.5 percent of all accounts is breached every month; in January of this year, this was equivalent to more than 1.2 million accounts. “If you have an organization of 10,000 users, 50 of them are going to be compromised this month,” said Weinert.
The break-ins were facilitated by two factors. First, legacy email protocols such as SMTP, IMAP and POP authenticate with nothing more than a username and password and cannot prompt for a second factor, so any application still signing in through them sidesteps MFA even where it has been enabled for the account. The second factor was people's poor password hygiene, specifically their penchant for extremely simple passwords and for reusing the same password across multiple accounts, both company and private.
Around 480,000 compromised accounts, which represents some 40 percent of the total, fell victim to password spraying. In this automated attack, the attacker takes a short list of the most commonly used passwords and tries each of them against a large number of accounts, keeping the number of guesses per account low enough to stay under lockout thresholds; the bet is not that any one account has a weak password, but that some account in a large population does.
And work they do, with Weinert noting that password spraying attacks opened the door to 1 percent of the accounts against which they were deployed in January. On average, attackers would try around 15 passwords.
Roughly the same number of accounts fell victim to password replay attacks, also known as breach replay attacks (and, elsewhere in the industry, as credential stuffing). In these cases, ne'er-do-wells take lists of credentials spilled in data breaches and try the same username and password combinations at other services, counting on people having reused them.
Almost all password spraying and password replay attacks took aim at common legacy authentication protocols – 99.7 percent and 97 percent, respectively. The probability of a compromise surged to 7.2 percent if SMTP was enabled, to 4.3 percent for IMAP, and to 1.6 percent for POP.
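The two patterns described above, spraying and the legacy-protocol exposure it rides on, are visible in sign-in logs if you look at the right shape: a spray is one source hitting many distinct accounts a few times each (the opposite of a brute force, which hammers one account), and a success for an account that source was guessing is the takeover signal. The following is an added example, not code from Microsoft or from Weinert's presentation: it runs that logic over a constructed, simplified log format (not the Azure AD sign-in schema), and the thresholds for "many accounts" and "few guesses" are illustrative assumptions to tune to your own tenant.

```python
"""Spot password spraying in sign-in logs and measure legacy-protocol exposure.

Added example: the log format and sample events below are constructed for this
demonstration (not the Azure AD sign-in schema); the detection thresholds are
illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Basic-auth mail protocols named in the article; none of them can prompt for MFA.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP"}


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    source_ip: str
    client_app: str
    success: bool


@dataclass(frozen=True)
class SpraySummary:
    distinct_users: int        # how many accounts the source guessed against
    max_guesses_per_user: int  # sprayers keep this small to avoid lockouts
    legacy_share: float        # fraction of the source's failures over IMAP/POP/SMTP
    compromised: tuple         # accounts that later succeeded from the same source


def parse_line(line: str) -> SignIn:
    """Parse one constructed line: '<ISO time> <user> <ip> <client app> <SUCCESS|FAILURE>'."""
    when, user, ip, app, result = line.split()
    return SignIn(datetime.fromisoformat(when), user, ip, app, result == "SUCCESS")


def find_spray_sources(events, min_users=10, max_guesses_per_user=5):
    """Return {source_ip: SpraySummary} for sources whose failures look like a spray.

    Timing is deliberately ignored: a low-and-slow spray spread over days still
    has the same shape (many accounts, few guesses each), so counting is enough.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for e in events:
        if e.success:
            successes[e.source_ip].add(e.user)
        else:
            failures[e.source_ip].append(e)

    found = {}
    for ip, fails in failures.items():
        per_user = defaultdict(int)
        for e in fails:
            per_user[e.user] += 1
        if len(per_user) < min_users or max(per_user.values()) > max_guesses_per_user:
            continue  # too few targets, or a brute force on one account rather than a spray
        legacy = sum(e.client_app in LEGACY_PROTOCOLS for e in fails)
        # A success for an account this source was guessing is the account-takeover signal.
        compromised = tuple(sorted(successes[ip] & set(per_user)))
        found[ip] = SpraySummary(len(per_user), max(per_user.values()),
                                 legacy / len(fails), compromised)
    return found


def build_sample_log():
    """Constructed events: one spray over IMAP with a hit, one brute force, one benign user."""
    lines = []
    # Spray: 12 accounts, two guesses each, all over IMAP4, then user07 falls.
    for i in range(1, 13):
        for guess in range(2):
            lines.append(f"2020-01-14T02:{i:02d}:{guess * 30:02d} user{i:02d} 203.0.113.10 IMAP4 FAILURE")
    lines.append("2020-01-14T02:40:00 user07 203.0.113.10 IMAP4 SUCCESS")
    # Brute force: a single account hammered 30 times from another source (not a spray).
    lines += [f"2020-01-14T03:00:{s:02d} alice 198.51.100.7 Browser FAILURE" for s in range(30)]
    # Benign: a user who mistyped twice and then signed in.
    lines += ["2020-01-14T09:00:00 bob 192.0.2.5 Browser FAILURE",
              "2020-01-14T09:00:20 bob 192.0.2.5 Browser FAILURE",
              "2020-01-14T09:00:45 bob 192.0.2.5 Browser SUCCESS"]
    return lines


def analyse(lines):
    """Parse constructed log lines and return the spray sources found in them."""
    return find_spray_sources(parse_line(line) for line in lines)


if __name__ == "__main__":
    for ip, summary in analyse(build_sample_log()).items():
        print(ip, summary)
```

On the sample data only 203.0.113.10 is reported: twelve accounts, at most two guesses each, every attempt over IMAP4, and user07 compromised. The brute force against alice and bob's two typos are left alone. In a real tenant the legacy_share figure is the useful one for the fix the article goes on to recommend: a spray whose attempts all arrive over IMAP, POP or SMTP would have found no door at all had those protocols been disabled.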
What are the easiest fixes? You guessed it – choosing strong and unique passphrases, enabling MFA (two-factor authentication, or 2FA, being its most common form), and disabling legacy protocols so that no sign-in path exists that MFA cannot cover. According to Microsoft, the latter measure alone slashes the likelihood of an account takeover by two thirds.