O365, AD Conditional Access, Phishing with fake sign in

Was alarmed to read the following, which describes a fake o365 login page whereby the user puts in their credentials on the fake page.

We are using AD conditional access for MFA with DUO for our Office 365 logins. Since the o365 access is automatically redirected to the DUO login page, is it possible that MFA could be bypassed and that the user credentials would be captured by the criminal in this case?

1 Like

If you are using the Conditional Access method to protect Office 365 with Duo, then there is no Duo page redirect. The process is: the user types in their email, clicks next, is sent to the Microsoft password reception page which you can / may have branded, and then when they click submit it prompts the user for a Duo prompt.

To the concerns raised in the article, yes, this attack is entirely still possible with MFA enabled.

Hi, @adam.palmer: With our conditional access… you do indeed go to the Microsoft password reception page… put in your name and password… however at that point the page goes to xxxxxxxx.duosecurity.com which gives you the option of Send Me a Push, Call Me or Enter a Passcode. … I’d call that a redirect… from the o365 login page to the duo page… my question was whether that constituted a vulnerability… could some bad actor intercept that redirection, put up a bogus DUO MFA page perhaps…

Duo integrations that support the new Universal Prompt (like Duo’s custom control for Azure AD) protect against the scenario you describe (a bogus Duo MFA page) by using OIDC standards-based authorization, signed by the unique application info, with a redirect to a page hosted in our own domain. Even if that redirect was intercepted and someone created a fake hosted Duo MFA prompt, it would not provide valid authorization for the auth success.

For applications not yet updated to the OIDC authorization flow, that still show Duo’s traditional prompt in an iframe on a page hosted at the application (not a redirect to a page hosted by Duo), we recommend configuring a list of hosts allowed to show the prompt in the Duo application’s properties to protect against this.

1 Like
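The two protections in the reply above, as an added illustration that is not Duo's code and not part of the original thread: a relying party accepting an OIDC-style signed authorization result only if the signature, issuer, audience, session nonce and expiry all check out (so a bogus prompt page that never held the signing secret cannot produce a valid result), and the exact-hostname allow-list check that the legacy iframe prompt relies on. It assumes an HS256 shared secret as a stand-in for the application-specific signing the reply describes, and the issuer, client id and allowed host are constructed placeholders.

```python
"""Minimal OIDC-style ID token check for a relying party (example code, not Duo's)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment takes issuer, client id
# and allowed hosts from its own application properties.
CLIENT_ID = "constructed-client-id"
ISSUER = "https://api-PLACEHOLDER.duosecurity.com"
ALLOWED_FRAME_HOSTS = {"sso.example.com"}  # constructed allow-list for the legacy iframe prompt


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(secret: bytes, claims: dict) -> str:
    """Issue an HS256 JWT. Only the genuine identity provider holds `secret`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(secret: bytes, token: str, expected_nonce: str, now=None):
    """Return the claims if the token is genuine and bound to this login, else None.

    Checks, in order: three-part structure, alg pinned to HS256 (so 'none' is
    rejected), HMAC signature under the shared secret, issuer, audience (this
    app), nonce bound to the session that started the login, and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
            return None  # a prompt page without the secret cannot forge this
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    # Nonce ties the result to the browser session that began the login, so a
    # captured result cannot be replayed into a different session.
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def frame_host_allowed(page_url: str) -> bool:
    """Legacy iframe prompt: allow only an exact HTTPS hostname match.

    Exact set membership avoids the classic substring bug where
    'sso.example.com.evil.test' would pass an 'endswith'/'in' check.
    """
    parts = urlsplit(page_url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_FRAME_HOSTS


if __name__ == "__main__":
    idp_secret = b"constructed-secret-held-only-by-the-real-idp"
    nonce = "constructed-session-nonce"
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "nonce": nonce, "exp": time.time() + 300}
    genuine = sign_id_token(idp_secret, claims)
    bogus = sign_id_token(b"a-fake-prompt-page-has-no-secret", claims)
    print("genuine prompt accepted:", verify_id_token(idp_secret, genuine, nonce) is not None)
    print("bogus prompt accepted:  ", verify_id_token(idp_secret, bogus, nonce) is not None)
    print("replay into other session:", verify_id_token(idp_secret, genuine, "other-nonce") is not None)
```

The point to take from the script is the division of labour: the password can still be phished on a look-alike page, but the application only treats the login as complete when it receives an authorization result it can verify against keys and identifiers the fake page never had, and that result is bound to the session and host that started the login.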