Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1083
Views
2
Helpful
3
Replies

O365, AD Conditional Access, Phishing with fake sign in

lkeyes1
Level 1
Level 1

‎09-02-2021 08:58 AM

Was alarmed to read the following, which describes a fake o365 login page whereby the user puts in their credentials on the fake page.

We are using AD conditional access for MFA with DUO for our Office 365 logins. Since the o365 access is automatically redirected to the DUO login page, is it possible that MFA could be bypassed and that the user credentials would be captured by the criminal in this case?

Labels:
3 Replies 3

adam.palmer
Level 1
Level 1

‎09-03-2021 07:45 AM

If you are using the Conditional Access method to protect Office 365 with Duo, then there is no Duo page redirect. The process is user types in email, clicks next, is sent to the Microsoft password reception page which you can / may have branded, and then when click submit it prompts the user for a Duo prompt.

To the concerns raised in the article, yes, this attack is entirely still possible with MFA enabled.

0 Helpful

lkeyes1
Level 1
Level 1

‎09-03-2021 08:41 AM

Hi, @adam.palmer : With our conditional access… you do indeed go to the Microsoft password reception page… put in your name and password… however at that point the page goes to xxxxxxxx.duosecurity.com which gives you the option of Send Me a Push, Call Me or Enter a Passcode. … I’d call that a redirect… from the o365 login page to the duo page… my question was whether that constituted a vulnerability… could some bad actor intercept that redirection, put up a bogus DUO MFA page perhaps…

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to lkeyes1

‎09-07-2021 06:01 AM

Duo integrations that support the new Universal Prompt (like Duo’s custom control for Azure AD) protect against the scenario you describe (a bogus Duo MFA page) by using OIDC standards-based authorization, signed by the unique application info, with a redirect to a page hosted in our own domain. Even if that redirect was intercepted and someone created a fake hosted Duo MFA prompt, it would not provide valid authorization for the auth success.

For applications not yet updated to the OIDC authorization flow, that still show Duo’s traditional prompt in an iframe on a page hosted at the application (not a redirect to a page hosted by Duo, we recommend configuring a list of hosts allowed to show the prompt in the Duo application’s properties to protect against this.

Duo, not DUO.
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents