Microsoft’s Identity Security Trends & Remedies for 2023

Let’s examine the current identity security trends, suggest possible actions, and outline Microsoft’s role in assisting you. One of the topics discussed among the Microsoft team is referred to as “shiny object syndrome.” This encompasses a vast range of groundbreaking and concerning attacks and research. As much as we hate to admit it, every juicy headline has a way of luring us into the “but what about…” trap, where we’re left brainstorming ways to handle the latest scandalous scoop. By constantly flip-flopping on our approach, our defense projects run the risk of never seeing the light of completion, making us vulnerable to both outdated and innovative threats.

Don’t freak out when attackers strike with new tactics. Take ransomware attacks, for example. They’re famous for work stoppages and huge ransoms – scary stuff! But wait, recent studies by Expert Insights tell us that, more often than not, it’s an identity compromise that sets the stage for these attacks. In fact, novel techniques we see dominating headlines rely on compromising identity first! That’s why getting our identity basics right is so important – it’s the key to keeping our eyes trained on the ball!

Get ready to ride the waves of identity attacks with Pamela Dingle’s keynote at Authenticate 2022! In it, she introduces us to a whole new way of thinking about these threats—by likening them to waves. And let me tell you, the insights are mind-blowing. But don’t just take my word for it, check out her recap on LinkedIn (seriously, read it). The gist is this: as identity attacks become more sophisticated and novel, they also decrease in volume. It’s like navigating the perilous seas of cyberspace with Pam as your guide. Hang ten!

Buckle up, folks! This killer framework for tackling attacks is about to get even better. Tossing in a game-changing threat, we’re going to flex our posture agility muscles and ride that “rogue wave” like pros. So pay attention – this strategic approach will help you weather any storm you’re currently facing, while also keeping you ahead of emerging threats with savvy investments. Are you ready to dive in? Let’s do this!

Top 3 Attacks on Passwords

Did you know that Microsoft fends off over 1,000 password attacks per second? Crazy, right? But here’s the kicker: less than 0.1% of compromised accounts have multifactor authentication enabled. That’s like leaving your front door wide open for any thief to just waltz right in! And we’ve been preaching about this for six years now! We’ve even made it so easy with Microsoft Azure Active Directory and our nifty little app called Microsoft Authenticator. But alas, only a measly 28% of users have taken advantage of it. Come on, people! It’s time to step up our game and protect ourselves from those sneaky attackers who are just waiting for us to slip up. Sure, we all have tight budgets and limited resources, but let’s stop getting distracted by every shiny object and focus on closing these security gaps once and for all.

Simple password attacks are commonly occurring. They are closely intertwined with our everyday lives. Here are the three top attacks on passwords.

  • Password Spraying Attacks are where hackers guess common passwords against multiple accounts. This method is known as a brute force attack, in which a hacker attempts various combinations of usernames and commonly used passwords on an authentication server. It is a common practice among attackers to utilize lists of frequently used passwords found on the internet. This type of attack has a distinct quality that enables hackers to bypass typical security measures. It is frequently used against organizations with easily predicted usernames, such as
  • Phishing Attacks are a way hackers try to dupe you into giving them your sensitive information.  Hackers falsify information to look legitimate, via email (this can also happen via phone call or text message.)  They disguise their nefarious emails to look like legitimate ones with the goal of obtaining your username and password.  They disguise fake emails that appear to come from a trustworthy source and there’s often a sense of urgency in the message.  The goal is too trick you to provide your username and password to your online accounts.  This could be banking information, online shopping sites, even applications you use at work.  After the attackers get your information, they have access to your online accounts and personal data, they can get permissions to modify and compromise other associated sites and systems.
  • Breach Replay Attacks refer to the interception and fraudulent delay or resending of secure network communication by cybercriminal to manipulate the recipient into following their desired outcome. One of the risks of replay attacks is that capturing a message from the network enables a hacker to decrypt it, without requiring advanced skills. Repeating the entire thing could result in a successful attack.

Multifactor Authentication Attacks

Using multifactor authentication is crucial for a healthy ecosystem, and it’s time to start requiring it for all users. Forget clunky old-fashioned methods that involve copying codes and getting multiple prompts. With modern multifactor authentication, using apps, tokens, or device verification is super easy and even invisible to users. Plus, the best part? Unlike the old-school approach, there’s no need to buy and deploy anything extra – modern multifactor authentication comes included in all SKUs! And because it’s deeply integrated into Azure AD, there’s no extra management required either.

If you are one of those who have upped your security with multifactor authentication, congratulations! You’re one step closer to protecting yourself from identity attacks. Did you know that 28% of users who have turned on this feature are now the envy of cyber attackers everywhere. In order to get to these lucky few, attackers would have to break down the fortress that is multifactor authentication itself – a feat not easily achieved!

Here are examples of multifactor authentications attacks:

  • SIM-jacking is a form of identity theft that specifically aims at stealing your phone number. SIM jacking is a technique that attackers can use to obtain access to your cellphone account and retrieve your personal information, such as text messages, contacts, and financial accounts. They can also use it to make calls and send text messages in your name. In case your phone number is linked to your bank account, hackers can circumvent Multi-Factor Authentication (MFA) and reset your password to get into your financial accounts. Additionally, they may use your phone number to create new accounts on your behalf, such as email or social media accounts. SIM jacking is a newly emerging phenomenon that is progressively becoming widespread as the world shifts toward more online interactions. This threat isn’t limited to high-status people or celebrities – anyone with a mobile number could potentially fall victim to a SIM jack.
  • MFA Fatigue Attacks rely on simple user approvals of voice, SMS or push notifications. Users don’t need context of the session they’re authenticating for these approvals. This type of authentication is done through “click to approve” or “enter your PIN to approve”. Studies show that only 1% of users will accept a simple approval request on the first try. To prevent these attacks, information must be entered from the login screen with more context and protection. These attacks are increasing and push notifications, voice approvals and SMS are the main culprits.
  • Adversary-in-the-middle (AitM) Attacks involve deceiving users into performing the necessary multifactor authentication step. Therefore, it is crucial to implement phishing-resistant authentication, particularly for vital assets. In this type of cyberattack, also known as man-in-the-middle (MitM), the perpetrator places themselves between two parties in a conversation, intercepting all communications. Unlike traditional phishing setups, AitM phishing does not require a custom-built site but proxies requests to and from the genuine website.

The attacks mentioned require greater effort and investment from attackers, resulting in detection of tens of thousands per month rather than thousands per second. As multifactor authentication coverage expands, the trend of increasing attacks is expected to continue.

Using the right multifactor authentication is essential in defeating attacks. We suggest Authenticator, Windows Hello, and FIDO. Certificate-based authentication (CBA) is also a good solution for organizations with existing PIV and CAC infrastructure, as it is resistant to phishing and compliant with executive orders. These methods are also easier to use than passwords or telephony-based multifactor authentication.

Post Authentication Attacks

Attackers are using malware to steal tokens from devices. This allows them to use tokens and cookies elsewhere even if a valid user performs valid multifactor authentication on a valid machine. This method has been used in recent high-profile attacks and is on the rise. Most often, tokens are stolen by malware on machines. If a user runs as an admin, token theft is just one click away. Core Zero Trust principles like effective endpoint protection, device management, and using least privileged access can defend against this threat. Important scenarios such as machine enrollment should require re-authentication when signals indicate potential token theft.

OAuth consent phishing is a type of bypass attack. It involves tricking a user into giving an app permission to access on their behalf. Attackers accomplish this by sending the user a link asking for consent (“consenting phishing”). The app can then access the user’s data even if they are not present. These attacks are rare, but they are becoming more common. To ensure security, it is important to inspect apps that users are consenting to and restrict consent to applications from verified publishers.

Infrastructure compromise

As organizations improve their use of identity for security and implement Zero Trust policies, attackers are targeting the identity infrastructure. These attackers exploit vulnerabilities in outdated or insecure on-premises networks to steal confidential information, compromise federation servers or undermine the infrastructure that is relied upon. This type of attack can be difficult to detect as attackers often gain access and attempt to conceal their actions. Once the access control has been lost, it may be challenging to remove the attacker effectively.

Our focus is to improve hybrid and multi-cloud detections and develop automated protection against attacks on identity infrastructure. As on-premises deployments are challenging to protect from malware, lateral movement, and new threats, reducing dependencies on them is recommended, with a shift towards cloud authority where possible. Additionally, it’s important to isolate your cloud infrastructure from your on-premises environment. Working closely with your security operations center (SOC) is critical in securing privileged identity administrators and on-premises servers. It’s essential to secure not only user identities but also non-human identities and the infrastructure responsible for managing them since sophisticated adversaries search for any security gaps.

The rogue wave: Attack velocity and intensity

Microsoft’s team handles numerous significant cases each year, and we often see the challenge of keeping up with growing attack volumes and intensity. Organizations face a daunting task due to tight budgets, limited resources, hiring difficulties, and political pressure when trying to keep up with attackers who continuously innovate. Even thinking about security is not enough in today’s environment. Our consumer accounts, such as those for or Xbox, are far less likely to be hacked than enterprise accounts because they have managed multifactor authentication policies and risk mitigations. These capabilities are available to organizations too but can be costly to manage effectively.

Microsoft’s team’s primary objective is to minimize costs associated with identity attacks, while also drastically reducing the investments required for enhanced security. We have invested in various strategies towards this goal, such as analyzing Conditional Access gaps, modifying Authenticator to combat evolving multifactor authentication fatigue attacks, continuously expanding our threat detection capabilities, and implementing our security defaults program. Our unwavering commitment lies in safeguarding users, organizations, and systems against unauthorized access and fraudulent activities related to identity management. We recognize the importance of helping organizations establish their security measures effectively and cost-efficiently.

When investing in identity security, it is recommended to also invest in automated responses to common threats, such as auto-blocking or requiring password changes. Utilize tools like Authenticator that can adapt to new threats and consider transferring authority to the cloud where detections and mitigations are agile. It’s important to remain alert for indications of risk from machine learning systems.

Fair winds and following seas in 2023

For further information on safeguarding your organization, we recommend reading Joy Chik’s blog titled “Microsoft Entra: 5 Identity Priorities for 2023.” To explore a comprehensive security solution that covers identity and access management, extended detection and response, as well as security information and event management, please visit the Microsoft Entra page. The page also provides information on the family of multi-cloud identity and security products such as Microsoft Defender for Identity and Microsoft Sentinel, which can help shield your organization.

For further information on Microsoft Security solutions, please visit Microsoft’s website. To stay informed about security-related topics, add the Security blog to your bookmarks and follow us at @MSFTSecurity for the most recent cybersecurity news and updates.