It's all too easy to get a false sense of security. Unfortunately, two factor authentication does not provide immunity from getting hacked.
You are probably familiar with phishing emails which try to trick you into revealing your credentials. Two factor or multi-factor authentication was touted as a means of protecting these credentials. Even if an attacker managed to get your username and password, they still couldn't use it to access your account without the "second factor".
But did you know that the same email phishing technique can be used to gain access to your account without even compromising your username and password? Before delving into how this is achieved, I first need to introduce a technology called OAuth.
OAuth is a protocol used by third party applications to gain access to a cloud-based account. OAuth is used by all the big tech services, including those of Microsoft and Google. Instead of using a username and password, OAuth uses a "token" which gives it access to an account.
OAuth Attack: One Click and You're Compromised!
An OAuth phishing attack works as follows. Firstly, an attacker creates a malicous application for a cloud platform. By hosting the application on a cloud platform such as Microsoft 365, the hacker creates a sense of legitimacy to their application. The attacker then sends a link to the victim via a carefully crafted phishing email. When the victim clicks on the link, they are presented with a "consent page" hosted by the cloud platform. In the case of Microsoft 365, the consent page would show the name of the application (which is specified by the attacker) and what information it wants access to. For the attack to be successful, all the victim needs to do is click on the accept button. The attacker then gains access to your data, forever. The attacker still has access even if you change your password or two factor authentication. You can revoke access to the application, but this is a manual process.
So what can you do to protect yourself? There are some steps that IT administators can take to help mitigate the malicious use of OAuth. But these steps don't happen automatically. There are also tools which can be used to detect existing OAuth attacks.
Cloud security is complex and you should not go it alone. It's easy to think that your cloud vendor will manage security on your behalf, but this is not the case. Cloud vendors merely provide platforms and frameworks. You are responsible for securing your data. Unfortunately, too many organisations are leaving security in the hands of their cloud vendors and this creates a critical security risk.