Let's talk about MFA, it's good, it's useful, but what's your process for resetting it? The reason I ask:

Did some telephone social engineering last week. We had a user who had left the company over a month ago, and thought they'd be a great target.

1/

We had some useful OSINT info, bosses name etc.

So I rang the helpdesk, explained I was having problems getting into my account, went through some (basic) checks, and get a password reset. Ok, nice. But MFA is enabled.....

2/

How to bypass MFA?........ I guessed that the helpdesk closed at 5.30pm.

I knew from when I worked on a helpdesk, I wanted to close the phone lines at exactly 5.30pm! And any calls going on just before 5.30, I wanted finished as soon as possible so I could go home.

3/

So I timed my call to be just before the helpdesk closed, 3 minutes before. Just enough time to get the problem solved, and quickly because they'll want to close the phone line (hopefully, it's a guess).

4/

I ring back, explain the MFA token is going to my old work phone which I no longer have, and ask how we solve this?

They ask me to confirm my old number. (I don't know it). So I pretend to look through my contacts list for my work number. This eats up time.......

5/

I think I'm right as the questions come thick and fast, they do want to go home! I say I *think* the old work phone number ended in "30".......

Bingo.....they ask for the new work number and reset the MFA sign up process.

6/

I keep them on the phone by saying I want to test it.

I do, it works. We're in. We hunt around, get more creds, this gets us further in the estate.

7/

What went wrong?

The "30" was given away by the sign in process. I enter a username, a password, and it tells me the MFA token has been sent to +44 xxx xxx xxx30

That shouldn't be enough to get an MFA reset!

8/

So, have a think about your reset process. Would it fail this test?

Could someone bypass it with very little info? Have you tested it recently?

CC: @ZephrFish

EoF/