This blog was written by an independent guest blogger.
In March 2021, cybersecurity researcher Le Xuan Tuyen discovered a security bug in Microsoft Exchange Server. The vulnerability, dubbed ProxyToken, lets attackers bypass the authentication process to access victims’ emails and configure their mailboxes.
Normally, Exchange uses two sites, a front and back end, to authenticate users. However, its Delegated Authentication feature places the responsibility for authentication solely on the back end. ProxyToken sends an authentication request with a non-empty SecurityToken cookie to trigger this feature. Since the back end isn’t configured to handle authentication under default settings, the attacker’s requests bypass authentication altogether.
For this to work, attackers must already have an account on that Exchange server, minimizing its danger. Still, insider threats are always possible. Attackers could then use this method to attain information to form phishing attacks, which caused more than $1.7 billion in losses in 2019.
In light of this threat and others like it, here’s how companies can better secure their user authentication protocols.
Monitor user behavior
User authentication should go beyond a simple username and password. Traditional measures like this are vulnerable and can’t account for attacks like ProxyToken that bypass authentication stops. One helpful solution is to monitor user behavior.
Continuous monitoring will establish a baseline for each user’s typical behavior. With this information, companies can implement behavioral biometrics, which authenticates people based on their use patterns. Abnormal behavior, like trying to configure someone else’s inbox as ProxyToken attacks may do, will raise a red flag.
This monitoring is also a critical part of contextual permissions, a central tenet of zero-trust security. These measures go beyond traditional authentication to find and address attacks like ProxyToken.
Use multifactor authentication
Another crucial step is to enable multifactor authentication. Single authentication methods, whether they be a password or something else, are vulnerable to attacks like ProxyToken. Using more than one method ensures that if an attacker gets past one barrier, they still can’t infiltrate the system.
Microsoft itself emphasizes that MFA can stop 99.9% of account compromise attacks, which ProxyToken may start as. In addition to being highly effective, MFA is also cost-free and easy to implement, making it an ideal security measure.
Restrict authorization
Authentication and authorization are not the same, and remembering that is critical to avoiding threats like ProxyToken. An attacker may use ProxyToken or a similar method to bypass authentication, but tighter controls can still mitigate damage.
As a refresher, authentication determines if users are who they say while authorizing handles permissions. Restricted authorization protocols like least-privilege access controls limit the authorization any one user has. As a result, an attacker that bypasses the authentication stage will still have limited access, minimizing their potential for destruction.
Keep software updated
Although it may seem obvious, businesses should also remember to keep their software as up to date as possible. Researchers discovered ProxyToken in March, and Microsoft had patched the vulnerability by July. A simple software update will keep Exchange servers safe from these attacks.
While software updates may not seem like a critical issue, many organizations fall behind in this area, leaving them vulnerable. Almost one-third of global businesses have suffered a data breach due to an unpatched vulnerability. It stands to reason that enabling automatic updates and monitoring for vulnerabilities will prevent a considerable amount of cyberattacks.
Secure authentication protocols are essential
Cybercriminals are always finding new methods like ProxyToken to bypass businesses’ security systems. As these threats rise, organizations must take a more proactive approach to security, including stronger authentication protocols.
User authentication must go beyond a simple username and password. Cybercriminals today are sophisticated, requiring multistage methods like MFA and continuous monitoring to stop them. If businesses can tighten their authentication and authorization controls, they can eliminate many of the threats they face.
