惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
月光博客
月光博客
S
SegmentFault 最新的问题
博客园 - 三生石上(FineUI控件)
Last Week in AI
Last Week in AI
J
Java Code Geeks
酷 壳 – CoolShell
酷 壳 – CoolShell
TaoSecurity Blog
TaoSecurity Blog
V
Visual Studio Blog
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
罗磊的独立博客
雷峰网
雷峰网
T
Tor Project blog
L
LINUX DO - 最新话题
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
Scott Helme
Scott Helme
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
腾讯CDC
Cloudbric
Cloudbric
WordPress大学
WordPress大学
Security Archives - TechRepublic
Security Archives - TechRepublic
V
V2EX
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
N
News and Events Feed by Topic
T
Troy Hunt's Blog
T
Threatpost
C
Check Point Blog
Vercel News
Vercel News
I
Intezer
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
D
DataBreaches.Net
SecWiki News
SecWiki News
Help Net Security
Help Net Security
Microsoft Azure Blog
Microsoft Azure Blog
Google DeepMind News
Google DeepMind News
S
Secure Thoughts
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
AI
AI
N
News and Events Feed by Topic
阮一峰的网络日志
阮一峰的网络日志
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff Cross-Tenant Impersonation: Prevention and Detection BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP
Just How Risky is Legacy Authentication?
Brett Winterford · 2022-01-27 · via Okta Security RSS Feed

Does your organization still allow users to authenticate to Office 365 or other Microsoft services using only a username and password?

If you do, you’re 53x more likely to be targeted in credential-based attacks. (No, not 53% more likely. It’s 53 times more likely).

Many organizations (at least one in ten Microsoft customers, as of October 2021) still allow access to the M365 cloud using what Microsoft calls “Legacy Authentication”. In these requests, the client forwards the username and password with the request to the cloud service provider during sign-in. There’s no OAuth2 compatibility, which means no opportunity to apply multi-factor authentication or the rich variety of access policies designed to protect users from common credential-based attacks.

Accounts using legacy authentication are easy pickings for attackers. Billions of stolen usernames and passwords from previous breaches are freely available on online forums (and routinely refreshed for a fee). The “point and shoot” tools to re-purpose them in credential stuffing attacks are cheap and easy to source.

Credential stuffing is a reliable form of attack because the best of us - even when we know we shouldn’t - reuse passwords across different services.

The tools used in credential stuffing and password spray attacks are in the armoury of every category of attacker, and it isn't limited to those motivated by profit.

In April 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that SVR, an agency of Russia’s Foreign Intelligence Services, has been targeting M365 accounts with legacy authentication enabled using “low and slow” password spray attacks since at least 2018.

Compromised victims had:

“enabled logins using legacy single-factor authentication on devices which did not support multi-factor authentication."

The FBI noted that this was:

“achieved by spoofing user agent strings to appear to be older versions of mail clients, including Apple’s mail client and old versions of Microsoft Outlook.”

In July 2021, Microsoft warned its customers that attackers linked to the Islamic Republic of Iran compromised ~20 organizations in credential stuffing attacks, again by targeting Office365 tenants that allow legacy authentication. Alarmingly, these attackers appeared to have hit a success rate close to 15% (cybercrime groups are known to profit at success rates far lower than 1%).

So this year, when I was asked to provide some observations about the threat landscape for Okta’s annual Businesses At Work report, I recommended they focus on this well-known risk that continues to go unaddressed in too many places.

My colleague Matt Shancer calculated how often Okta ThreatInsight flagged legacy authentication requests as suspicious, and compared that to requests made using modern authentication.

ThreatInsight, for those unfamiliar, is Okta’s native capability for detecting high-volume credential-based attacks. Customers can configure ThreatInsight to block these requests before the attacker gets the chance to authenticate.

The results were emphatic. ThreatInsight detections fire far more often on requests made to M365 using legacy authentication. Adversaries specializing in high volume, credential-based attacks (“account checking” services, so to speak) are targeting these services.

This is only one measure of how often these services are targeted. We can confidently say that there is a material reduction in risk available to organizations that disable legacy authentication: while the numbers vary by industry, we found that the average reduction in the ratio of detected threats to legitimate authentications exceeds 99%.

This reduction in risk is amplified when you add the protection multifactor authentication and risk-based access policies offer your users. Academic studies have demonstrated that risk-aware MFA blocks 99.9% of automated, credential-based attacks.

So if you’re looking to prioritise security projects proven to reduce the risk of compromise, this is an obvious one. Microsoft has (again) set a new date for when it intends to disable legacy authentication to Office 365: October 1, 2022. Every customer of Microsoft cloud services should be assessing their exposure to legacy authentication over the weeks ahead. This requires making sure modern authentication is enabled AND that legacy authentication is disabled.

This post is the second in a three-part series. See our first post, "Auditing your Org for Legacy Authentication"

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.