Malicious MFA Takeover

This technique is simple: it consists of "backdooring" user accounts that do not have MFA set up. If an attacker controls one of these accounts, they can register new MFA devices under that user's account.

A simple way to get the MFA status of every user account in a tenant is to use this script. Once we find a user account with no MFA set up, we can spray credentials against that account; if we get access, we can register our own device as a trusted MFA device and gain persistence as that user.
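From the defender's side, the same two facts are what matter: which accounts have no MFA method registered (those are the ones that can be claimed), and whether a new MFA registration was preceded by a burst of failed sign-ins followed by a success. The following is an added example, not code from the original page, that runs that check over constructed log records. The event shapes are simplified assumptions modelled loosely on Entra ID sign-in and audit logs (the `User registered security info` audit activity name and the field names are assumptions, not an exact export schema); the users, IPs and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Simplified, assumed record shapes; not the exact Entra ID export schema.

@dataclass
class SignIn:
    time: datetime
    user: str
    ip: str
    success: bool

@dataclass
class AuditEvent:
    time: datetime
    user: str
    activity: str   # e.g. "User registered security info" (assumed name)
    ip: str

@dataclass
class UserRecord:
    upn: str
    mfa_methods: list = field(default_factory=list)

MFA_REGISTRATION_ACTIVITY = "User registered security info"


def users_without_mfa(users):
    """Inventory step: accounts with no registered MFA method are the ones
    whose first device an attacker could register. Returns their UPNs."""
    return [u.upn for u in users if not u.mfa_methods]


def suspicious_registrations(signins, audits, min_failures=5,
                             failure_window=timedelta(hours=1),
                             registration_window=timedelta(hours=24)):
    """Flag MFA registrations that follow a burst of failed sign-ins and then
    a success: the spray -> login -> register-device sequence."""
    alerts = []
    for ev in audits:
        if ev.activity != MFA_REGISTRATION_ACTIVITY:
            continue
        history = sorted((s for s in signins if s.user == ev.user),
                         key=lambda s: s.time)
        # Most recent successful sign-in before the registration, within the window
        successes = [s for s in history
                     if s.success and s.time <= ev.time
                     and ev.time - s.time <= registration_window]
        if not successes:
            continue
        last_ok = successes[-1]
        # Failed attempts in the hour leading up to that success
        failures = [s for s in history
                    if not s.success
                    and last_ok.time - failure_window <= s.time < last_ok.time]
        if len(failures) >= min_failures:
            alerts.append({
                "user": ev.user,
                "failed_attempts": len(failures),
                "login_ip": last_ok.ip,
                "registration_ip": ev.ip,
                "registered_at": ev.time,
            })
    return alerts


# Constructed sample data: alice has no MFA, is sprayed six times, then a
# success and a registration from the same IP; bob registers without any spray.
T0 = datetime(2024, 1, 15, 9, 0)
USERS = [
    UserRecord("alice@contoso.example"),
    UserRecord("bob@contoso.example", ["authenticatorApp"]),
]
SIGNINS = [
    *[SignIn(T0 + timedelta(minutes=3 * i), "alice@contoso.example",
             "203.0.113.5", False) for i in range(6)],
    SignIn(T0 + timedelta(minutes=20), "alice@contoso.example", "203.0.113.5", True),
    SignIn(T0, "bob@contoso.example", "198.51.100.7", True),
]
AUDITS = [
    AuditEvent(T0 + timedelta(minutes=30), "alice@contoso.example",
               MFA_REGISTRATION_ACTIVITY, "203.0.113.5"),
    AuditEvent(T0 + timedelta(minutes=5), "bob@contoso.example",
               MFA_REGISTRATION_ACTIVITY, "198.51.100.7"),
]

if __name__ == "__main__":
    print("No MFA registered:", users_without_mfa(USERS))
    for alert in suspicious_registrations(SIGNINS, AUDITS):
        print(alert)
```

Accounts returned by `users_without_mfa` are the ones to push through registration enforcement (or to block until a method is registered); the correlation in `suspicious_registrations` is the detection to run over real sign-in and audit exports, with the thresholds tuned to the tenant's normal failure rates.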