Is MS number-matching MFA still amenable to bypass in this scenario?

Çağlar Arlı

On August 2, 2023, the Microsoft security blog presented this scenario, in which the protection normally afforded by number-matching MFA on MS Authenticator can be thwarted:

In this activity, Midnight Blizzard either has obtained valid account credentials for the users they are targeting, or they are targeting users with passwordless authentication configured on their account – both of which require the user to enter a code that is displayed during the authentication flow into the prompt on the Microsoft Authenticator app on their mobile device.

After attempting to authenticate to an account where this form of MFA is required, the actor is presented with a code that the user would need to enter in their authenticator app. The user receives the prompt for code entry on their device. The actor then sends a message to the targeted user over Microsoft Teams eliciting the user to enter the code into the prompt on their device.

Is this fake-out of MFA still possible, when relying only on password plus number-matching MFA from MS Authenticator?