99% of compromised Microsoft enterprise accounts lack MFA

Cybercriminals compromise 0.5% of all Microsoft enterprise accounts every month because too few customers are using multi-factor authentication (MFA), the company has revealed.

In a presentation uploaded to YouTube from the recent RSA Security Conference, director of Identity Security Alex Weinert said 1.2 million accounts were compromised in January 2020 alone.

Of those compromised accounts, 99.9% were not using MFA.

Accounts lacking MFA had two characteristics: the use of legacy protocols and a tendency by users to reuse passwords.

The problem with legacy protocols – POP, SMTP, IMAP, and XML-Auth – is that they don’t offer a mechanism to include an MFA challenge or device verification, which made passwords a single point of failure.

During January, about 40% (480,000) of the compromised accounts had fallen foul to some pretty simple password spraying where attackers try to login to large numbers of accounts using a small collection of statistically likely passwords.

According to Weinert, 99% of password spray attacks targeted legacy protocols. Although only 0.5% of accounts were compromised each month, the probability of this happening rose to 7.2% for SMTP, and 4.3 for IMAP.

The second problem was password re-use, which allowed attackers to reuse credentials stolen from one site on multiple sites in the hope of finding a match, the so-called replay attack. Weinert said:

Don’t be confused. People do re-use their enterprise accounts in non-enterprise environments.

The solution to these problems should be turning off legacy protocols and mandating MFA in its place. And yet when the decision was made to turn off legacy protocol support within Microsoft in 2018, the company’s helpdesk was flooded with calls in the middle of the night as the sales platform went down.

The culprit? An old telesales application tied to a single account using legacy authentication.

Coincidentally, the following month, Microsoft’s MFA for Office 365 and Azure Active Directory went down twice in a week, leaving many customers around the world using unable to log on.

It’s an anecdote that explains the size of the problem – even Microsoft is struggling to wean itself from the past.

What to do

There are three simple steps to securing any online account:

Pick strong passwords. Watch our video to find out how to come up with a brute:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

Turn on 2FA or MFA. If a website gives you the option of using two-factor authentication (2FA or MFA), take them up on it. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:


(Audio player above not working? Download MP3 or listen on Soundcloud.)

Use a password manager. We know they’re not perfect, but we still highly recommend using one: they can generate strong, unique passwords for each site, and the store and auto-fill them so you have no excuse to re-use any password.

Latest podcast – special episode


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.