Attacks attempt to circumvent Exchange Online multi-factor authentication

<p>From Secureworks via NH-ISAC:</p>
<p>In July 2018, Secureworks® Counter Threat Unit™ (CTU) researchers investigated reports that attackers might be circumventing third-party multi-factor authentication (MFA) on Secureworks clients' Exchange Online email services. This MFA bypass can be achieved by targeting legacy authentication protocols exposed to the Internet. Threat actors may be able to employ these routes to access mailboxes using only a stolen username and password.</p>
<p>Many deployments of Exchange - including Exchange Online (a component of Office 365), fully hosted Exchange (provided by Microsoft or another third party), or in-house or hybrid deployments - allow users to authenticate using MFA through their organization's Identity Provider. MFA is typically enforced for Outlook Web Access (OWA) and for modern desktop and mobile applications that have been designed to support MFA. When the mail client redirects the authentication to the Identity Provider, the provider enforces the organization's authentication policy by requesting an additional authentication element such as a token.</p>
<p>Exchange can also be configured to enable services that utilize legacy authentication protocols. These protocols include Exchange ActiveSync (EAS), which allows a user to synchronize a mobile device with an Exchange mailbox, and Exchange Web Services (EWS), which allows client applications to access data on an Exchange server. Enabling MFA on these services may be possible in some cases (e.g., Microsoft provides for the use of OAuth for EWS through Azure Active Directory), but many third-party Identity Providers do not support this option. Traditionally, services like EWS are available inside the corporate network for internal applications but are not exposed to the Internet, mitigating the risk of single-factor authentication. As more organizations move to hybrid or fully hosted Exchange services in the cloud, MFA support for EWS and EAS may be overlooked. Organizations could be faced with the choice of disabling EWS and breaking legacy applications, or taking the risk of exposing single-factor services to the Internet.</p>
<p>This issue has been discussed since at least November 2016, and it is not a vulnerability in third-party Identity Provider solutions. While the documentation can sometimes be hard to find, most vendors clarify where their products do and do not enforce MFA. For example, Duo's website clearly highlights that EWS and ActiveSync endpoints are not covered.</p>
<p>CTU™ researchers recommend that organizations review whether there is a business need to have protocols such as EWS and EAS enabled within their organization and exposed to the Internet. If not, the protocols should be disabled or configured to block external access. If there is a business requirement, organizations should work with the relevant vendors to identify alternative methods for ensuring security over those protocols.</p>
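<p>The review-then-disable step recommended above, as an added Exchange Online PowerShell example (not Secureworks' or Microsoft's own script): it lists every mailbox that still has EWS or ActiveSync enabled, and also POP and IMAP, which share the same single-factor exposure, and disables them only when run with the assumed <code>-Disable</code> switch. It assumes an already established Exchange Online PowerShell session; the allow-list parameter and the switch names are illustrative assumptions.</p>

```powershell
# Added example (not from the original post): audit mailboxes exposing legacy
# protocols (EWS, ActiveSync, POP, IMAP), then optionally disable them.
# Assumes an existing Exchange Online PowerShell session. The -AllowList and
# -Disable parameters are assumptions for illustration, not Exchange cmdlet flags.
param(
    # Mailboxes with a documented business need (e.g. a legacy integration account)
    [string[]]$AllowList = @(),
    # Without this switch the script only reports; nothing is changed
    [switch]$Disable
)

# -ResultSize Unlimited avoids the default 1000-object cap on large tenants.
# EwsEnabled is a nullable boolean: $null means "inherit the organisation
# default", which is enabled, so only an explicit $false counts as blocked.
$exposed = Get-CASMailbox -ResultSize Unlimited | Where-Object {
    ($_.EwsEnabled -ne $false) -or $_.ActiveSyncEnabled -or $_.PopEnabled -or $_.ImapEnabled
}

foreach ($mbx in $exposed) {
    $smtp = $mbx.PrimarySmtpAddress.ToString()

    if ($AllowList -contains $smtp) {
        Write-Output "SKIP    $smtp (documented business need)"
        continue
    }

    # Report each remaining exposure so the review can be recorded before any change
    Write-Output ("EXPOSED {0}  EWS={1} EAS={2} POP={3} IMAP={4}" -f `
        $smtp, ($mbx.EwsEnabled -ne $false), $mbx.ActiveSyncEnabled,
        $mbx.PopEnabled, $mbx.ImapEnabled)

    if ($Disable) {
        # Turns off the single-factor protocols for this mailbox only; clients that
        # relied on EWS or EAS for this user will stop working, which is the trade-off
        # the post describes.
        Set-CASMailbox -Identity $mbx.Identity `
            -EwsEnabled $false -ActiveSyncEnabled $false `
            -PopEnabled $false -ImapEnabled $false
    }
}
```

Run it once without <code>-Disable</code> to produce the review list, add the mailboxes with a confirmed business need to <code>-AllowList</code>, and only then re-run with <code>-Disable</code>.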