by Jason Downey

The Condition

In the first entry of The Aftermath Blog Series, I was able to social engineer a set of domain credentials. In this entry, we’ll discuss how I gained access to the network despite multifactor authentication (MFA) being in use.

What Had Happened Was…

Nothing kills a penetration tester’s excitement faster than knowing you have valid credentials that you can’t use because of a security control. This client had MFA set up everywhere—Microsoft 365, their VPN, and any other login portal I found. They were using Microsoft Authenticator, configured to display numbers for the user to enter instead of just approving or denying a request.

Look, I get that it makes me evil, but I have no problem MFA bombing someone at 2 AM to make them give me access. However, having to enter numbers killed that vector. Back to the drawing board.

I started using a Firefox add-on to change my User-Agent, making my traffic appear as if it was coming from different systems. While a Windows, macOS, Android, or iOS User-Agent always triggered an MFA prompt, I found that setting my User-Agent to Linux allowed me to bypass MFA entirely—granting me access to my client’s environment.

The Disclosure…

In most organizations, the security team and IT team have different goals. IT focuses on uptime, accessibility, and speed, while security is all about protecting users.

In this case, the client’s IT team had correctly configured conditional access policies for all devices they deployed to employees—but since no one used Linux as a daily driver, they neglected to apply a policy requiring MFA for Linux logins. This oversight granted me access without having to complete the MFA process.
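To make that gap concrete, here is an added example (not the author's or the client's configuration) that checks a set of Conditional Access policies for platforms from which a sign-in would never be challenged for MFA. The policy dictionaries are constructed samples whose shape mirrors the Microsoft Graph conditionalAccessPolicy object (`conditions.platforms.includePlatforms`, `grantControls.builtInControls`); because the device platform is inferred from the User-Agent, the corrected policy targets `all` platforms rather than adding Linux to an allow-list.

```python
# Added example: coverage check for platform-scoped Conditional Access policies.
# Policy objects are constructed samples modelled on the Graph API schema.
import json

# Platform identifiers as used by the Graph API (constructed list for this check).
PLATFORMS = ["android", "iOS", "windows", "macOS", "linux"]

# Constructed weak policy: MFA is only required on the platforms IT deploys.
WEAK_POLICY = {
    "displayName": "Require MFA (managed platforms)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {
            "includePlatforms": ["android", "iOS", "windows", "macOS"],
            "excludePlatforms": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Corrected policy: "all" covers Linux and any platform the service cannot classify.
FIXED_POLICY = json.loads(json.dumps(WEAK_POLICY))
FIXED_POLICY["displayName"] = "Require MFA (all platforms)"
FIXED_POLICY["conditions"]["platforms"] = {"includePlatforms": ["all"], "excludePlatforms": []}


def policy_covers(policy, platform):
    """True if an enabled policy applies to a sign-in from the given platform."""
    if policy.get("state") != "enabled":
        return False
    plat = policy.get("conditions", {}).get("platforms")
    if not plat:  # no platform condition configured: applies to every platform
        return True
    if platform in plat.get("excludePlatforms", []):
        return False
    included = plat.get("includePlatforms", [])
    return "all" in included or platform in included


def mfa_required(policies, platform):
    """True if at least one applicable policy grants access only with MFA."""
    return any(
        policy_covers(p, platform)
        and "mfa" in p.get("grantControls", {}).get("builtInControls", [])
        for p in policies
    )


def uncovered_platforms(policies):
    """Platforms from which a sign-in would not be challenged for MFA."""
    return [p for p in PLATFORMS if not mfa_required(policies, p)]


if __name__ == "__main__":
    print("weak :", uncovered_platforms([WEAK_POLICY]))   # ['linux']
    print("fixed:", uncovered_platforms([FIXED_POLICY]))  # []
```

Against a real tenant the same check can be fed the output of the Graph `identity/conditionalAccess/policies` listing; any platform returned by `uncovered_platforms` is a sign-in path that relies on the password alone.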

The Impact…

The lack of conditional access policies allowed me to bypass their MFA process entirely. This granted me access to a portal with a Virtual Desktop Infrastructure (VDI) session inside their network.

Now, let's see how that leads to the next installment, The Simple Stuff.


About Jason Downey, Security Consultant

Jason Downey has over ten years of professional experience in IT and information security, spanning a variety of network security roles with additional experience in systems administration. Jason has spoken in front of various audiences ranging from youth initiatives to major security conferences, and creates informational content on SiegeCasts and forward-facing marketing channels. Jason excels at a variety of penetration testing tactics and is well known for his vishing and social engineering expertise.

Certifications:
CRTO, GPEN, GCIH, CCNA R&S, CCNA Security, CEH, CHFI
