Cybersecurity researchers have uncovered a sophisticated technique to bypass Microsoft’s phishing-resistant multi-factor authentication (MFA) by exploiting the device code authentication flow and Primary Refresh Tokens (PRTs).

This method allows attackers to register Windows Hello for Business keys, effectively creating a persistent backdoor even in environments with strict MFA policies.

The technique was initially developed for an internal “EntraIDiots” Capture The Flag (CTF) competition, where participants had to overcome a challenge that only permitted access using phishing-resistant MFA.

Researchers found they could force MFA during authentication by manipulating request parameters, regardless of existing security policies.

“After a quick test our assumption was correct!” the researchers noted, referring to their discovery that the “amr_values=ngcmfa” parameter could force users to perform MFA during authentication flows.

How the Attack Works

The attack leverages device code phishing combined with an adversary-in-the-middle (AiTM) approach. It begins when a victim visits a malicious page that retrieves Microsoft’s login interface using a specially crafted URL containing specific parameters:

• The Authentication Broker client ID (29d9ed98-a469-4536-ade2-f981bc1d605e)
• A resource URL pointing to Microsoft’s enrollment service
• The critical “amr_values=ngcmfa” parameter that forces MFA
• A specific redirect URI (ms-appx-web://Microsoft.AAD.BrokerPlugin)

When users complete authentication (including MFA), attackers obtain authorization codes that can be exchanged for access and refresh tokens. With these tokens, attackers can:

1. Register a new device in Entra ID
2. Request a Primary Refresh Token for that device
3. Enrich the PRT with the ngcmfa claim
4. Register a Windows Hello For Business key
5. Acquire a new PRT using the registered device and WHFB key

Stealth Implications

This attack is particularly concerning because it’s difficult to detect. “From a user perspective it’s quite difficult to detect that a new WHFB key was added,” the researchers explained. The compromised authentication method doesn’t appear in the user’s account page that lists other authentication methods.

Detecting these malicious keys is challenging even for administrators. Microsoft’s design prevents administrators from viewing their own authentication methods in Entra ID, requiring another admin to check for suspicious activity.

The researchers outlined several prevention strategies:

• Enforcing phishing-resistant MFA for all users
• Implementing AiTM mitigation to warn users and alert administrators
• Disallowing device registration in Entra ID
• Enforcing device compliance policies
• Blocking or limiting the device code flow

However, detection remains problematic. Due to limitations in Entra ID’s audit logging capabilities, the research team encountered difficulties correlating interactive sign-ins with device creation or WHFB key registration.

This technique builds upon previous work by security researcher Dirk-jan Mollema, who demonstrated similar PRT phishing attacks in 2023. The current advancement focuses on reliably forcing MFA during authentication, making it possible to execute the full attack chain against environments with stringent security policies.

As organizations increasingly rely on passwordless authentication methods like Windows Hello, this research highlights the importance of a defense-in-depth approach rather than depending solely on phishing-resistant MFA.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.