Cyber: Where Multi-factor Authentication Stops And Credential Abuse Starts

Organizations typically roll out multi-factor authentication (MFA) and assume stolen passwords are no longer enough to access systems. In Windows environments, that assumption is often wrong. Attackers still compromise networks every day using valid credentials. The issue is not MFA itself, but coverage.

Enforced through an identity provider (IdP) such as Microsoft Entra ID, Okta, or Google Workspace, MFA works well for cloud apps and federated sign-ins. But many Windows logons rely solely on Active Directory (AD) authentication paths that never trigger MFA prompts. To reduce credential-based compromise, security teams need to understand where Windows authentication happens outside their identity stack.

When a user signs in directly to a Windows workstation or server, authentication is typically handled by AD (via Kerberos or NTLM), not by a cloud IdP.

In hybrid environments, even if Entra ID enforces MFA for cloud apps, traditional Windows logons to domain-joined systems are validated by on-prem domain controllers. Unless Windows Hello for Business, smart cards, or another integrated MFA mechanism is implemented, there’s no additional factor in that flow.

If an attacker obtains a user’s password (or NTLM hash), they can authenticate to a domain-joined machine without triggering the MFA policies that protect software-as-a-service apps or federated single sign-on. From the domain controller’s perspective, this is a standard authentication request.

Tools like Specops Secure Access are key to limiting the risk of credential abuse in these scenarios. By enforcing MFA for Windows logon, as well as for VPN and Remote Desktop Protocol (RDP) connections, this tool makes it harder for attackers to gain unauthorized access to your network. This even extends to offline logins, which are secured with one-time passcode authentication.

RDP is one of the most targeted access methods in Windows environments. Even when RDP is not exposed to the internet, attackers often reach it through lateral movement after initial compromise. A direct RDP session to a server doesn’t automatically pass through cloud-based MFA controls, which means the logon may rely solely on the underlying AD credential.

NTLM is a legacy authentication protocol that, despite being deprecated in favor of the more secure Kerberos protocol, still exists for compatibility reasons. It is also a common attack vector because it supports techniques like pass-the-hash.
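As an added illustration of the coverage question raised above (this is example code, not from the article or from any vendor), the following Python classifies constructed Windows Security event 4624 records by the Active Directory path that validated them, so a team can list which accounts signed in through NTLM or interactive/RDP logons that no cloud IdP ever prompted. Field names follow the 4624 event schema; every value in the sample set is made up.

```python
# Added example: triage constructed Windows 4624 logon records by auth path.
# Goal: surface logons validated by a domain controller alone (NTLM, console,
# RDP), i.e. the flows an IdP-enforced MFA policy never sees.
from collections import Counter

# Logon types from the 4624 event schema that represent a user sign-in.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive (RDP)",
                     11: "CachedInteractive"}

# Constructed sample events (hosts, users and addresses are fictitious).
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "LogonType": 10,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"TargetUserName": "alice", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "-"},
]

def classify_logon(event):
    """Label the AD path that handled one 4624 record."""
    if event.get("TargetUserName") == "ANONYMOUS LOGON":
        return "anonymous"            # no credential proven; not an MFA gap
    if event.get("AuthenticationPackageName") == "NTLM":
        # Legacy protocol; V1 is weaker still and worth tracking separately.
        return "ntlm-v1" if "V1" in event.get("LmPackageName", "") else "ntlm"
    if int(event.get("LogonType", 0)) in INTERACTIVE_TYPES:
        return "ad-interactive"       # console/RDP sign-in, DC-validated only
    return "ad-network"               # Kerberos service access (SMB, etc.)

def summarize(events):
    """Count logons per (account, path) to list coverage gaps by user."""
    counts = Counter()
    for ev in events:
        counts[(ev["TargetUserName"], classify_logon(ev))] += 1
    return counts

def mfa_gap_accounts(events):
    """Accounts with NTLM or interactive/RDP logons outside IdP MFA."""
    flagged = {"ntlm", "ntlm-v1", "ad-interactive"}
    return sorted({ev["TargetUserName"] for ev in events
                   if classify_logon(ev) in flagged})

if __name__ == "__main__":
    for (user, path), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{user:16} {path:15} {n}")
    print("accounts outside IdP MFA:", mfa_gap_accounts(SAMPLE_EVENTS))
```

In a real deployment the input would come from forwarded Security logs rather than an inline list, and Kerberos sign-ins backed by Windows Hello for Business or smart cards would need to be excluded using the pre-authentication data in the corresponding 4768 events.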

In pass-the-hash attacks, the attac

Source: The Hacker News