Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Threat Update 68 - Box MFA Bypass and the Need for Defense in Depth

Multi-Factor Authentication (MFA) is a critical security control in the increasingly cloud-first world, but like all software, there can be vulnerabilities.
Kilian Englert
1 min read
Last updated February 11, 2022

Contents

    Multi-Factor Authentication (MFA) is a critical security control in the increasingly cloud-first world, but like all software, there can be vulnerabilities. The Varonis Threat Research team discovered, and responsibly disclosed, a vulnerability in Box's implementation of MFA which could have allowed an attacker to gain unauthorized access to a Box environment.

    Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team use the Varonis threat research as a jumping-off point to discuss cloud defense-in-depth strategy, and layered security controls can help mitigate damage from the next inevitable vulnerability.

    To learn more about the MFA bypass threat research, please visit:
    https://www.varonis.com/blog/box-mfa-bypass-totp/

    Watch Varonis threat researcher Kody Kinzie demonstrates how an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data *without* providing a one-time password.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Kilian Englert
    Kilian Englert Kilian has a background in enterprise security engineering, as well as security solution selling. Kilian is a Certified Information Systems Security Professional (CISSP) and creates internal and public content on topics related to cybersecurity and technology best practices.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    last-week-in-microsoft-teams:-week-of-december-14th
    Last Week in Microsoft Teams: Week of December 14th
    last-week-in-microsoft-teams:-week-of-december-14th
    Jeff Brown
    December 14, 2020
    This week’s review covers Teams getting Breakout Rooms, enabling the new Public Preview feature for users, and how to host a holiday party in Microsoft Teams.
    last-week-in-microsoft-teams:-week-of-february-1st
    Last Week in Microsoft Teams: Week of February 1st
    last-week-in-microsoft-teams:-week-of-february-1st
    Jeff Brown
    February 2, 2021
    This week’s review covers Microsoft monthly Teams roundup, new security and DLP options, sharing content from Outlook to Teams, and resetting a Surface Hub 2S.
    last-week-in-microsoft-teams:-week-of-march-1st
    Last Week in Microsoft Teams: Week of March 1st
    last-week-in-microsoft-teams:-week-of-march-1st
    Jeff Brown
    March 3, 2021
    This week’s review covers new Teams Panel devices, what to expect for Ignite 2021 Spring edition, and an upcoming in-person Teams community conference.
    last-week-in-microsoft-teams:-week-of-october-26th
    Last Week in Microsoft Teams: Week of October 26th
    last-week-in-microsoft-teams:-week-of-october-26th
    Jeff Brown
    October 26, 2020
    This week’s review covers the ability to import messages to Teams, a Teams-centered phishing attack, and tips for Teams meetings for teachers.