MFA / Password Guessing / Automatic Limits

September 1, 2021

Scam techniques have become more about looking for a weakness in a user's public profile, in past breaches, or in a way into a company through the 'weakest link'.


Password guessing has become more about exploiting a weak link than about using a technical method to gain access.

- While many claim that they've been 'hacked', this is typically nothing more than a combination of events that allowed someone to gain access simply by guessing the password.

- Changing passwords frequently only makes the problem worse, as a user usually needs to write the new password down, and that in itself leaves a trail that can be used to gain access.

- Using the same password across services isn't in itself a problem, but if one service is breached then the other accounts can fall victim as well.

- There are many automatic password guessing techniques available, as well as plenty of large databases containing multiple breaches.

- The ability to scan a multitude of data breaches helps an attacker build up patterns and possible entry points.


Phishing scams have escalated as well: an email may no longer contain a link but instead a phone number for reaching a fake support department.

- A user receives an email saying they need to reach out to support for a password update or something of this nature.

- The user is then given a URL or asked directly for their password, which is captured, and they become a victim.


Ransomware as a Service is becoming much more common.

- One can purchase the professional services of ransomware creators, specifically targeting a feature set and a company.

- This has in turn become more of a business model than a random activity, allowing for a wider swath of targets without requiring in-house development.


Weak links within a company are a high-value target area.

- This only requires manipulation of personnel and no technical overhead, making it easy for a scammer to get started.

- The scammer looks for a way to target an individual who may have a high level of access, or poses as someone who can reach a high level of access.

- The goal is to gain access to details that allow them to better understand how the company operates.

- Once they find key contacts and data, they're better positioned to target someone and make the request look legitimate.

- Scammers have also become more patient, taking time to learn about a company and how to target it.


MFA (Multi-factor Authentication) provides additional methods for authenticating to your account in tandem with a password.

- This can be a text message, an app or another method, or a combination of any or all of these depending on settings.

- Using text for instance - one signs in to their account with a password, which then triggers a text message with a code to verify and allow the login.

- If the text code cannot be provided, the login is cancelled.

- If the text code is provided, the user proceeds as normal into the account, email, etc.


MFA very much helps stop password guessing from succeeding: one can guess the password, but without the additional authentication the login is cancelled. Enabling MFA across all accounts, and especially admin accounts, is crucial - a compromised general user is one thing, but a compromised admin can take an account out of your control.
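The login flow described above, written out as an added example (this is not code from the original post or from M365). It assumes a made-up account store, and an HOTP-style 6-digit code (RFC 4226) stands in for the code delivered by text or app; the names `make_account`, `login` and `guessing_attempt` are this example's own. The point it shows is the last function: a guesser who lands on the right password still only gets "cancelled".

```python
import hashlib
import hmac
import os
import secrets
import struct
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000  # assumption: a reasonable work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a leaked store does not give away passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(password: str) -> dict:
    """Constructed account record: password hash plus the MFA secret the
    text/app code is derived from. The secret never leaves the server."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "mfa_secret": secrets.token_bytes(20)}


def one_time_code(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226): 6-digit code from HMAC-SHA1 over a big-endian counter.
    Stands in for the code a text message or authenticator app would carry."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def login(account: dict, password: str, code: Optional[str], challenge: int) -> str:
    """Two-step sign-in. `challenge` is the counter the server used when it
    generated and sent the code for this attempt (e.g. a per-login sequence).
    Returns 'denied' (wrong password), 'cancelled' (password right but no valid
    second factor) or 'ok'."""
    if not hmac.compare_digest(account["pw_hash"], hash_password(password, account["salt"])):
        return "denied"
    # Password matched: this is the point where the text/app prompt is triggered.
    if code is None:
        return "cancelled"  # factor not provided -> login is cancelled
    expected = one_time_code(account["mfa_secret"], challenge)
    if not hmac.compare_digest(code, expected):
        return "cancelled"  # wrong or stale code -> login is cancelled
    return "ok"


def guessing_attempt(account: dict, wordlist: List[str]) -> Dict[str, str]:
    """What a password guesser gets back: even the correct guess stops at
    'cancelled', because the guesser cannot produce the second factor."""
    return {guess: login(account, guess, None, challenge=1) for guess in wordlist}


if __name__ == "__main__":
    acct = make_account("Winter2021!")  # constructed demo credential
    print(guessing_attempt(acct, ["password", "Welcome1", "Winter2021!"]))
    print(login(acct, "Winter2021!", one_time_code(acct["mfa_secret"], 1), 1))
```

The `compare_digest` calls keep both checks constant-time, and the code is bound to the server-side challenge counter so a code captured from one prompt does not satisfy a later one.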


Automatic limits help to prevent account abuse, further harm to your account, and potentially the blacklisting of your domain.

- When the password of an email account within M365 has been guessed, there is a high probability the account will be used for spamming at some point.

- If the account were used for spamming and left to continue, the reputation of your domain would be tarnished, as well as the provider's.

- Therefore automatic limits monitor for unusual activity and will in turn block sending from the account when levels are out of bounds.

- Automatic limits also lift once a user's activity has returned to normal for some time; this can take up to 24 hours depending on how long the unusual activity was allowed to continue.

- Sending in a request that you 'need the account working ASAP' has no effect, as the limits are automatic and meant to protect you and your domain's health.

- The best method is prevention in the first place, with items like MFA, to keep all users protected and the account healthy.

- Not enabling it because one feels it is too many steps to implement means falling target at some point, and recovering is a longer road.

- These limits help to protect users and domains, but they are not a guarantee, so prevention is key - getting removed from a blacklist and the like is no fun and takes much longer.
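The behaviour the list above describes, as an added illustration rather than anything from the original post or from Microsoft: a sliding-window limiter that blocks an account once its sending volume goes out of bounds and lifts the block on its own after a cooldown that grows with how long the unusual activity lasted, capped at 24 hours. The class name, the thresholds and the `simulate()` timeline are all constructed for the example and are not M365's actual algorithm or numbers.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class SendingLimiter:
    """Hypothetical model of an automatic outbound-mail limit.

    - every send attempt is counted in a sliding window per account
    - when attempts in the window exceed the bound, sending is blocked
    - the block lifts by itself once attempts have stayed in bounds for a
      cooldown; the cooldown grows with how long the abuse went on, capped
      at max_cooldown (24 hours here)."""

    def __init__(self, window: int = 3600, max_per_window: int = 100,
                 base_cooldown: int = 3600, max_cooldown: int = 86400) -> None:
        self.window = window
        self.max_per_window = max_per_window
        self.base_cooldown = base_cooldown
        self.max_cooldown = max_cooldown
        self.attempts: Dict[str, Deque[int]] = defaultdict(deque)  # attempts, accepted or not
        self.blocked_at: Dict[str, int] = {}   # when the block began
        self.last_over: Dict[str, int] = {}    # last attempt made while out of bounds

    def is_blocked(self, account: str) -> bool:
        return account in self.blocked_at

    def cooldown_for(self, account: str) -> int:
        """Seconds of in-bounds activity required before the block lifts."""
        if account not in self.blocked_at:
            return 0
        abuse_duration = self.last_over[account] - self.blocked_at[account]
        return min(self.base_cooldown + abuse_duration, self.max_cooldown)

    def try_send(self, account: str, now: int) -> bool:
        """Record a send attempt at time `now` (seconds); return True if the
        message is allowed out, False if the account is currently limited."""
        q = self.attempts[account]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.max_per_window:         # unusual volume: out of bounds
            self.last_over[account] = now
            self.blocked_at.setdefault(account, now)
        if account in self.blocked_at:
            if now - self.last_over[account] >= self.cooldown_for(account):
                # activity has been normal for long enough: limits retract automatically
                del self.blocked_at[account]
                del self.last_over[account]
                return True
            return False
        return True


def simulate() -> dict:
    """Constructed timeline: a normal user and a guessed account used for spam."""
    lim = SendingLimiter(window=3600, max_per_window=50, base_cooldown=3600, max_cooldown=86400)
    out = {}
    # alice: 20 messages spread over an hour, all accepted
    out["normal_all_accepted"] = all(lim.try_send("alice", i * 180) for i in range(20))
    # bob (password guessed): 200 messages in 10 minutes, one every 3 s
    blast = [lim.try_send("bob", i * 3) for i in range(200)]
    out["accepted_before_block"] = sum(blast)      # 50 go out before the limit trips
    out["blocked_during_blast"] = not blast[-1]
    # the spammer keeps hammering at 120/hour for two more hours (t = 600 .. 7800)
    for s in range(600, 7801, 30):
        lim.try_send("bob", s)
    out["cooldown_seconds"] = lim.cooldown_for("bob")  # 3600 + (7800 - 150) = 11250
    # one message just before the cooldown ends is still rejected ...
    out["still_blocked"] = not lim.try_send("bob", 7800 + 11249)
    # ... and the next one is accepted: the limit lifted without anyone asking
    out["released"] = lim.try_send("bob", 7800 + 11250)
    return out


if __name__ == "__main__":
    print(simulate())
```

Two things carry over to the real service even though the numbers here are made up: asking for the block to be lifted early does nothing, because release is a function of observed activity, and the longer the abuse runs before it is noticed, the longer the account stays limited, which is the argument for preventing the compromise in the first place.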


Protection features can be enabled by users through per-user MFA settings, and admins can make changes to enable/enforce MFA across all users when protecting an organization.

- If enabling in phases, start with users that have a higher level of access within the account and organization.

- Then move to the next level of access and continue through all users, as each user needs to be protected for an organization to remain healthy.


While the items here are mainly discussed around M365, applying the same principles to all your online accounts will help keep you protected overall.