No MFA, Full Access: the Hidden Risk in Duo & Generic AD Sync

Overview

What we observe time and again are privilege escalation paths that traverse from lower-tier to higher-tier objects using permissions such as GenericWrite, GenericAll, or WriteDACL. In research analyzing over 100 governmental, financial, and high-tech institutions, the prevalence of these generic permissions was found to be extremely high. Such misconfigurations introduce significant posture management risks in Active Directory environments. We further demonstrated the real-world impact of these risks by leveraging Duo MFA to showcase potential MFA bypasses.

Generic permissions in Active Directory are rights that bundle many object-specific permissions into a single grant:

  • GenericAll – Full control of the object. Allows reading/writing all attributes, resetting passwords, enabling/disabling accounts, adding/removing group members, and more.
  • GenericWrite – Write access to most attributes. Common abuses include changing the member attribute of groups, setting a malicious logon script, modifying SPNs, or flipping UserAccountControl flags.
  • WriteDacl – Permission to modify the object’s DACL (permissions list). This lets an attacker grant themselves any rights, including GenericAll, often leading to immediate complete control.
  • WriteOwner – Ability to change the object owner. New owners can rewrite the DACL, typically escalating to full control.
  • Owns – The principal is the object owner. Owners can modify the DACL regardless of explicit permissions, enabling a straightforward escalation path.

Those permissions are very common in many Active Directory environments. In research that analyzed over 100 governmental, financial, and high-tech institutions, the use of those generic permissions is extremely high:

Figure 1: The results of "Breaking Down Barriers: Analyzing Active Directory Security Across Industries" research.

In general, these permissions let a user perform actions far beyond what’s required, for example, granting GenericAll just to reset a password. We demonstrated the risk by showing how generic permissions in AD can enable a bypass of Duo MFA.

Crucially, these risks persist because generic rights often go undetected and unreviewed; organizations don’t fully understand their impact.

Integrating third-party platforms with Active Directory (AD) is a standard enterprise practice that simplifies identity management. By synchronizing external systems with AD, organizations can reuse existing attributes, such as usernames, email addresses, and phone numbers, across multiple services. This reduces administrative overhead, minimizes redundancy, and ensures consistent access control and identity data across the environment.

Duo Security and Multi-Factor Authentication (MFA)

Duo Security is a widely used MFA solution that helps protect user logins by requiring an additional verification step beyond an Active Directory password. Common MFA methods include push notifications, SMS passcodes, or phone calls, all designed to confirm that the authenticating user is legitimate even if credentials are compromised.

Syncing Active Directory with Duo

In Duo, many customers use the Authentication Proxy to sync Active Directory users into the Duo platform. During this process, it’s possible to import attributes such as telephoneNumber and mobile from the AD user object, which can then be used as two-factor authentication (2FA) devices.
Figure 2: An example of the Duo phone import setting

Once the sync is complete, new users are created in Duo based on their AD identities, with their mobile or telephoneNumber attributes already populated. Depending on the Duo configuration, these synced users may be able to authenticate using their phone numbers, even without completing a traditional enrolment process.

Real-World Scenario: RDP and Duo

The practical scenario unfolds as follows:

The hypothetical Comp company intends to implement MFA for Remote Desktop Protocol (RDP) access throughout its on-premises environment. To this end, they deploy Duo Authentication for Windows Logon on all servers accessible via RDP.

Whenever a user successfully authenticates to a server with their AD credentials, Duo prompts them for a second factor to the number associated with their account.

If the user is synced from Active Directory and has a phone number set in the mobile or telephoneNumber fields, Duo will import that value if phone import is enabled. As a result, depending on the configuration, the user may be able to validate their identity using the AD-synced phone number without additional setup.

Attack Prerequisites

To successfully execute this attack, the following conditions must be met:

  1. Active Directory Permissions

In practice, the prerequisite is rarely a niche attribute right; it is the generic permissions already present in many environments.

  • Typical real-world case: A single GenericAll / WriteDACL / WriteOwner / Owns grant is enough to both reset a user’s password and modify phone attributes, fully satisfying the attack prerequisites.
  • Less common, specific path: Having just ForceChangePassword plus Write Property on telephoneNumber/mobile can also work, but this is not what we usually see during assessments.

  2. Duo Directory Sync settings: phone number import is enabled in the Duo sync configuration.
  3. Duo policy configuration: SMS-based authentication is allowed.

With these conditions, an attacker-controlled phone number in AD becomes a valid 2FA method activated at the next sync.

Potential Attack Vector

Synchronizing phone attributes from AD into Duo is convenient, but it introduces a path for abuse. If an attacker can change a user’s password and phone number in Active Directory, they can:

  1. Set a malicious telephoneNumber or mobile value on the target user.

Figure 3: An example of the Active Directory mobile phone attribute

  2. Wait for Duo’s next directory sync.

  3. Log in using the victim user’s password and click “Text me new codes.”

Figure 4: An example of the Duo Authentication RDP login screen

  4. Receive an SMS passcode from Duo sent to the attacker’s own phone without needing access to Duo’s admin interface.

  5. Gain access to the device.

Attack Conditionality

Notably, the attacker never has to interact with Duo directly.

This is contingent upon both of the following conditions being satisfied:

  1. Duo’s directory-sync profile has phone import enabled.

Figure 5: An example of the Duo phone import setting

  2. Duo’s policy allows SMS passcodes.

Figure 6: An example of a Duo policy that allows SMS passcodes

When both hold, a single attribute change in AD is enough to satisfy 2FA, effectively bypassing MFA using only LDAP writes.

Duo Defaults and Behavior

Understanding Duo’s default behavior is crucial to assessing the actual risk and designing effective mitigations. The following are official descriptions from Duo’s documentation regarding phone import and SMS authentication settings:

  1. Import Phone feature
     Duo’s directory sync can optionally import phone numbers from Active Directory user attributes.
     • Official description: “Enable this option if you want Directory Sync to create phones for your users. Imported devices default to the ‘Generic Smartphone’ platform, capable of phone calls and SMS messaging.”
     • Default setting: Phone number import is disabled by default.

  2. SMS Passcode Authentication
     • Official description: “Users receive a text message with a Duo passcode that they use to authenticate.”
     • Default setting: SMS-based authentication is enabled by default.
Figure 7: An example of the Duo configuration scenario, with the SMS passcode and import phones features enabled

Mitigations

The following steps will improve the security of Active Directory when it is synchronized with Duo.

   1. Use a Posture Management Platform to Model and Reduce AD Attack Paths
Leverage your organization’s security posture management tool to detect users or groups with excessive privileges in Active Directory. Focus on identifying:

    • Users with the ability to reset other users’ passwords
    • Users with Write Property access to telephoneNumber or mobile
    • Users with broader privileges like GenericAll, WriteDACL, Owns

These tools can typically identify risky attack paths and enable you to reduce unnecessary permissions, thereby minimizing opportunities for lateral movement.

Figure 8: An example of the write-phone and reset-password edges in a posture management platform
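The following Python is an added example, not code from the original post, from Duo, or from Dream. It models the review described in this step (and the generic-permission definitions in the Overview) against the allow ACEs of a single user object: access-mask bits and object GUIDs are mapped to the two abilities the attack needs (reset the password, write telephoneNumber or mobile), and WriteDacl, WriteOwner and ownership are treated as routes to both because their holder can rewrite the DACL. The trustee names, owner and ACE records are constructed sample data; the mask constants follow the ADS_RIGHTS_ENUM bits and the .NET ActiveDirectoryRights composite values, and the three GUIDs are the well-known schema and extended-right identifiers, all of which should be verified against your own SDK headers and forest schema. Deny ACEs, inheritance flags and group membership expansion are deliberately left out and must be resolved by a real audit.

```python
"""Audit helper: which principals on a user object can satisfy both attack
prerequisites (reset the password AND write telephoneNumber/mobile)?
All sample data below is constructed; nothing is read from a live directory."""
from dataclasses import dataclass

# Access-mask bits (ADS_RIGHTS_ENUM) and composite values (.NET ActiveDirectoryRights).
DS_WRITE_PROP      = 0x00000020   # ADS_RIGHT_DS_WRITE_PROP
DS_CONTROL_ACCESS  = 0x00000100   # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
WRITE_DAC          = 0x00040000   # ADS_RIGHT_WRITE_DAC
WRITE_OWNER        = 0x00080000   # ADS_RIGHT_WRITE_OWNER
GENERIC_ALL_BIT    = 0x10000000   # ADS_RIGHT_GENERIC_ALL
GENERIC_WRITE_BIT  = 0x40000000   # ADS_RIGHT_GENERIC_WRITE
FULL_CONTROL       = 0x000F01FF   # ActiveDirectoryRights.GenericAll as stored in most DACLs
GENERIC_WRITE      = 0x00020028   # ActiveDirectoryRights.GenericWrite (ReadControl|WriteProperty|Self)

# Well-known schemaIDGUID / rightsGuid values (verify against your forest's schema).
GUID_TELEPHONE_NUMBER = "bf967a49-0de6-11d0-a285-00aa003049e2"   # telephoneNumber
GUID_MOBILE           = "f0f8ffa3-1191-11d0-a060-00aa006c33ed"   # mobile
GUID_FORCE_CHANGE_PWD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
PHONE_GUIDS = {GUID_TELEPHONE_NUMBER, GUID_MOBILE}


@dataclass(frozen=True)
class Ace:
    trustee: str            # principal the allow ACE grants rights to
    mask: int               # access mask
    object_type: str = ""   # attribute or extended-right GUID; "" means "all"


def is_generic_all(mask):
    return bool(mask & GENERIC_ALL_BIT) or (mask & FULL_CONTROL) == FULL_CONTROL


def is_generic_write(mask):
    return bool(mask & GENERIC_WRITE_BIT) or (mask & GENERIC_WRITE) == GENERIC_WRITE


def capabilities(aces, owner):
    """Map each trustee to the abilities the post cares about.

    'TakeFullControl' marks the WriteDacl/WriteOwner/Owns escalation paths:
    the trustee can grant itself GenericAll and so reaches both prerequisites.
    """
    caps = {}

    def grant(who, *labels):
        caps.setdefault(who, set()).update(labels)

    grant(owner, "Owns", "TakeFullControl")
    for ace in aces:
        m, t, ot = ace.mask, ace.trustee, ace.object_type
        if is_generic_all(m):
            grant(t, "GenericAll", "ResetPassword", "WritePhone", "TakeFullControl")
        if is_generic_write(m):
            grant(t, "GenericWrite", "WritePhone")   # covers every writable attribute
        if m & WRITE_DAC:
            grant(t, "WriteDacl", "TakeFullControl")
        if m & WRITE_OWNER:
            grant(t, "WriteOwner", "TakeFullControl")
        if m & DS_WRITE_PROP and (ot == "" or ot in PHONE_GUIDS):
            grant(t, "WritePhone")                   # specific Write Property path
        if m & DS_CONTROL_ACCESS and ot in ("", GUID_FORCE_CHANGE_PWD):
            grant(t, "ResetPassword")                # ForceChangePassword extended right
    return caps


def can_satisfy_attack(caps):
    """Trustees meeting both prerequisites, directly or via DACL/owner escalation."""
    return sorted(t for t, c in caps.items()
                  if "TakeFullControl" in c or {"ResetPassword", "WritePhone"} <= c)


def one_step_short(caps):
    """Trustees holding exactly one of the two prerequisites (worth reviewing too)."""
    return sorted(t for t, c in caps.items()
                  if "TakeFullControl" not in c and len({"ResetPassword", "WritePhone"} & c) == 1)


# Constructed DACL for one user object, in the shape Get-Acl "AD:\<dn>" would expose.
SAMPLE_OWNER = "CORP\\Domain Admins"
SAMPLE_ACES = [
    Ace("CORP\\IT-Ops-Legacy", FULL_CONTROL),                              # GenericAll
    Ace("CORP\\SvcDesk-Legacy", WRITE_DAC),                                # WriteDacl
    Ace("CORP\\HelpDesk-L1", DS_CONTROL_ACCESS, GUID_FORCE_CHANGE_PWD),    # reset only
    Ace("CORP\\HR-Sync", DS_WRITE_PROP, GUID_MOBILE),                      # phone only
    Ace("CORP\\Contractors", GENERIC_WRITE),                               # phone, no reset
]

if __name__ == "__main__":
    caps = capabilities(SAMPLE_ACES, SAMPLE_OWNER)
    print("Both prerequisites:", can_satisfy_attack(caps))
    print("One prerequisite:  ", one_step_short(caps))
```

Run over the sample DACL, the "both prerequisites" list contains the owner, the legacy group holding full control, and the service-desk group that only has WriteDacl; the help-desk, HR-sync and contractor groups each hold one half of the path, which is exactly the set this mitigation step asks you to review and trim.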

   2. Avoid Syncing Phone Attributes from Active Directory (If Possible)
Disable the import of telephoneNumber and mobile attributes during AD-to-Duo sync. Managing 2FA devices directly in Duo ensures that only verified, admin-approved methods are used for authentication, reducing reliance on potentially manipulated directory data.

   3. Disable SMS and Enforce Passcode-Based MFA
Remove SMS as a 2FA option from Duo’s policy and enforce passcode-based MFA. This ensures that any user needing to register a new device must request a passcode from a Duo administrator or complete activation through the Duo SaaS portal, adding a critical administrative checkpoint before device enrolment.

Figure 9: The before state of Duo RDP login with SMS codes
Figure 10: The after state of the Duo RDP login with SMS codes

AD Attack Detections

Monitor AD Attribute Changes: telephoneNumber/mobile

Attackers who gain write access to AD user objects can change telephoneNumber or mobile attributes, which Duo may consume during the next sync cycle. To detect this:

  • Log Source: Domain Controller (Security Log)
  • Event ID: 5136 (Directory Service Change)

What to Look For:

  • Telephone number or mobile attribute modified.
  • Performed by non-administrative or unusual accounts.
  • Performed outside of normal operating hours.
  • Followed by a password reset on the same user account (Event ID 4723 or 4724).

Figure 11: An example of the Active Directory log showing modification of the telephoneNumber attribute
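As an added example that is not part of the original post, the Python below applies the four indicators above to a batch of Security-log events: it picks out Event ID 5136 changes to telephoneNumber or mobile and flags those made by an account outside an allowlist, outside business hours, or followed within a short window by a 4723/4724 password reset on the same account. The events are constructed samples shaped after the 5136 fields (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType); the allowlist, business hours and window are placeholders to tune for your environment.

```python
"""Correlate Event ID 5136 phone-attribute changes with follow-up password
resets (4723/4724). All events below are constructed samples in the shape of
the Security-log fields; they are not real log lines."""
from datetime import datetime, time, timedelta

PHONE_ATTRS = {"telephoneNumber", "mobile"}
RESET_EVENTS = {4723, 4724}                 # 4723: user changed own password, 4724: reset by another account
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # constructed; tune to your environment
# Accounts expected to edit phone attributes, e.g. the HR sync service (constructed allowlist).
EXPECTED_EDITORS = {"CORP\\svc-hr-sync", "CORP\\adm.jdoe"}

# Notes on the record shape:
#  - modifying a single-valued attribute logs two 5136 events, "Value Deleted"
#    for the old value and "Value Added" for the new one; only the latter is scored;
#  - "target" is assumed to be pre-normalized to one key. In production, 5136 carries
#    ObjectDN while 4723/4724 carry TargetUserName/TargetSid, so map DN to account first.
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-03-04T10:15:00", "subject": "CORP\\svc-hr-sync",
     "target": "CN=Bob,OU=Users,DC=corp,DC=example", "attribute": "mobile", "operation": "Value Added"},
    {"id": 5136, "time": "2024-03-04T23:41:10", "subject": "CORP\\contractor7",
     "target": "CN=Alice,OU=Users,DC=corp,DC=example", "attribute": "mobile", "operation": "Value Added"},
    {"id": 4724, "time": "2024-03-04T23:42:05", "subject": "CORP\\contractor7",
     "target": "CN=Alice,OU=Users,DC=corp,DC=example"},
    {"id": 5136, "time": "2024-03-04T14:02:00", "subject": "CORP\\adm.jdoe",
     "target": "CN=Carol,OU=Users,DC=corp,DC=example", "attribute": "telephoneNumber", "operation": "Value Added"},
    {"id": 5136, "time": "2024-03-04T14:05:00", "subject": "CORP\\adm.jdoe",
     "target": "CN=Carol,OU=Users,DC=corp,DC=example", "attribute": "description", "operation": "Value Added"},
]


def detect_phone_tampering(events, reset_window=timedelta(minutes=30)):
    """Return one finding per suspicious phone-attribute change.

    A change is suspicious if any indicator holds: editor not allowlisted,
    outside business hours, or a password reset on the same target within
    reset_window after the change. A following reset raises severity to 'high'.
    """
    resets = [(datetime.fromisoformat(e["time"]), e) for e in events if e["id"] in RESET_EVENTS]
    findings = []
    for e in events:
        if e["id"] != 5136 or e["attribute"] not in PHONE_ATTRS or e["operation"] != "Value Added":
            continue
        t = datetime.fromisoformat(e["time"])
        reasons = []
        if e["subject"] not in EXPECTED_EDITORS:
            reasons.append("editor not in allowlist")
        if not BUSINESS_HOURS[0] <= t.time() < BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        severity = "medium"
        for rt, r in resets:
            if r["target"] == e["target"] and timedelta(0) <= rt - t <= reset_window:
                reasons.append(f"followed by {r['id']} password reset at {r['time']}")
                severity = "high"
        if reasons:
            findings.append({"target": e["target"], "attribute": e["attribute"],
                             "subject": e["subject"], "time": e["time"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_phone_tampering(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["target"], f["attribute"], "by", f["subject"], "->", "; ".join(f["reasons"]))
```

On the sample batch only the late-night mobile change on Alice by a contractor account is reported, at high severity because a 4724 reset on the same account follows within a minute; the HR-sync and administrator edits during business hours produce no finding, and the description change is ignored because it is not a phone attribute.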

Analyse Duo Telephony Log for Anomalies

Once the phone number is changed in AD and synced to Duo, attackers can use their own device to satisfy MFA prompts.

Log Source: Duo Telephony Log (Admin Panel or API)

Indicators of Suspicion:

  • Authentication attempts from newly seen numbers.
  • Phone numbers associated with a high volume of calls/SMS in a short window.
  • Devices that were not enrolled manually (i.e., synced only).
  • Use of phone numbers that are not present in your internal HR/CMDB systems.

Figure 12: An example of the Duo telephony log
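The Python below is an added example, not code from the original post or from Duo, that scores telephony activity per phone number against the four indicators listed above: a number never seen before, a burst of calls/SMS in a short window, a device that exists only because of directory sync, and a number absent from HR/CMDB. The records are constructed samples shaped after telephony log entries (timestamp, user, phone, type) joined with a constructed inventory field, "source", that says how the device was enrolled; the baselines of previously seen and HR-registered numbers are placeholders you would feed from your own history and CMDB.

```python
"""Score Duo telephony activity per phone number against the post's four
indicators. Records and baselines below are constructed, not real Duo data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baselines: numbers seen in earlier telephony history, numbers on file in HR/CMDB.
PREVIOUSLY_SEEN = {"+15550100123"}
HR_CMDB_NUMBERS = {"+15550100123", "+15550100777"}

BURST_WINDOW = timedelta(minutes=10)   # constructed thresholds; tune to your volumes
BURST_THRESHOLD = 3

# "source" is a constructed join from the phone inventory: "manual" or "sync".
SAMPLE_TELEPHONY = [
    {"time": "2024-03-05T09:00:00", "user": "bob",   "phone": "+15550100123", "type": "sms",   "source": "manual"},
    {"time": "2024-03-05T23:45:00", "user": "alice", "phone": "+15550100999", "type": "sms",   "source": "sync"},
    {"time": "2024-03-05T23:46:10", "user": "alice", "phone": "+15550100999", "type": "sms",   "source": "sync"},
    {"time": "2024-03-05T23:47:30", "user": "alice", "phone": "+15550100999", "type": "sms",   "source": "sync"},
    {"time": "2024-03-05T23:49:00", "user": "alice", "phone": "+15550100999", "type": "phone", "source": "sync"},
    {"time": "2024-03-05T11:00:00", "user": "carol", "phone": "+15550100777", "type": "phone", "source": "sync"},
]


def max_in_window(times, window=BURST_WINDOW):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def score_numbers(records, seen=PREVIOUSLY_SEEN, hr_numbers=HR_CMDB_NUMBERS):
    """Return {phone: [reasons]} for every number that trips at least one indicator."""
    by_phone = defaultdict(list)
    for r in records:
        by_phone[r["phone"]].append(r)

    findings = {}
    for phone, rs in by_phone.items():
        reasons = []
        if phone not in seen:
            reasons.append("newly seen number")
        n = max_in_window([datetime.fromisoformat(r["time"]) for r in rs])
        if n >= BURST_THRESHOLD:
            minutes = int(BURST_WINDOW.total_seconds() // 60)
            reasons.append(f"{n} calls/SMS within {minutes} minutes")
        if all(r["source"] == "sync" for r in rs):
            reasons.append("device came from directory sync only")
        if phone not in hr_numbers:
            reasons.append("number absent from HR/CMDB")
        if reasons:
            findings[phone] = reasons
    return findings


if __name__ == "__main__":
    for phone, reasons in score_numbers(SAMPLE_TELEPHONY).items():
        users = sorted({r["user"] for r in SAMPLE_TELEPHONY if r["phone"] == phone})
        print(phone, users, "->", "; ".join(reasons))
```

On the sample data Alice's number trips all four indicators, Carol's sync-only number trips two but is at least on file in HR, and Bob's long-known, manually enrolled number is not reported. Numbers that hit several indicators at once, especially a burst from a sync-only number that HR has never recorded, are the ones to cross-check against the AD attribute-change events from the previous section.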

Conclusion

Dream Posture Management Perspective

To better protect organizations, there is a need to operate in a few layers:

  • Permission-level analysis: Examine every Active Directory permission and its potential for concrete abuse, not just high-level roles. In our demo, the ability to write another user’s phone attributes and reset the user’s password was sufficient to enable the attack.
  • Tiering & Segmentation Review: Assess AD tier boundaries (Tier 0/1/2) to uncover misplaced permissions and escalation paths between tiers. Tighten separation and remove cross-tier write paths that enable lateral movement.
  • Least-Privilege & Delegation Hygiene: Identify overbroad generic permissions (e.g., GenericAll, GenericWrite, WriteDACL) and replace them with narrowly scoped, task-specific rights to reduce blast radius.

Multilayered Approach of Dream AI

Dream AI is engineered to disclose concealed aspects, such as unspecified generic permissions, their potential avenues for misuse, and the minimal secure adjustments necessary to eliminate them.

Dream AI applies end-to-end across all layers of Active Directory security:

  • Permission level. Our models map each AD permission to concrete abuse cases and surface risky write capabilities.
  • Tiering. Dream’s Identity Researcher discovers critical escalation paths that break Tier 0/1/2 boundaries and flags cross-tier misplacements.
  • Least-privilege. Our models detect overbroad delegations (GenericAll/GenericWrite/WriteDACL) and recommend precise, task-scoped alternatives.

Together, these capabilities allow Dream to pinpoint “golden” attack paths and deliver clear, prioritized mitigation guidance to close them before they’re exploited.
