Businesses have to be increasingly wary of an industry-wide shift in phishing tactics to get around multi-factor authentication (MFA). Attackers may use tactics such as adversary in the middle (AiTM) techniques to bypass security layers such as MFA.
AiTM attacks are an evolution of the man-in-the-middle (MiTM) technique, where cyber criminals intercept communications between two parties to steal sensitive data. In an AiTM attack, adversaries can also actively interfere with these communications, modifying the messages rather than simply relaying them. This can allow for a seamless MFA bypass.
Adversaries may also seamlessly set up a proxy server between the user and the legitimate service, says Jake Moore, global cybersecurity advisor at ESET. “These attacks have the ability to circumnavigate typical security measures and allow them to intercept authentication tokens or credentials in real-time – and often without raising the alarm.”
At a time when MFA is an increasingly mandatory security control, the use of AiTM to get around it is a major worry. How do attackers bypass MFA using attacks such as AiTM and what can businesses do about it?
Attacks to get around MFA
Currently, three common types of attack methods look to get around MFA. The first is AiTM kits to intercept the user’s MFA key in transit, says Thomas Barton, incident response technical lead at Integrity360.
He describes how using open source tools such as Evilginx, an attacker can set up a mechanism called a “reverse transparent proxy” which forwards a victim’s traffic to their legitimate sign-in page. “While the user believes they are signing in, they are in fact passing both their password and MFA token to the attacker, who abuses these credentials for access,” Barton says.
Tycoon 2FA is a popular AiTM kit at the moment, with the phishing as a service (PhaaS) platform specifically to target Microsoft 365
A second technique to bypass MFA takes advantage of the number of alerts a user may need to respond to in a day. “If a user is required to supply MFA every time they access corporate resources, it creates a situation where they may approve requests from attackers without taking the time to inspect the origin and time the request was initiated,” says Barton. This phenomenon is known as MFA fatigue, a state of exhaustion with security checks among staff that hackers readily exploit.
Another approach sees the attacker compromise MFA reset tokens. “If an MFA reset token is accessed, it allows an attacker to disable and re-enable MFA on an account and potentially reset their password,” warns Barton.
The growth of AiTM
All modern organizations employ MFA as an integral part of their security infrastructure. It’s therefore no surprise that AiTM techniques are growing, as they have become “a successful way of seamlessly bypassing MFA”, says Barton.
The widespread business use of web-based applications adds to the temptation for attackers. “AitM attacks are particularly effective in environments that rely heavily on browser-based logins such as cloud software as a service (SaaS) platforms,” says Sergey Belov, director of information security at Acronis.
And they’re more efficient than traditional phishing attacks that aim to steal user credentials. “AiTM hijacks active authenticated sessions, allowing attackers to completely circumvent MFA security measures,” says Shobhit Gautam, security solutions architect at HackerOne.
They are also “quiet, hard to detect and separate from user behavior – which means they are unlikely to attract further investigation by experienced security analysts or IT admins”, Barton says.
Adding to the attraction for adversaries is the availability of sophisticated phishing kits and automation tools, says Rob O’Connor, CISO at Insight. These kits often mimic legitimate login portals, capturing user credentials and MFA tokens in real time, he says.
Gautam cites the example of open-source and commercial tools such as Evilginx2, Rockstar 2FA, Muraena, and Modlishka, which have “facilitated the launch of more sophisticated attacks”.
“These tools typically need little technical expertise, making them accessible to a wider range of threat actors,” he warns. “In addition, attackers can steal sensitive information without triggering alarms.”
Defending against MFA bypass attacks
The increasing ease at which attackers can potentially get around MFA is alarming, but thankfully, there are steps you can take to prevent this.
Fred Tromp, chief security architect at UBDS Digital advises a “strategic, multi-layered approach that integrates advanced security technologies, dynamic access controls, and proactive user education”.
“Organizations need to evaluate the risk these attacks pose and put in place proportionate controls that balance risk and user experience,” he says. But the risk of bypass doesn’t mean MFA isn’t effective. Barton says the first thing businesses should do is ensure MFA is enabled and enforced across the user base.
To prevent attackers from bypassing MFA, all basic security controls must be implemented and tested to verify they are effective, he warns. This includes email filtering, network traffic filtering, user education, proper logging, and “monitoring of anomalous account activity on a frequent basis”.
In addition, Laura Kankaala, threat intelligence lead at F-Secure outlines some methods to protect the business against phishing. “Consider enabling add-ons for browsers that block phishing sites. For business use, a good spam filter from your email provider is a good idea.”
In public cloud environments, MFA defenses can be enhanced to counteract impersonation token man-in-the-middle attacks through conditional access policies, says Andy Swift, cybersecurity assurance technical director at Six Degrees. These policies allow administrators to “enforce additional, seamless security measures beyond the username, password, and MFA token”.
For example, conditional access can include requiring log-ins to come from approved devices and authorized locations. “Impersonation token attacks often originate from unknown or foreign IP addresses,” he says.
Phil Skelton, business director, international at eSentire advises training users on how the organization approaches security for accounts and what should happen in the event that access is lost due to a broken device or a forgotten credential. “Stick to that process completely. This will keep people on their guard against MFA bypass attempts, so they are less likely to succeed.”
But even with positive cyber awareness training in place, companies still need to be vigilant. Attackers have “dramatically improved” the use of social engineering to manipulate users into unknowingly hand over their credentials or MFA codes, Moore says.
With this in mind, he says organizations need to “adopt phishing-resistant MFA such as FIDO2, use advanced threat detection, and implement a zero trust approach to continuously verify user activity”.
