Multifactor authentication (MFA) continues to be a robust security measure. However, recent developments indicate that MFA is not as bulletproof as it once was. Attackers are finding new ways to circumvent MFA controls, prompting a need for additional protection.
The New MFA Threat Landscape
Attackers have commoditized methods to bypass MFA, making it easier for bad actors to circumvent it. For example, last fall Microsoft, Uber and Cisco all experienced a network breach because of MFA Spamming. In this kind of attack, bad actors generate a flood of MFA verification calls, emails, or other prompts, to make the targeted user confused or frustrated enough to approve the login. Click here to learn how to protect yourself from MFA fatigue.
More recently, Phishing emails are being used to initiate adversary-in-the-middle (AiTM) attacks, where MFA tokens are stolen in real-time. Here’s how AiTM often works:
Step 1 – Phishing Email: Users are tricked into visiting a fake login page resembling Microsoft 365. They unwittingly enter their username and password.
Step 2 – Token Theft: The attackers immediately use the legitimate credentials to log in to the actual Microsoft site. The user receives an MFA prompt, which they approve.
Step 3 – Token Acquisition: With the MFA approved, attackers gain access to the token.
Step 4 – Business Email Compromise (BEC) Campaign: Attackers then use the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
How to reinforce MFA to prevent AiTM attacks
To counter AiTM attacks, organizations are starting to go beyond traditional MFA. One recommended approach involves using “trusted devices.” By restricting access to legitimate business systems, companies can thwart attackers. Even if they perform the AiTM trick, the lack of a trusted endpoint prevents successful token usage. And while other methods like hardware keys exist, trusted devices are a more practical solution that most businesses can employ.
The increasing number of methods for circumventing MFA illustrates why security is an ongoing effort. If your security protections don’t evolve in response to changes in the threat landscape, it won’t be long before a new attack sneaks past your defenses and impacts your bottom line. If you are looking for ways to keep current with evolving threats and protections, visit our Managed Security page to learn more.
