Multifactor authentication (MFA) continues to be a robust security measure. However, recent developments indicate that MFA is not as bulletproof as it once was. Attackers are finding new ways to circumvent MFA controls, prompting a need for additional protection.
The New MFA Threat Landscape
Attackers have commoditized methods to bypass MFA, making it easier for bad actors to circumvent it. For example, last fall Microsoft, Uber and Cisco all experienced a network breach because of MFA Spamming. In this kind of attack, bad actors generate a flood of MFA verification calls, emails, or other prompts, to make the targeted user confused or frustrated enough to approve the login. Click here to learn how to protect yourself from MFA fatigue.
More recently, Phishing emails are being used to initiate adversary-in-the-middle (AiTM) attacks, where MFA tokens are stolen in real-time. Here’s how AiTM often works:
Step 1 – Phishing Email: Users are tricked into visiting a fake login page resembling Microsoft 365. They unwittingly enter their username and password.
Step 2 – Token Theft: The attackers immediately use the legitimate credentials to log in to the actual Microsoft site. The user receives an MFA prompt, which they approve.
Step 3 – Token Acquisition: With the MFA approved, attackers gain access to the token.
Step 4 – Business Email Compromise (BEC) Campaign: Attackers then use the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
If you have questions about MFA or anything else cyber-security related, our cybersecurity experts are here to help. Feel free to reach out to us at any time.