In today’s digital landscape, a single set of valid employee credentials can be all an attacker needs to infiltrate an organization, navigate through its systems, escalate their access, and gain access to confidential company data.
In the ongoing “cat-and-mouse” game, or “cyber arms race,” the security perimeter has continued to move: from network-based, to endpoint-based, and now to identity-based.
In fact, according to CrowdStrike’s 2023 Global Threat Report, 80% of cyberattacks now leverage stolen or compromised credentials, and malware-free activity represented 75% of malicious actor detections in 2023.
As organizations have become familiar with conventional brute-force, password spraying, and credential stuffing attacks, multi-factor authentication (MFA) has frequently been touted as a “fool-proof” solution.
Unfortunately, that’s simply not the case. Increasingly, malicious actors are leveraging phishing-driven man-in-the-middle (MitM), adversary-in-the-middle (AitM) and browser-in-the-middle (BitM) techniques to work around defenses like multi-factor authentication (MFA).
Today, there is a plethora of easy to use tools that can bypass MFA, steal session logins, and lead to damaging account takeover (ATO) situations.
Traditional Password Vulnerabilities and Attacks
As everyone knows, passwords alone no longer provide sufficient protection for accounts, owing to the many easy credential theft techniques, which include:
- Password Spraying. Rather than focusing on one account, attempting logins across many accounts with common passwords such as Password123!
- Credential Stuffing. Leveraging passwords featured in past data breaches associated with a particular user against their other accounts that use the same or a similar password.
- Brute-Force Attacks. Guessing numerous combinations until one works, usually leveraging breached password lists, dictionary attacks and more.
- Forgot My Password Question/Answer Attacks. Leveraging poorly implemented “forgot my password” functionality across systems that rely on “secret” question and answer pairs whose answers can be found through open-source intelligence gathering from sources like social media.
- Compromised Personal Devices. Personal devices often double as work devices in BYOD setups, creating risk if they are compromised.
The challenge is further exacerbated by the use of antiquated and arbitrary password complexity restrictions that force people to choose short passwords and reuse passwords across many systems.
In fact, it is notable that NIST no longer recommends enforcing complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength in NIST SP 800-63B.
Techniques and Tools of the Trade for MFA Bypass
Multi-factor authentication means that two or more elements are used to prove one’s identity, drawn from a set of possibilities that includes knowledge of something (such as a password), possession of something (such as a phone number, hardware key, or software key), inherence of something (biometric attributes), or location.
There are multiple methods that attackers commonly use to work around or bypass MFA, including:
- Classic SIM-swapping attacks. Most are aware that phone numbers (SMS/phone call) are one of the weakest factors to rely on, given the plethora of SIM swapping attacks that have occurred and received much media attention. As a refresher, a SIM swapping attack is a form of identity theft where a malicious actor takes control of a victim’s mobile phone number by fraudulently transferring it to a SIM card they own. This gives the malicious actor access to any SMS-based services or accounts linked to that phone number. This is usually accomplished when the malicious actor socially engineers the victim’s mobile carrier, posing as the victim, and requests a transfer of the phone number to a new SIM card that the malicious actor controls.
- Simple push notification fatigue. This social engineering tactic exploits users’ confusion and weariness when receiving multiple, repeated push notifications. A well-timed push notification request sent when a victim is logging on to their computer in the morning is, more often than not, the easiest way to bypass MFA and take over an account. If that doesn’t work, malicious actors just try again, and again, and again. They do this to overwhelm the victim in the hope that a push notification request will be approved out of habit, confusion or exhaustion.
- Reverse proxy attacks. This MFA bypass technique goes beyond conventional phishing attacks, where threat actors buy a deceptive domain, trick users into visiting a cloned website and then steal a password. Leveraging common tools such as Evilginx2, Evilginx3, Modlishka, and Muraena, malicious actors can insert themselves into the middle of the MFA authentication process by acting as a proxy. Instead of hosting a replica of a legitimate login page, the MitM server simply takes the content rendered by the legitimate login portal and relays it to the victim. When the target enters their password and MFA one-time password (OTP) code into the proxied page, the MitM proxy stores them and forwards them to the legitimate login page, resulting in a successful login. In most instances, the victim believes they’ve logged into the legitimate website, with no indication that they were compromised.
- Browser-in-the-middle attacks. One of the more complex MFA bypass techniques, and one that can be tough to defend against, is the Browser-in-the-Middle (BiTM) attack, which leverages tools like EvilNoVNC. Like the movie Inception, EvilNoVNC is a web browser inside a web browser. This technique involves a victim unknowingly interacting with a remote web browser that’s running on a malicious actor’s remote server. With EvilNoVNC, the attacker sets up a virtual browser that mirrors a legitimate website and sends a phishing link to the victim. When the victim logs in, they are actually entering credentials into the attacker’s remote browser, which then relays the information to the real site in real time.
Defense-in-Depth Recommendations for Protecting Against MFA Bypass Attacks
Organizations must evolve beyond relying on just multi-factor authentication to prevent account takeover attacks and compromised users. Using location-based factors with enterprise identity access management and single-sign-on solutions like Okta and Entra ID (formerly Azure AD) is becoming common, with features like Impossible Travel Detection and Velocity Behavior Detection to identify and block suspicious login attempts.
Here are some specific measures to strengthen defenses against MFA bypass attacks:
- Set a secure mobile carrier PIN to protect against SIM-swapping attacks. Encourage employees to set a secure PIN with their mobile carrier to guard against SIM swapping attacks. This extra layer of verification with the carrier can prevent attackers from fraudulently transferring a victim’s phone number to a new SIM card and compromising the SMS-based authentication methods that legacy solutions still rely on.
- Leverage app-based MFA with additional login context. Leverage app-based MFA with push notifications, location context and reverse number matching, reducing the likelihood of accidental approvals during push notification fatigue attacks.
- Configure impossible travel detection and risk-based sign-in (Entra ID and Defender for Identity). Enable Impossible Travel Detection in your identity provider to flag logins that occur from geographically distant locations in a short timeframe. Use Risk-Based Sign-In to assess the likelihood of compromised credentials, blocking or challenging high-risk attempts based on behavioral analytics and location anomalies. This combination helps detect and prevent unauthorized access by identifying suspicious login patterns in real time.
- Deploy phishing-resistant FIDO2 keys for VIPs and administrators. FIDO2 U2F USB security keys, such as Yubico keys, offer an even more secure alternative to push notifications by binding the authentication to the URL. This helps prevent AiTM and BiTM attacks: even if users are tricked into visiting a fraudulent site, the key won’t work on untrusted domains.
- Implement conditional access policies (Intune and Defender for Identity). Require Microsoft Intune to verify that devices meet security standards before granting access to cloud apps; better yet, require devices that log into Microsoft 365 to be registered corporate devices. In this situation, only compliant devices can access corporate resources, preventing compromised credentials from being used to exfiltrate company emails and documents stored in your Microsoft 365 environment. In conjunction with Impossible Travel Detection, Intune location-based conditional access policies can mark geographical boundaries as ‘trusted’. This way, login attempts from untrusted or anomalous locations are automatically blocked, which is particularly effective against attacks originating from specific regions.
While no single solution is a cybersecurity “silver bullet,” a layered defense approach minimizes the chances of the account takeover situations that have become so widespread today. ■
References and Resources
- Okta: Add a Velocity Behavior
- Microsoft: Create Defender for Cloud Apps anomaly detection policies
- Microsoft: Require phishing-resistant multifactor authentication for administrators
- Microsoft: Create a device-based Conditional Access policy
- Microsoft Entra Blog: All your creds are belong to us!
- Microsoft Entra Blog: Your Pa$$word doesn’t matter
- Verizon: 2024 Data Breach Investigations Report
- Cognisys: How to protect against AiTM/Evilginx phishing attacks
- Microsoft: How to use additional context in Microsoft Authenticator notifications – Authentication methods policy
- Microsoft Security Blog: From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud