
Threat Awareness – MFA Bypass Attacks Keep Getting Easier to Execute

Created: Tuesday, March 26, 2024 - 12:26
Categories:
Cybersecurity

As Phishing-as-a-Service (PhaaS) offerings continue lowering the barrier to entry for low-skilled threat actors, “Adversary-in-the-Middle” (AiTM) attacks have become much less technical to execute. Open-source toolkits make phishing campaigns accessible to even the most novice threat actors. With such frameworks, actors can easily create custom Microsoft 365 login pages and mimic other popular websites such as Amazon, Google, LinkedIn, Facebook, and X (formerly Twitter) to conduct opportunistic or highly targeted phishing campaigns. Recent analysis by Sekoia highlights a newly discovered AiTM phishing kit being used by threat actors to circumvent MFA on Microsoft and Gmail accounts.

According to the analysis:

  • Attackers are distributing malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
  • Users are then presented with a security challenge (CAPTCHA) to filter out bots, allowing only human interactions to proceed to the deceptive phishing site.
  • After a few stealthy intermediate steps, the kit mimics a 2FA challenge, intercepting the 2FA token or response so that MFA no longer blocks the account takeover.
  • Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack's success.

For a brief overview of the Sekoia analysis, visit BleepingComputer.

With MFA bypass being reported more frequently, and given threat actors’ propensity to target the world’s most used platforms (Microsoft, Google, etc.), it’s crucial for members to be aware of the different techniques being observed, to know how best to protect against them, and to share the latest campaigns with end users through security awareness training and reminders that help them recognize these malicious emails. Mitigation practices that reduce the risk of AiTM attacks rely on a defense-in-depth security approach, which includes regular user training and network monitoring. Members are encouraged to review the following post from the Center for Internet Security (CIS) for more details on AiTM attacks and mitigations.

Relevant resource previously shared by WaterISAC: