Threat Awareness – Microsoft Detects Phishing Campaign Capable of Bypassing Multifactor Authentication and How to Protect Against It

Created: Thursday, July 14, 2022 - 12:38
Cybersecurity, Security Preparedness

Microsoft Security posted a blog detailing their team’s observations of a phishing campaign that targeted over 10,000 organizations and was able to bypass the multifactor authentication (MFA) process. The campaign begins with a phishing email that redirects the victim to a spoofed login site. The attacker replays the harvested credentials on the real site, which responds with an MFA challenge; that challenge is relayed back to the victim. Once the victim supplies the MFA response to the spoofed site, the attacker completes the login and obtains the session cookie, which provides continued access to the target site. Microsoft has named this technique an “adversary-in-the-middle” (AiTM) attack, also known as a session hijacking proxy attack. In this campaign, the threat actors focused on accessing the victims’ inboxes in order to conduct opportunistic business email compromise (BEC) fraud attempts.

More on session hijacking proxy attack/AiTM

Essentially, with this type of technique, the attacker establishes themselves between the client and the server. As in the Microsoft investigation, this can be accomplished by sending the victim a phishing email that entices them to visit a fake website at a “look-alike” or “sound-alike” URL. Once the user has fallen victim to an AiTM attack, everything the user sends can be intercepted by the attacker’s proxy server. In other words, when a session has been hijacked, the attacker is able to assume the authenticated user’s identity for the duration of the session. Additionally, MFA tools with longer reauthentication intervals give attackers extended periods of time to use stolen tokens/cookies to establish persistent access. Furthermore, according to Proofpoint, MFA phishing kits have evolved to leverage transparent reverse proxies, which let them launch man-in-the-middle (MitM) attacks on a browser session and steal credentials and session cookies in real time.

An interesting note on authentication tokens

According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 (who presented at WaterISAC’s January 2022 Cyber Threat Briefing), no matter how a person successfully authenticates, be it a simple password, biometrics, or MFA, the authentication token assigned to the identity after a successful authentication is usually the same for all authentication methods. Essentially, once the user has been successfully authenticated, the operating system issues a ticket/token/cookie that is subsequently used for all access control authorizations. Therefore, once an attacker obtains the access control token, it does not matter which authentication method (e.g., biometrics, FIDO2 key, SMS, application code, etc.) was used. Possession of the token is treated by the authorization process exactly as if the holder of that token had successfully authenticated. In other words, the authorization process has no way of knowing whether the current holder of that access control token is the legitimate user or the “adversary-in-the-middle.”

Mitigate against MFA bypass techniques

Defending against MFA bypass, including AiTM/session hijacking proxy attacks, should be focused on user education, since the technique does not exploit any inherent flaw in MFA architecture. Therefore, to reduce the risk and protect your utility and users from succumbing to MFA bypass, consider the following in your MFA implementation:

  • Fake it. Encourage users to never use real answers in response to recovery questions (and to use a password manager to securely store the fake answers).
  • Expire it. Set the session timeout before MFA is required again to the minimum acceptable timeframe (preferably at each login) so a threat actor cannot maintain persistence with a stolen session token/cookie.
  • Randomize it. Make sure user session identifiers are unique and randomly generated.
  • Monitor it. Monitor network logs continuously for suspicious activity.
  • Alert it. Implement appropriate security policies to alert on things like impossible logins (e.g., the same account signing in from two locations it could not have traveled between in the elapsed time).
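The following is an added example, not code from the WaterISAC advisory or from Microsoft’s post. It illustrates two points above in working code: the note that the authorization step only checks possession of an unexpired token, never how (or by whom) that token was obtained, and the “Expire it,” “Randomize it,” and “Alert it” controls from the mitigation list. The class and function names, the 15-minute lifetime, the speed threshold, and the sample login events are all constructed for the example.

```python
"""Toy session store plus an impossible-login detector (added example).
Names, timings, thresholds and the sample events are constructed."""
import hashlib
import math
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 15 * 60   # "Expire it": constructed policy value
MAX_SPEED_KMH = 900.0           # "Alert it": roughly airliner speed, constructed threshold
EARTH_RADIUS_KM = 6371.0


def _token_hash(token: str) -> str:
    # Store only a hash so a leaked session table does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Session:
    user: str
    auth_method: str   # recorded for audit only; authorize() never consults it
    issued_at: float


class SessionStore:
    def __init__(self, ttl: float = SESSION_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now            # injectable clock so expiry can be tested
        self._sessions: dict[str, Session] = {}

    def issue(self, user: str, auth_method: str) -> str:
        # "Randomize it": 256-bit token from the OS CSPRNG, unique and unguessable.
        token = secrets.token_urlsafe(32)
        self._sessions[_token_hash(token)] = Session(user, auth_method, self.now())
        return token

    def authorize(self, token: str):
        """Return the user the token belongs to, or None.

        Only two things are checked: the token exists and has not expired.
        Nothing here can tell whether the holder authenticated with a password,
        a FIDO2 key or an app code, nor whether the holder is the legitimate
        user. That is exactly the property the advisory describes."""
        key = _token_hash(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self.now() - session.issued_at > self.ttl:
            # "Expire it": a stale token is discarded and the user must re-authenticate.
            del self._sessions[key]
            return None
        return session.user


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in decimal degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def impossible_logins(events, max_speed_kmh: float = MAX_SPEED_KMH):
    """events: iterable of (epoch_seconds, user, (lat, lon)) login records.

    Flags a login when the same account would have had to travel faster than
    max_speed_kmh since its previous login. Returns a list of
    (user, previous_location, new_location, distance_km, elapsed_hours)."""
    alerts = []
    last_seen = {}
    for ts, user, loc in sorted(events, key=lambda e: (e[0], e[1])):
        if user in last_seen:
            prev_ts, prev_loc = last_seen[user]
            distance = haversine_km(prev_loc, loc)
            hours = (ts - prev_ts) / 3600.0
            speed = distance / hours if hours > 0 else math.inf
            if distance > 0 and speed > max_speed_kmh:
                alerts.append((user, prev_loc, loc, round(distance), round(hours, 2)))
        last_seen[user] = (ts, loc)
    return alerts


# Constructed sample login events: alice appears in Washington, DC and then in
# Amsterdam 30 minutes later; bob logs in twice from New York an hour apart.
SAMPLE_LOGINS = [
    (1_700_000_000, "alice", (38.90, -77.00)),
    (1_700_001_800, "alice", (52.37, 4.90)),
    (1_700_000_000, "bob", (40.71, -74.00)),
    (1_700_003_600, "bob", (40.71, -74.00)),
]

if __name__ == "__main__":
    store = SessionStore()
    tok = store.issue("alice", "fido2")
    print("authorized as:", store.authorize(tok))
    for alert in impossible_logins(SAMPLE_LOGINS):
        print("ALERT impossible login:", alert)
```

Running the script shows that a token issued after a FIDO2 login and one issued after a password login are indistinguishable to `authorize()`, that a token past its lifetime is rejected, and that alice's Washington-to-Amsterdam pair is flagged while bob's is not.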

Read more at Microsoft Security.