Why MFA May Not Be Securing Your Accounts Anymore

April 11, 2024

Increasingly, organizations are becoming victims of phishing campaigns designed to bypass Multi-Factor Authentication (MFA) in Microsoft 365, Google, Adobe, DocuSign, and other secure services. Sophisticated techniques have become increasingly easy and common for cybercriminals to acquire and deploy. These new MFA bypass capabilities are limiting the effectiveness of Multi-Factor Authentication and requiring organizations to re-emphasize basic phishing and security awareness training so that users can spot phishing and suspicious emails.

How is MFA Bypassed on Secure Accounts?

The simplest explanation for how MFA is being bypassed on these secure platforms is that cybercriminals are using proxy servers and middleware not only to capture phished credentials from unsuspecting users, but also to relay the MFA response the user submits, so that it authenticates the bad actor into the secure account. Once the bad actor has gained access to the compromised user session, they add additional MFA devices to the now compromised account so they can authenticate themselves back in at any future time.

Here are 4 ways cybercriminals bypass MFA:

  1. Use of Phishing Toolkits: Attackers use phishing toolkits like EvilProxy and Tycoon 2FA that employ reverse-proxy tactics to bypass MFA. These toolkits provide a simple GUI to run and manage their campaigns.
  2. Targeting Specific Roles: Attackers are improving their techniques and even filtering compromised targets by their organizational roles in an automated manner. For instance, out of hundreds of accounts accessed by attackers, 39% were C-level executives, 17% were chief financial officers, and 9% were presidents and CEOs.
  3. Impersonating Trusted Services: The phishing messages masquerade as automated emails generated by trusted services or applications such as the business expense management system Concur, DocuSign, and Adobe Sign.
  4. Stealing Session Cookies: In Tycoon 2FA attacks, the threat actor steals session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim’s input and relays it to the legitimate service. Once the user completes the MFA challenge and the authentication is successful, the server in the middle captures the session cookies. This way, the attacker can replay the user’s session and bypass MFA mechanisms.
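The cookie replay in item 4, and the follow-on step of registering a new MFA device for persistence described earlier, both leave a trace in sign-in and audit logs. The script below is an added example (not from the original post) that flags a session id reused from a different network shortly after an MFA-satisfied sign-in, and then a security-info registration from that same network. The event schema and sample records are constructed and simplified, not a real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs, in an assumed simplified schema.
# Event 2 models an AitM replay: session S1 reappears minutes later from another
# network with no MFA prompt, because the stolen cookie already carries the MFA claim.
SIGN_INS = [
    {"ts": "2024-04-11T09:00:00", "user": "cfo@example.com", "session": "S1", "asn": "AS64500", "mfa_prompted": True},
    {"ts": "2024-04-11T09:04:00", "user": "cfo@example.com", "session": "S1", "asn": "AS64501", "mfa_prompted": False},
    {"ts": "2024-04-11T10:00:00", "user": "ap@example.com", "session": "S2", "asn": "AS64500", "mfa_prompted": True},
    {"ts": "2024-04-11T10:20:00", "user": "ap@example.com", "session": "S2", "asn": "AS64500", "mfa_prompted": False},
]
# Constructed audit event: a new MFA method registered from the replaying network.
AUDITS = [
    {"ts": "2024-04-11T09:06:00", "user": "cfo@example.com", "asn": "AS64501", "action": "User registered security info"},
]

def _t(s):
    return datetime.fromisoformat(s)

def detect_session_replay(sign_ins, window_minutes=60):
    """One finding per session id reused without an MFA prompt from a different
    ASN within the window of its first sign-in: the stolen-cookie replay pattern."""
    by_session = defaultdict(list)
    for e in sorted(sign_ins, key=lambda e: e["ts"]):
        by_session[(e["user"], e["session"])].append(e)
    findings = []
    for (user, sess), events in by_session.items():
        first = events[0]
        for later in events[1:]:
            if later["asn"] != first["asn"] and not later["mfa_prompted"] and \
                    _t(later["ts"]) - _t(first["ts"]) <= timedelta(minutes=window_minutes):
                findings.append({"user": user, "session": sess, "first_asn": first["asn"],
                                 "replay_asn": later["asn"], "replay_ts": later["ts"]})
                break
    return findings

def detect_persistence_after_replay(sign_ins, audits, window_minutes=60):
    """Replay findings followed by an MFA-method registration from the replaying
    network: the attacker adding their own device, as described above."""
    hits = []
    for f in detect_session_replay(sign_ins, window_minutes):
        for a in audits:
            delta = _t(a["ts"]) - _t(f["replay_ts"])
            if (a["user"] == f["user"] and a["asn"] == f["replay_asn"]
                    and "registered security info" in a["action"].lower()
                    and timedelta(0) <= delta <= timedelta(minutes=window_minutes)):
                hits.append((f["user"], f["session"], a["ts"]))
    return hits
```

In a real tenant the ASN or named-location field comes from the identity provider's sign-in log; the same logic applies once the events are mapped into this shape.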

What does this mean for MFA?

MFA is still a good defense against password and phishing compromises, but the same mistaken user action of clicking a compromised link in an email or website and entering secure account credentials (being phished) may now also hand the bad actor the MFA authentication needed to get into the secured account.

When only account credentials are compromised, and the user is not actively involved in the login attempt to provide their MFA authentication, MFA protection will likely still hold as a layer of defense that prevents unauthorized account access. So MFA remains an effective layer of defense for securing accounts.

How do I further protect my Microsoft 365 account?

With MFA not the holistic solution many users hoped for, organizations need to fall back on additional, more reliable security controls, while considering some more restrictive measures that could help harden MFA but might have unintended consequences.

  • Security Awareness Training – the oldest and best protection against any phishing or cybersecurity compromise is Security Awareness Training: good old-fashioned training videos, employee in-services, and email phishing simulations that train employees on what to watch for and keep them on their toes.
  • Disable Administrative Access – make all email-enabled and production Microsoft 365 accounts standard, non-administrative accounts. Use unlicensed accounts as administrative accounts to limit their exposure to direct compromise.
  • IP-Restricted Conditional Access – enable Conditional Access for Microsoft 365 logins so that MFA authentication is only allowed from known IP addresses.
  • Risk-Based Sign-In Protection – enable Conditional Access policies that prompt for MFA re-authentication when risky events occur, such as IP address changes, impossible travel to atypical locations, and unfamiliar sign-ins.

When enabling additional restrictive policies, such as Conditional Access, there may be unintended consequences, such as blocked legitimate sign-in requests and inconvenience to users.