MFA Bypassed - Adversary-in-the-Middle Phishing Explained
Basically, attackers are stealing your login session without needing your password.
Adversary-in-the-middle phishing attacks are bypassing MFA, posing a serious risk to organizations. Employees may unknowingly compromise their sessions, leading to potential breaches. It's time to rethink security strategies and adopt phishing-resistant authentication methods.
The Threat
Adversary-in-the-middle (AiTM) phishing has emerged as a formidable threat to multi-factor authentication (MFA). Unlike traditional phishing, which relied on fake login pages, AiTM attacks utilize proxies that sit between users and legitimate services, capturing the entire authentication flow in real time. This means that even if an employee follows all security protocols, their session token can still be stolen without their knowledge.
These attacks have evolved significantly, making them harder to detect. Employees may see a successful login, but in reality, attackers are silently hijacking sessions. With over 90% of credential compromise attacks expected to involve sophisticated phishing kits by the end of 2026, organizations must understand this new threat landscape.
Who's Behind It
The rise of phishing-as-a-service platforms has democratized access to these sophisticated attack methods. Tools like Evilginx allow even low-skilled attackers to execute complex AiTM phishing attacks. As a result, organizations are facing threats that were once the domain of advanced nation-state actors. The ease of access to these tools means that anyone with a credit card can launch an attack, increasing the urgency for organizations to adapt their defenses.
Tactics & Techniques
Adversary-in-the-middle attacks exploit three critical failures in current security practices. First, many security awareness programs still focus on outdated phishing tactics, failing to address the reality of modern threats. Second, organizations often place too much trust in session cookies, treating them as sacred tokens without adequate protection. Third, incident response plans typically focus on compromised passwords rather than the more pressing issue of session theft.
To combat these tactics, organizations must shift their focus to phishing-resistant authentication methods, such as FIDO2 security keys, which bind authentication to specific devices and domains. This prevents attackers from replaying stolen session tokens.
Defensive Measures
Organizations need to rethink their security strategies in light of these evolving threats. Implementing phishing-resistant authentication is crucial. FIDO2 security keys and passkeys can significantly reduce the risk of session hijacking by ensuring that authentication requests come from legitimate sources.
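What "binding authentication to a domain" means on the server side is easiest to see in the checks a relying party performs on a WebAuthn (FIDO2) assertion. The following is an added example, not code from the article or from CSO Online: the relying party accepts an assertion only if the browser-reported origin is one of its own and the rpIdHash in the authenticator data is the hash of its registered RP ID, so an assertion produced on a look-alike domain cannot satisfy it. The RP ID, the allowed origin, the look-alike domain and the challenge are all constructed for the example, and the final public-key signature check is assumed to be done by a WebAuthn library. Note that this binding protects the login ceremony itself; a session cookie issued after a genuine login is a separate asset that still needs the monitoring described below.

```python
import base64
import hashlib
import json
import secrets
import struct
from typing import Tuple

# Relying-party (RP) configuration; both values are constructed for this example.
RP_ID = "example.com"                          # domain the credential was registered for
ALLOWED_ORIGINS = {"https://login.example.com"}  # origins this RP serves its login page from


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> Tuple[bool, str]:
    """Server-side checks that bind a WebAuthn assertion to this RP.

    The authenticator signs authenticator_data || SHA-256(client_data_json),
    so a proxy cannot rewrite any of these fields without invalidating the
    signature. Verifying that signature against the stored public key is the
    final step and is assumed to be handled by a WebAuthn library.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one this RP issued"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not belong to this RP"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "assertion is bound to this RP and origin"


# Helpers that build what a browser would send; used only to drive the demo.
def build_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    flags = 0x05  # UP (user present) | UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    # Genuine flow: the browser on login.example.com reports its real origin.
    genuine = check_assertion_binding(
        build_client_data("https://login.example.com", challenge),
        build_authenticator_data("example.com"), challenge)
    # Relayed flow: the same challenge reaches the user via a look-alike domain
    # (constructed name). The browser fills in the origin it is actually on and
    # derives the RP ID from that domain, so the RP's checks cannot pass.
    relayed = check_assertion_binding(
        build_client_data("https://login.example-com.net", challenge),
        build_authenticator_data("example-com.net"), challenge)
    return {"genuine": genuine, "relayed": relayed}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
```

The origin check fires first in the relayed case, but the rpIdHash check would reject it independently; both values are filled in by the browser from the page's actual location, which is why a password-and-OTP flow can be relayed and a FIDO2 ceremony cannot.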
Additionally, organizations should monitor for session anomalies rather than just failed logins. This includes tracking impossible travel patterns and unusual MFA device registrations. Security awareness training should also be adjusted so that employees are taught to avoid clicking login links in emails and instead navigate directly to services. These proactive measures can help organizations stay ahead of sophisticated phishing attacks.
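The two session anomalies named above can be detected from an identity provider's sign-in audit log with fairly little code. The following is an added example, not from the article: it reads a constructed sign-in log, flags successive sign-ins by one user whose implied travel speed is impossible, and flags an MFA method registration that follows shortly after a sign-in from an IP address the user has never used before. The log format, users, IP addresses and coordinates are made up for the example, and the speed and time thresholds are assumptions to tune per environment.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timezone

# Assumed thresholds; tune to your user population.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # faster than any commercial flight
NEW_LOCATION_WINDOW_MIN = 60       # MFA enrolment this soon after a new IP is suspicious

# Constructed sample log, loosely modelled on a cloud identity provider's audit
# export. Every field and value is made up; "geo" is [latitude, longitude].
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:02:11Z","user":"alice","event":"signin","ip":"203.0.113.10","geo":[51.51,-0.13],"result":"success"}
{"ts":"2024-05-01T09:40:03Z","user":"alice","event":"signin","ip":"198.51.100.7","geo":[40.71,-74.01],"result":"success"}
{"ts":"2024-05-01T09:44:30Z","user":"alice","event":"mfa_register","ip":"198.51.100.7","geo":[40.71,-74.01],"method":"authenticator_app"}
{"ts":"2024-05-01T10:15:00Z","user":"bob","event":"signin","ip":"192.0.2.55","geo":[48.86,2.35],"result":"success"}
{"ts":"2024-05-01T12:30:00Z","user":"bob","event":"signin","ip":"192.0.2.56","geo":[50.85,4.35],"result":"success"}
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_log(text: str) -> list:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(text: str) -> list:
    alerts = []
    last_signin = {}                    # user -> last successful sign-in event
    first_seen_ip = defaultdict(dict)   # user -> ip -> first time that ip was seen
    for e in parse_log(text):
        user, ip = e["user"], e["ip"]
        first_seen_ip[user].setdefault(ip, e["ts"])
        if e["event"] == "signin" and e.get("result") == "success":
            prev = last_signin.get(user)
            if prev and prev["ip"] != ip:
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                km = haversine_km(prev["geo"], e["geo"])
                # A zero interval with a different location is treated as impossible too.
                if hours == 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    alerts.append({"kind": "impossible_travel", "user": user,
                                   "from_ip": prev["ip"], "to_ip": ip, "km": round(km),
                                   "speed_kmh": None if hours == 0 else round(km / hours),
                                   "at": e["ts"].isoformat()})
            last_signin[user] = e
        elif e["event"] == "mfa_register":
            # Enrolling a new factor right after the first sign-in from an unseen IP
            # is the pattern of an attacker cementing access to a hijacked session.
            age_min = (e["ts"] - first_seen_ip[user][ip]).total_seconds() / 60
            if age_min <= NEW_LOCATION_WINDOW_MIN:
                alerts.append({"kind": "mfa_register_new_location", "user": user,
                               "ip": ip, "method": e.get("method"),
                               "minutes_since_ip_first_seen": round(age_min, 1),
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(json.dumps(alert))
```

In the sample log, alice's second sign-in is about 5,570 km from her first but only 38 minutes later, and an authenticator app is enrolled from that new IP four minutes after it first appears, so both alerts fire for her; bob's two sign-ins are a plausible drive apart and produce nothing. In production the two rules would run over the provider's real export and the thresholds would be set from observed travel of the user base.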
CSO Online