Phishing attacks are often conducted to obtain credentials in order to gain initial access to business networks; however, many businesses have implemented multi-factor authentication which prevents stolen credentials from being used to access accounts. With multi-factor authentication implemented, credentials alone are not sufficient as access will only be granted if one or more additional authentication mechanisms are navigated. Multifactor authentication can significantly improve protection against phishing attacks, but it does not guarantee protection against unauthorized account access, and multi-factor authentication bypass attacks are increasing.

To bypass multifactor authentication, threat actors typically use adversary-in-the-middle (AitM) techniques using a phishing-as-a-service (PhaaS) platform. PhaaS platforms such as EvilGinx, Muraena, and Modlishka use reverse proxy servers to steal session cookies that allow multi-factor authentication to be bypassed. In these attacks, the user is directed to the phishing site hosting the phishing kit and when they enter their credentials the site proxies them to the actual website that is targeted in real time. The website returns the MFA screen, which is proxied to the user, and when the user enters the additional authentication, it is proxied to the actual website. The MFA is successfully completed and a session cookie is returned, which is used by the attacker to access the targeted account as the genuine user. The phishing site redirects the user to another page, unaware that their account has been compromised. The attacker will be able to access the account for as long as the session cookie is active.

An alternative method of bypassing MFA is to use synchronous relay servers. This method is used by the Storm-1295 threat group, which provides the Greatness PhaaS platform. This PhaaS platform presents the user with a copy of the sign-in page for the website, similar to standard phishing attacks that only steal credentials. This method uses a phishing kit server that dynamically loads the phishing page and MFA request page and communicates with the PhaaS platform relay server through an API. The PhaaS platform provides a synchronous relay server to relay captured credentials and MFA codes to the sign-in service but does not proxy network traffic.

According to Microsoft, there has been a marked increase in AitM attacks this year which are being conducted through already established MFA-bypassing PhaaS platforms and there has also been an increase in phishing services incorporating AitM capabilities. Businesses need to ensure that they are properly protected against these phishing attacks. The first line of defense is still a spam filter, which will block the majority of phishing emails to ensure they do not land in inboxes where they can be clicked. SpamTitan Plus provides the best protection against phishing attacks. SpamTitan Plus has 100% coverage of ALL current market-leading anti-phishing feeds, which ensures 1.6x faster detection of phishing than all current market leaders.

End-user training is also important for improving resilience against phishing attacks. By providing ongoing training and phishing simulations, employees will learn how to recognize and avoid phishing attempts that are able to circumvent spam filters. SafeTitan is a comprehensive security awareness training and phishing simulation platform that user data shows can improve resilience to phishing by up to 80%.

The increase in the use of MFA-bypassing PhaaS platforms means businesses can no longer rely on standard MFA controls to protect their accounts. While any form of MFA is better than none, businesses should transition to the most secure MFA methods that are resistant to these phishing attacks, such as FIDO2 security keys and certificate-based authentication.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo