How to Protect Against MFA Bypass Attacks

In the world of cybersecurity best practices, multi-factor authentication (MFA) stands as a crucial defense against cyber threats. However, as security measures evolve, so do the tactics of malicious actors. Enter MFA bypass attacks: the techniques cybercriminals use to undermine the additional layers of security MFA provides and gain unauthorized access to sensitive data and systems.

Here’s how to protect yourself from the latest cybersecurity threat.

Understanding MFA Bypass Attacks

MFA bypass attacks involve cunning maneuvers aimed at circumventing the additional layers of security, such as one-time passwords, digital tokens or biometric authentication, that MFA brings to the table. These tactics, often referred to as single sign-on (SSO) impersonation, exploit the trust associated with SSO systems like Okta, LastPass and OneLogin, granting unauthorized access to various interconnected services. 

These attackers employ an array of methods, from social engineering to phishing and exploiting authentication process vulnerabilities.

MFA bypass works by abusing the authentication flow itself. When a user logs in to a website, the site validates them, with or without multi-factor authentication, and then issues a “session token” that is stored in their browser. When the website later sees that session token, it treats the user as already signed in.

Threat actors hijack this flow by setting up a phishing website that forwards traffic to the real destination and lets the user log in, with or without multi-factor authentication. The user really is logging in to the correct website, but through a site the threat actor controls.

After the user logs in, the real website sends the session token to the user. Because the traffic passes through the threat actor’s site, the attacker also receives a copy and can load it into their own browser. Once loaded, it needs no password or multi-factor authentication, because possessing it is proof that the user already logged in.

But what exactly are these attackers after?

When assailants target MFA systems, they aim to exploit specific MFA components, such as the password (something the user knows), the token (something the user has) or the biometric data (something the user is). To shield your organization from such threats, it’s imperative to remain vigilant and implement robust security defenses.

And, if you want to learn more about cybercrime prevention, we’ve got a handy free guide on the subject.

Common MFA Bypass Attack Techniques

There are three common types of MFA bypass attacks: MFA fatigue, man-in-the-middle and token theft. Each of these attacks targets specific vulnerabilities within the MFA system.

  1. MFA fatigue: In this attack, cybercriminals obtain stolen username and password credentials and repeatedly attempt logins to the targeted users’ accounts. For organizations where users have push or SMS notifications enabled as part of their MFA protection, attackers bombard them with login verification requests. Users may eventually click on the link or confirmation request out of frustration or by accident, giving the threat actor a way in.
  2. Man-in-the-middle: Also known as session hijacking or real-time phishing, this attack involves threat actors establishing a fake authentication webpage to trick users into entering their credentials. With MFA widely used today, attackers need both the username/password combination and the digital token or one-time password used as the second form of authentication. Attackers insert themselves between the targeted user and the legitimate login page, often using SMS texts or emails to entice users to click on links that direct them through a malicious proxy server. With the proxy in place, attackers can capture credentials, modify session cookies and immediately access the targeted company’s systems.
  3. Token theft: In this attack, threat actors steal session cookies stored on endpoint devices, which are used to avoid re-authentication during user sessions. By placing the stolen session cookies within their sessions, attackers trick browsers into believing they are the trusted users being authenticated. Once in, attackers can perform actions authorized by the trusted user.
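The first and third techniques above leave distinct footprints in identity-provider sign-in logs: a burst of push prompts against one account, and a session identifier later presented from a different network location or client than the one it was issued to. The following detection logic is an added example (not from the original article); the log records are constructed and the field layout is an assumption, not any vendor's real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real log data). Each record is
# (timestamp, user, event, source IP, client, session id).
# alice: prompt bombing from an attacker host until she approves.
# bob:   normal sign-in, session used from the same device it was issued to.
# carol: legitimate sign-in, but her session cookie is later replayed from elsewhere.
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "push_sent",      "198.51.100.4", "Firefox/Linux", None),
    ("2024-03-01T09:00:40", "alice", "push_sent",      "198.51.100.4", "Firefox/Linux", None),
    ("2024-03-01T09:01:20", "alice", "push_sent",      "198.51.100.4", "Firefox/Linux", None),
    ("2024-03-01T09:01:50", "alice", "push_sent",      "198.51.100.4", "Firefox/Linux", None),
    ("2024-03-01T09:02:00", "alice", "push_approved",  "198.51.100.4", "Firefox/Linux", None),
    ("2024-03-01T09:02:01", "alice", "session_issued", "198.51.100.4", "Firefox/Linux", "S-111"),
    ("2024-03-01T10:00:00", "bob",   "push_sent",      "192.0.2.10",   "Safari/Mac",    None),
    ("2024-03-01T10:00:15", "bob",   "push_approved",  "192.0.2.10",   "Safari/Mac",    None),
    ("2024-03-01T10:00:16", "bob",   "session_issued", "192.0.2.10",   "Safari/Mac",    "S-222"),
    ("2024-03-01T10:30:00", "bob",   "session_used",   "192.0.2.10",   "Safari/Mac",    "S-222"),
    ("2024-03-01T11:00:00", "carol", "push_sent",      "192.0.2.20",   "Chrome/Win",    None),
    ("2024-03-01T11:00:10", "carol", "push_approved",  "192.0.2.20",   "Chrome/Win",    None),
    ("2024-03-01T11:00:11", "carol", "session_issued", "192.0.2.20",   "Chrome/Win",    "S-333"),
    ("2024-03-01T11:45:00", "carol", "session_used",   "198.51.100.4", "Firefox/Linux", "S-333"),
]

def detect_mfa_fatigue(events, window_s=120, threshold=3):
    """Return users who received >= threshold push prompts inside any window_s-second
    window. A single account being prompted again and again is the MFA-fatigue signature."""
    prompts = defaultdict(list)
    for ts, user, ev, *_ in events:
        if ev == "push_sent":
            prompts[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in prompts.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_s))
            if in_window >= threshold:
                flagged.add(user)
                break
    return flagged

def detect_session_reuse(events):
    """Return (user, session id) pairs where a session was presented from a different
    IP or client than it was issued to: the footprint of a replayed, stolen cookie."""
    issued, flagged = {}, set()
    for _, user, ev, ip, client, sid in events:
        if ev == "session_issued":
            issued[sid] = (ip, client)
        elif ev == "session_used" and sid in issued and issued[sid] != (ip, client):
            flagged.add((user, sid))
    return flagged
```

In production the same logic runs over the identity provider's sign-in export; the thresholds are tuning knobs, and a location change alone (mobile users roam) is weaker evidence than a simultaneous change of IP and client.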

Recent Examples of Bypass Attacks

MFA bypass attempts have made headlines recently due to their successful execution against organizations such as Uber, Reddit, Twilio and Electronic Arts. These attacks have highlighted the vulnerabilities of enterprise systems and data and the need for advanced security measures to counteract them.

For example, in the Uber breach, threat actors used MFA fatigue to trick Uber employees into approving login requests. Reddit, Twilio and Cloudflare also experienced man-in-the-middle attacks, where attackers successfully captured employee credentials and two-factor authentication tokens. 

Reddit CTO Christopher Slowe had this to say about the event: “On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens.”

Electronic Arts fell victim to a token theft attack, enabling cybercriminals to access their Slack instance and steal sensitive data.

The Insidious Nature of Evasive Attack Techniques

MFA bypass attempts and other highly evasive adaptive threats (HEAT) take advantage of the vulnerabilities in enterprise systems and the proliferation of network and endpoint security tools that do not adequately protect web browsers. These attacks evade existing security measures and target the web browser, which is increasingly used for productivity purposes.

These attacks are particularly dangerous because they occur in real time, allowing cybercriminals to exploit vulnerabilities before traditional security measures can be updated. They also rely on social engineering techniques to deceive individuals into compromising their security.

Preventing Attacks

To effectively defend against these types of attacks and other HEAT techniques, enterprises should focus on preventative solutions that provide visibility into the web browser. It is crucial to detect and respond to these attacks in real time and implement adaptive security controls directly within the browser. 

Smart businesses also draw on outside cybersecurity expertise by outsourcing security monitoring to a security operations center (SOC), which monitors, detects, analyzes and responds to security incidents 24/7/365.

Leveraging Microsoft Intune for Enhanced Protection

Microsoft Intune, an endpoint management and security platform, can play a pivotal role in fortifying your organization against MFA bypass attempts. Intune lets users register their computers and mobile devices, so whenever a user signs in to Microsoft, Microsoft also sees exactly which device they are signing in from. An administrator can then apply a policy to the account that only allows sign-ins from trusted devices.

The phishing methods described above then fail: the threat actor’s website, which relays the login to Microsoft, is not a device enrolled in Microsoft Intune, so the authentication stops there.

With Intune, you can implement conditional access policies that require device registration, ensuring that only compliant and secure devices gain access to sensitive data and applications. 

This proactive measure substantially reduces the risk of unauthorized access through MFA bypass tactics.
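To make the device-registration gate concrete, here is an added example (not Microsoft's or Intune's code) of a minimal identity-provider model that applies the same rule: valid password plus valid MFA is still refused unless the request comes from an enrolled device, and any session token it issues is bound to that device. Device identity is modelled as a plain string the server trusts; in a real deployment it is asserted by a device credential the phishing proxy cannot forge. All names and values are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed, in-memory stand-in for an identity provider enforcing a
# "require enrolled device" conditional access rule. Not Entra/Intune code.
SERVER_KEY = secrets.token_bytes(32)
ENROLLED = {"alice": {"LAPTOP-7F3A"}}   # user -> enrolled device IDs (constructed)

def mint_token(user, device_id):
    """Issue a session token bound to the device that authenticated."""
    payload = f"{user}|{device_id}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def login(user, device_id, password_ok, mfa_ok):
    """Conditional access: credentials and MFA must pass AND the request must
    originate from a device enrolled for this user. Returns a token or None."""
    if not (password_ok and mfa_ok):
        return None
    if device_id not in ENROLLED.get(user, set()):
        return None  # the attacker's relay host is not an enrolled device
    return mint_token(user, device_id)

def use_token(token, device_id):
    """Accept a token only if its signature verifies and the presenting device is
    the one it was bound to, so a copied token is useless on another machine."""
    try:
        user, bound_dev, sig = token.split("|")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{bound_dev}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or bound_dev != device_id:
        return None
    return user

def scenario():
    """The flow from the article: the victim supplies a correct password and MFA,
    but the identity provider sees the attacker's unenrolled relay, not her laptop."""
    via_proxy = login("alice", "ATTACKER-PROXY", True, True)   # refused by device gate
    direct = login("alice", "LAPTOP-7F3A", True, True)         # allowed
    replayed = use_token(direct, "ATTACKER-PC")                # stolen copy refused
    return via_proxy is None, direct is not None, replayed is None, use_token(direct, "LAPTOP-7F3A")
```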

Moreover, Intune empowers you to enforce mobile application management (MAM) policies, control device compliance and integrate with Microsoft Defender for Endpoint for advanced threat detection and response. 

By combining device registration with Intune’s capabilities, your organization can create a robust defense strategy against this new cyber threat, enhancing security across your digital landscape. 

If you’re unsure how secure your work environment currently is, we offer a free vulnerability assessment.

The Road To Enhanced Security: Next Steps

Ultimately, applying adaptive security measures within your organization’s web browser, leveraging Microsoft Intune and educating coworkers about the risks of MFA bypass attempts enable organizations to effectively halt attacks before they impact devices or systems and expose sensitive data. 

As an MSP, we can help your business implement robust security measures and protect against MFA bypass attacks. Our team of cybersecurity professionals stays updated on the latest attack techniques and can provide tailored solutions to safeguard your organization’s sensitive data and systems. If you have any questions about cybersecurity or need a refresher on the latest in cyber threats, contact us or book a meeting.


Chaim Black

Chaim Black is a Cyber Security Analyst, providing a full scope of IT and cybersecurity services to a wide range of businesses, municipalities and manufacturing plants.
