Security experts have long recommended that multi-factor authentication be implemented to protect against phishing attacks and for good reason. Single-factor authentication – a password – provides a degree of protection against unauthorized account access; however, with modern GPUs, it is possible to automate brute force attempts to guess passwords and many passwords can be cracked quickly, especially if the passwords are weak. Phishing attempts seek access to credentials and if a user discloses their password on a phishing site, if the password is the only form of authentication required, the attacker will be able to gain access to the account.
Multi-factor authentication requires an additional form of authentication before account access is provided. If a password is guessed in a brute force attack or if the password is compromised in a phishing attack, access to the account will not be granted unless an additional form of authentication is provided. Multi-factor authentication will therefore greatly improve security, and more and more businesses are heeding the security advice and are adding multi-factor authentication to their accounts. It would be a mistake, however, to believe that multi-actor authentication is infallible, as it is possible to bypass this security safeguard, and threat actors are increasingly using a phishing kit that allows them to access MFA-protected accounts. The phishing kit allows a threat actor to conduct an adversary-in-the-middle attack and get around multi-factor authentication.
The attack starts like any other phishing attempt with initial contact made via email (or text message). The communication contains a ruse to get the user to click a link, such as a message indicating a contact has shared a file. The link directs the recipient to a website hosting the phishing kit, and to view the shared document they are required to enter their credentials. If the credentials are entered they are captured as they would be in any phishing campaign, but if multi-factor authentication is in place, account access would be prevented. With this phishing kit, however, multi-factor authentication is bypassed.
This is because the phishing kit acts as a proxy between the user and the legitimate service. The phishing kit will log in to the legitimate account using the credentials provided via the phishing site, and the legitimate site will send the MFA request which is relayed to the user. The user then authenticates and the legitimate site returns a session cookie as the MFA check has been passed, and the session cookie is then used by the attacker to access the service as the legitimate user. Access will remain possible for as long as the session cookie remains active.
This month, Microsoft’s Threat Intelligence Team reported that one such phishing kit is being offered by a threat actor it tracks as DEV-1101. The threat actor started offering the kit on hacking forums for just $100 a month as a licensing fee in the summer of 2022, but the huge popularity has seen the price increase to $300 a month, or $1,000 a month for a VIP license. Since the kit allows MFA to be bypassed, it is a small price for a threat actor to pay to guarantee their phishing attempts will be successful. There have been many takers, and the phishing kit has been used for high-volume campaigns that see millions of phishing emails sent each day. One of the campaigns involved more than a million messages in a single campaign.
While MFA can be bypassed, it does not mean that it shouldn’t be implemented. MFA is still an important security control that will block many unauthorized attempts to access accounts. Businesses should also enforce conditional access policies such as whitelisting IP addresses, only permitting compliant devices to log in, and setting up and enforcing geographical restrictions, and all sign-in requests should be evaluated and access continuously monitored for suspicious activity. Advanced anti-phishing measures should be implemented to block the initial phishing email to prevent the click. A web filter is recommended to control the websites that can be accessed by employees, and end-user training is important to help employees identify phishing attempts.
