New Adversary in the Middle Platform Circumvents MFA Protections “At Scale”

New Adversary in the Middle Platform Circumvents MFA Protections “At Scale” As Phishing as a Service (PhaaS) kits continue to evolve, news like recent attacks using the Greatness toolkit demonstrate how easy it is for novice attackers to access accounts despite multi-factor authentication (MFA) being enabled.

We’ve seen plenty of adversary-in-the-middle (AiTM) attacks over the years, where the threat actor inserts themselves (in one form or another) into an existing communication, impersonating one of the parties in the communication. But new PhaaS kits, including one dubbed Greatness, has Microsoft Threat Intelligence sounding the alarm about the improvements these kits make in AiTM attacks.

According to coverage of these attacks over at hackernews.com, these new PhaaS kits allow attackers to conduct “high-volume phishing campaigns” with ease. What makes these kits so dangerous is their use of new techniques in credential harvesting attacks to bypass MFA protections using one of two methods:

Proxy servers – when the victim user it presented with an impersonated logon page for a platform like Microsoft 365, the credentials presented are proxied over to the legitimate site and, should MFA be required, the MFA screen is proxied back to the user to provide the needed authentication code.
Synchronous relay servers – In this model, the PhaaS kit is split into two parts; a phishing kit server (that is responsible for presenting the impersonated site to and interact with the user) and a PhaaS synchronous relay server (that does the work of handling the legitimate authentication with the target platform).

Phishing as a Service (PhaaS) kits continue to evolve

In either case, the end result is victims do all the work, providing the needed credentials and secondary forms of authentication, with the PhaaS kits passing these details to the target system and gaining access to the user’s account.

The key here (as with all phishing attacks) is that the user *must* interact with the attack; if the user is vigilant enough – something established through continual security awareness training – they will see the social engineering used in the initial email for the scam it is and never engage this effective AiTM attack.

Get Your Free Phishing Security Resource Kit

Phishing emails increase in volume every month and every year, so we created this free resource kit to help you defend against attacks. Request your kit now to learn phishing mitigation strategies, what new trends and attack vectors you need to be prepared for, and our best advice on how to protect your users and your organization.

Here's what you'll get:

Access to our free on-demand webinar Your Ultimate Guide to Phishing Mitigation featuring Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist

Our most popular phishing whitepaper: Comprehensive Anti-Phishing Guide E-Book

A video that explains How to Avoid Phishing Attacks

Our most recent quarterly infographic on Top-Clicked Phishing Email Subjects Infographic

Posters and digital signage to remind users about what to watch out for