Microsoft Security recently released a report detailing a widely successful phishing attack technique used against more than 10,000 of its customers: a phishing attack that worked even when the customers were using supposedly super secure multi-factor authentication (MFA).
The attack works like this. The potential victim receives a phishing email or web page containing a rogue link. The user believes the request and the link it contains come from a site or service they legitimately interact with. When they click the link, however, they are first redirected to a rogue website, which then passes along (proxies) everything the user does or types to the legitimate site or service the user thought they were going to in the first place. The rogue website that sits eavesdropping between the potential victim and the legitimate website is known as a man-in-the-middle (MitM) proxy website. It can capture anything the user types, including logon name, password, and any manually entered MFA credentials (such as one-time passwords). The MitM proxy site can also capture anything the legitimate website sends back to the user, including personal information and private records.
Critically, the rogue proxy site can also capture the access control token cookie that the legitimate site sends back to the user after a successful logon, whether that logon was performed using a logon name and password, MFA, or biometrics. The access control token cookie is simply a small piece of text sent to the user’s browser containing a session ID, which identifies the user, and their subsequent actions on the site, to the site. It is essentially a ticket that tells the site, “I successfully authenticated and here is my identity.” Any user or browser session presenting the cookie will be treated as the legitimate, authenticated user. It is like a bearer bond in finance. In the attack discussed by Microsoft, the MitM proxy website steals the user’s access control token, takes over the user’s session, and allows malware or the hacker to perform further malicious actions that harm the individual and/or their organization and other online entities.
Not a New Attack
Even though it is not obvious from Microsoft’s article, this is far from a new attack method, although Microsoft gives it its own unique name (i.e., adversary-in-the-middle (AiTM) attack). The author of this article first wrote about this exact type of attack in 1989. KnowBe4 has been covering and presenting on this exact attack method for years, including in several documents located on this portal dedicated to MFA and the various ways it can be hacked and bypassed. KnowBe4’s Chief Hacking Officer, Kevin Mitnick, has been demoing this exact attack for many years as well. Most people who are not aware of this attack method are surprised at just how easy it is to bypass the most popular forms of MFA.
Microsoft is warning its customers that this type of attack can easily bypass MFA because it is seeing a significant rise in successful attacks against its MFA-using customers. This is no surprise: as more and more customers move to MFA, the hackers are simply responding. It is often a surprise to MFA customers that they can be so easily hacked, because Microsoft (and Google and the Cybersecurity and Infrastructure Security Agency, among others) have been telling everyone, incorrectly, that MFA stops 99% of all attacks. It does not.
It is also important to note that it is not just Microsoft’s MFA that is susceptible to MitM proxy attacks. Perhaps 90% to 95% of all MFA can be bypassed using the same method. This means the vast majority of MFA can be bypassed, and its secret logon codes stolen, just as easily as passwords. For this reason, organizations and users should strive to use phishing-resistant MFA whenever possible. There are many different types of MFA solutions that are not susceptible to MitM proxy attacks and which are phishing-resistant. It is unfortunate that most MFA users are not using them. Vendors such as Microsoft and Google (and many others) are working to provide more secure forms of MFA.
If you are interested in an exact list of what MFA is phishing-resistant, here is a list I keep updated as much as possible.
Here are some other previously published articles on phishable MFA written by me:
- Don’t Use Easily Phishable MFA and That’s Most MFA!
- US Government Says to Avoid Phishing-Resistant MFA and Why Is the Majority of Our MFA So Phishable?
In fact, I have an upcoming one-hour webinar entitled “Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant,” where I am going to cover what makes or does not make an MFA solution phishing-resistant, along with the stronger forms of MFA that better protect end users.
Defenses
But what can you do if you already use an MFA solution that is susceptible to phishing and you cannot easily switch to a new, more phishing-resistant form?
Education
Education is the key. Simply teaching users to aggressively inspect every link before they click on it could prevent the majority of phishing attacks, whether they involve MFA or not. Teach your users what a legitimate URL looks like and how to spot rogue links. One way to do that is to recommend that all users watch my Combatting Rogue URL webinar.
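As an added illustration (not from the original post or the webinar) of the link inspection this paragraph recommends, here is a small checker that applies the points usually taught: is it HTTPS, is the host exactly one we trust, is there a deceptive user@ prefix, is the brand name buried inside another domain. The trusted host names are constructed, and the suffix logic is a simplification that does not consult the public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's real logon hosts (assumed names).
TRUSTED_HOSTS = {"login.example.com", "mail.example.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of the host name (e.g. 'evil.test'); fine for .com-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def inspect_link(url: str) -> list[str]:
    """Return the reasons a link looks rogue; an empty list means it is a trusted host over HTTPS."""
    reasons: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://login.example.com@evil.test/ : the browser goes to evil.test
        reasons.append("text before @ is a username, the real host follows it")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (internationalised) host name; may be a look-alike")
    if host in TRUSTED_HOSTS:
        return reasons
    trusted_domains = {registrable_domain(h) for h in TRUSTED_HOSTS}
    brand_words = {d.split(".")[0] for d in trusted_domains}
    if registrable_domain(host) in trusted_domains:
        reasons.append(f"unknown subdomain of a trusted domain: {host}")
    elif any(word in host for word in brand_words):
        # e.g. login.example.com.evil.test or example-verify.com
        reasons.append(f"brand name inside a different domain: {registrable_domain(host)}")
    else:
        reasons.append(f"untrusted host: {host}")
    return reasons
```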
Also, no matter which type of MFA you choose, educate everyone (i.e., buyers, evaluators, implementers, users, senior management, etc.) on the following topics:
- How the particular MFA solution they are using works
- Strengths and weaknesses of the MFA solution
- How to correctly use the MFA solution
- Known successful attacks against the MFA solution
- What to do during rogue attacks (i.e., how to prevent them, how to report the attack, etc.)
You want to defeat MitM proxy attacks? Teach yourself and your co-workers how to spot the rogue URLs that take people to the fake websites in the first place. No other defense works as well. Many vendors and security companies will tell you that using MFA is key to defeating most attacks. This is not true. MFA is good, and everyone should use phishing-resistant MFA where they can to protect valuable data and sites, but preventing users from clicking on bad links works even better. It works whether you are using passwords, MFA, biometrics, or any other form of authentication. Microsoft’s announcement is proof that MFA alone often does not work.