One of the most common ways threat actors gain access to systems and execute data breaches or ransomware starts with account takeover (ATO). This often occurs by acquiring login credentials through phishing campaigns, infecting machines with malicious software or buying stolen credentials on underground markets. With a username and password, malicious hackers may be able to log in just as a user would and take over their account.
However, online accounts often have multifactor authentication (MFA) enabled. A user needs to present not only valid credentials, but also another factor — something they have, such as a hardware security key; something they know, such as a time-sensitive one-time passcode (OTP); or proof of who they are, such as a biometric identifier. This additional hurdle has posed a problem for cybercriminals and has successfully thwarted ATO attempts. But while MFA should be used by all organizations, malicious hackers have developed various techniques to bypass it, and these techniques make it increasingly difficult for enterprises to stop intrusions. In this blog post, we will describe some of the techniques Intel 471 has seen attackers use to bypass MFA.
In 2022, high-volume SMS phishing (smishing) campaigns appeared that mimicked single sign-on, virtual private network (VPN), help desk and other types of login portals in a campaign known as 0ktapus. These phishing links used domains that mimicked legitimate ones, such as “sso.companyname.com” or “helpdesk.companyname.io.” At a glance, this style of formatting proved convincing enough to snare users. Additionally, phishing links sent to mobile devices may come under less scrutiny. Attackers may also employ techniques such as crafting urgent messages to get victims’ attention in the moment.
In one simple example, a user would click the link and be directed to a fake login portal asking for a username and password and then for the MFA code. This information is collected, sent to a service controlled by the attackers and replayed shortly thereafter before users or organizations detect abnormalities that might indicate an attack. Certain groups, such as those in the Com sphere of threat actors — including LAPSUS$ and Scattered Spider — are known for using this MFA bypass for initial access.
The image depicts a phishing login page captured Feb. 7, 2025, resembling the Citrix Gateway login interface that requests an MFA code.
Defense: The ease with which login credentials can be stolen in phishing schemes and by malware has made them a significant attack vector. The most reliable defense is moving to phishing-resistant authentication using the Fast Identity Online 2 (FIDO2) and WebAuthn standards, which eliminate passwords and instead use public key cryptography for authentication. When someone signs in, the public key is presented to a service and the service provider presents a challenge that is locally signed by the private key. The private key is never shared with the service provider, so there is nothing for attackers to capture and replay. The passkeys themselves are only accessible on the device on which they were created, typically protected by biometric authentication or a personal identification number (PIN). These standards have also been incorporated into hardware security keys, such as YubiKeys, which are widely used as a second factor for strong, phishing-resistant authentication. Absent phishing-resistant authentication, password managers offer a weaker but useful protection for login credentials, since they will not fill credentials on a domain that does not match the one they were saved for.
Some service providers still send MFA codes via SMS, although this delivery method is discouraged because of SIM swapping, also called SIM hijacking. This attack involves convincing a telecommunications provider to assign a phone number to a new or different SIM card. With the number reassigned, the malicious hacker will receive any MFA codes or password reset links and can then proceed to take over accounts. This style of attack is particularly favored by threat actors who target cryptocurrency accounts. As the frequency of these attacks ticked up, telecommunications providers strengthened their security controls to prevent SMS hijacking. In November 2023, the U.S. Federal Communications Commission (FCC) announced new regulations requiring mobile carriers to adopt robust and secure authentication processes prior to transferring a customer’s phone number to a different device or service provider. This technique is still used but is becoming more difficult.
Defense: There are several defenses. Many telecommunications operators offer a security control that involves adding a PIN to the account that must be relayed to an employee when requesting a number port, although this PIN could be phished. It may also be possible to only allow SIM changes in person in an operator’s store, although some SIM hijacks have been accomplished by hiring accomplices to go into the store with fake identification documents.
An assortment of physical SIM cards.
A prudent defensive measure is to ensure all sensitive online accounts do not send MFA codes over SMS. If possible, convert those accounts to authenticator apps that generate OTPs. Another measure is to check how a particular online service does password resets and disallow any method that involves sending a password reset link via SMS.
Authentication processes have been streamlined so users don’t necessarily have to take the extra effort of opening a separate application to retrieve the MFA code. Instead, a user receives a notification on their device asking them to tap a software button to approve a login. This process saves time and streamlines authentication, particularly for sensitive applications whose session tokens may be configured to regularly time out and require frequent re-authentication.
But threat actors realized this is a potential weakness. If a victim’s login credentials are stolen and entered into a service, the victim receives a push notification to approve the login. If the attempts are timed so that these notifications arrive in the middle of the night, the victim might absent-mindedly approve the login. Bombarding users with notifications, known as MFA bombing or MFA spamming, has proven an effective technique for gaining login approval.
Defense: Organizations should closely evaluate whether enabling push notifications is worth the increased risks. If the answer is yes, it means other security measures will have to be relied on to pick up the slack and detect anomalous logins using valid credentials. That could include behavioral characteristics, such as a user logging in outside the person’s normal working patterns or from an IP address in an abnormal location, or that the login event is coming from an unrecognized device. Some of those data points, however, could be unreliable if more sophisticated attackers seek to mimic them, such as by using residential proxies.
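The behavioral detection described above can be expressed as a simple rule over sign-in logs. The following is an added example written for this post, not an Intel 471 or vendor detection rule; the log format, user names, IP addresses and the 07:00–19:00 UTC "working hours" baseline are all constructed. It flags a burst of push prompts for one user, an approval that follows such a burst, and approvals outside the baseline hours.

```python
"""Detect MFA push bombing over sign-in log lines (added example; the log
format, users, IPs and working-hours baseline are constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: an attacker holding valid credentials triggers repeated
# push prompts at night until jdoe approves one; asmith is a normal daytime login.
SAMPLE_LOG = """\
2025-02-07T02:13:05Z user=jdoe event=push_sent ip=203.0.113.10
2025-02-07T02:13:41Z user=jdoe event=push_denied ip=203.0.113.10
2025-02-07T02:14:02Z user=jdoe event=push_sent ip=203.0.113.10
2025-02-07T02:14:30Z user=jdoe event=push_sent ip=203.0.113.10
2025-02-07T02:15:03Z user=jdoe event=push_sent ip=203.0.113.10
2025-02-07T02:15:48Z user=jdoe event=push_approved ip=203.0.113.10
2025-02-07T09:02:11Z user=asmith event=push_sent ip=198.51.100.7
2025-02-07T09:02:25Z user=asmith event=push_approved ip=198.51.100.7
"""

BURST_THRESHOLD = 3        # push prompts ...
BURST_WINDOW_S = 300       # ... within this many seconds count as a burst
WORK_HOURS = range(7, 19)  # constructed baseline of normal UTC login hours


def parse_line(line):
    """Turn '<iso-ts> key=value ...' into a dict with a tz-aware timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_push_bombing(log_text):
    """Return (finding, user, timestamp, ip) tuples in chronological order."""
    findings = []
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    burst_at = {}                 # user -> time at which a burst was first detected
    records = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                     key=lambda r: r["ts"])
    for rec in records:
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == "push_sent":
            window = recent[user]
            window.append(ts)
            while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and user not in burst_at:
                burst_at[user] = ts
                findings.append(("push_burst", user, ts, rec["ip"]))
        elif event == "push_approved":
            # An approval shortly after a burst is the MFA-bombing success case.
            if user in burst_at and (ts - burst_at[user]).total_seconds() <= BURST_WINDOW_S:
                findings.append(("approval_after_burst", user, ts, rec["ip"]))
            if ts.hour not in WORK_HOURS:
                findings.append(("off_hours_approval", user, ts, rec["ip"]))
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG):
        print(finding)
```

The burst rule alone is noisy (a user who mistypes a password a few times will trip it), so the approval-after-burst finding is the one worth paging on; the off-hours signal is a weaker corroborating indicator, and as the post notes, source-IP signals can be gamed by attackers using residential proxies.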
This is one of the most powerful MFA bypasses. Because phishing is a highly effective way to capture personal information, financial data and credentials, attackers have invested resources in consistently improving it. One of those developments has been adversary-in-the-middle (AITM) campaigns, where the threat actor's phishing infrastructure sits between victims and legitimate services. Once a user enters their credentials and MFA token or code, that information is funneled to the service provider, which returns a session token or cookie. This type of phishing infrastructure has been distilled into phishing kits sold in the cybercriminal underground, and also into open source, education-oriented red team projects such as Evilginx2.
An image showing Evilginx2 phishing kits capturing login credentials during a mock phishing attack. (Source: Evilginx via GitHub).
Session tokens or cookies are small data files stored in the browser that enable various functions such as staying logged in to a service or remembering certain preferences. The phishing server is essentially a reverse proxy that collects the session token after it is sent from the service provider to the user. The token is like a golden key and can be reused in a browser for immediate access. In other words, neither credentials nor an MFA code would be needed to continue accessing someone’s account as long as the token has not expired.
Defense: As mentioned before, employing phishing-resistant authentication or password managers would thwart this attack because the attackers would never receive valid credentials to pass on to the service provider in the first place. If this does unfortunately occur, organizations are left to try to detect unauthorized access through other signals, such as IP location, use of Tor or VPNs favored by threat actors, or abnormal resource usage such as exfiltration of large amounts of data.
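One concrete form of the post-compromise detection mentioned above is to watch for a single session cookie being presented by a second, different client. The example below is added here and is not Intel 471's or any vendor's code; the session IDs, IP addresses, user agents and the anonymizer network list are constructed stand-ins (a real deployment would feed it a Tor exit or VPN range feed).

```python
"""Detect a captured session cookie being reused from a second client
(added example; log format, session ids, IPs and the anonymizer list are constructed)."""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: jdoe's normal browser, then the same session cookie
# presented minutes later from a different network and a different browser.
SAMPLE_LOG = """\
2025-02-07T10:00:03Z sid=7f3a user=jdoe ip=198.51.100.7 ua="Chrome/122 Windows"
2025-02-07T10:04:10Z sid=7f3a user=jdoe ip=198.51.100.7 ua="Chrome/122 Windows"
2025-02-07T10:09:27Z sid=7f3a user=jdoe ip=192.0.2.44 ua="Firefox/123 Linux"
2025-02-07T10:10:00Z sid=b21c user=asmith ip=203.0.113.5 ua="Safari/17 macOS"
"""

# Constructed stand-in for a feed of Tor exit nodes / VPN egress ranges.
ANONYMIZER_NETS = [ip_network("192.0.2.0/24")]


def parse_line(line):
    """shlex handles the quoted user-agent field; everything else is key=value."""
    ts, *fields = shlex.split(line)
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def detect_session_reuse(log_text):
    """Return (finding, session_id, user, ip) tuples.

    Reuse is only flagged when BOTH the IP and the user agent differ from the
    client that first used the session: a laptop moving between networks changes
    its IP but not its browser, so requiring both keeps false positives down.
    """
    first_client = {}   # sid -> (ip, user agent) that first presented the cookie
    findings = []
    for rec in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        sid, ip, ua = rec["sid"], rec["ip"], rec["ua"]
        if any(ip_address(ip) in net for net in ANONYMIZER_NETS):
            findings.append(("session_from_anonymizer", sid, rec["user"], ip))
        if sid not in first_client:
            first_client[sid] = (ip, ua)
            continue
        first_ip, first_ua = first_client[sid]
        if ip != first_ip and ua != first_ua:
            findings.append(("session_reuse_new_client", sid, rec["user"], ip))
    return findings


if __name__ == "__main__":
    for finding in detect_session_reuse(SAMPLE_LOG):
        print(finding)
```

Either finding on its own is a reason to revoke the session server-side and force re-authentication; the two together on the same session ID are a strong indicator of the token replay described above.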
This is another extremely powerful MFA bypass. OAuth is an authorization protocol for allowing a third party access to data or systems without revealing the credentials of the requesting party. This is accomplished by granting OAuth tokens to the third party, which allow continued access until the token expires or is revoked. But if captured by attackers, these tokens can be used to access the service and bypass MFA.
One of the most recent examples was the theft of OAuth tokens from the customer relationship management vendor Salesloft. Salesloft offers the artificial intelligence (AI)-powered chatbot Drift that is deployed on customer-facing webpages, collecting customer information and inquiries. Drift can then send that information to a company’s Salesforce instance or email systems where sales teams can act on leads. Drift was authorized to do that via OAuth tokens. An attacker compromised Drift’s Amazon Web Services (AWS) environment, stole the tokens and then eventually exfiltrated large amounts of data from Salesforce instances.
Defense: OAuth “bearer” tokens must be securely stored because leaked or stolen ones can be used to access the resource the token authorizes. The problem has been likened to a hotel room keycard — whoever holds it can open the door. This problem has a solution: Demonstrating Proof of Possession (DPoP), which is an OAuth 2.0 specification. It binds an OAuth token to a public key assigned to a specific client and requires that client to have the corresponding private key to use the token. Otherwise, authorization is denied. These types of tokens are referred to as “sender-constrained” tokens. Adoption of DPoP is growing, with vendors such as Microsoft, Okta and IBM offering support.
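Both the FIDO2/WebAuthn defense described earlier and DPoP rest on the same idea: the server checks that the presenter actually holds a private key, and binds what is signed to the context (origin or endpoint), so a captured credential or token is useless on its own. The example below is added here for illustration and is not Intel 471's, the OpenID Foundation's or any vendor's code. It models both checks in one script: a WebAuthn-style assertion that a lookalike domain cannot obtain and a DPoP-bound access token (RFC 9449, simplified: the `ath` claim and JWT encoding are omitted) that a thief without the client's private key cannot use. The relying party `companyname.com`, the API URL, the user names and the key pairs are constructed; the tiny RSA-over-Mersenne-prime signer stands in for the ES256 keys real authenticators and DPoP clients use and must not be used for anything real.

```python
"""Toy proof-of-possession checks: WebAuthn-style assertion bound to the rpId,
and a DPoP sender-constrained OAuth token. Constructed example; hosts, URLs,
keys and users are invented."""
import hashlib
import json
import secrets

# Toy RSA over fixed Mersenne primes (far too small for real use) stands in for
# the ES256 keys real authenticators and DPoP clients hold.
E = 65537

def keypair(p, q):
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

USER_PUB, USER_PRIV = keypair(2**61 - 1, 2**89 - 1)            # user's device key
ATTACKER_PUB, ATTACKER_PRIV = keypair(2**107 - 1, 2**127 - 1)  # attacker's own key

# ---- 1. WebAuthn-style assertion: credential and signature are scoped to the rpId ----
RP_ID = "companyname.com"                       # constructed relying party
EXPECTED_ORIGIN = "https://sso.companyname.com"
AUTHENTICATOR = {RP_ID: USER_PRIV}              # authenticator stores one key per rpId

def browser_get_assertion(page_origin, rp_id, challenge):
    """Browser + authenticator model: the browser refuses an rpId that is not the
    page's host or a parent of it and records the real origin in clientData; the
    authenticator signs over the rpId hash plus the clientData hash."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                             # lookalike domain fails here
    priv = AUTHENTICATOR.get(rp_id)
    if priv is None:
        return None                             # no credential for this rpId
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash; flags/counter omitted
    sig = sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify_assertion(assertion, challenge, pub):
    """Relying-party checks reduced to the ones that defeat a relayed login."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd["type"] != "webauthn.get" or cd["challenge"] != challenge:
        return False
    if cd["origin"] != EXPECTED_ORIGIN:         # signed on another origin: rejected
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return verify(pub, signed, assertion["signature"])

def webauthn_login(page_origin):
    challenge = secrets.token_hex(16)           # fresh, single-use per ceremony
    assertion = browser_get_assertion(page_origin, RP_ID, challenge)
    return rp_verify_assertion(assertion, challenge, USER_PUB)

# ---- 2. DPoP: the access token names the client key it is bound to (cnf.jkt) ----
API_URL = "https://api.companyname.com/leads"   # constructed resource endpoint

def jwk_thumbprint(pub):                        # simplified RFC 7638-style thumbprint
    return hashlib.sha256(json.dumps(pub, sort_keys=True).encode()).hexdigest()

ACCESS_TOKEN = {"sub": "jdoe", "scope": "crm.read", "cnf": {"jkt": jwk_thumbprint(USER_PUB)}}
SEEN_JTI = set()                                # resource server's replay cache

def make_dpop_proof(pub, priv, method, url, now):
    body = {"jwk": pub, "htm": method, "htu": url, "iat": now, "jti": secrets.token_hex(8)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "signature": sign(priv, payload)}

def resource_server_accepts(token, proof, method, url, now, max_age=60):
    body = json.loads(proof["payload"])
    if not verify(body["jwk"], proof["payload"], proof["signature"]):
        return False                            # proof not signed by the embedded key
    if jwk_thumbprint(body["jwk"]) != token["cnf"]["jkt"]:
        return False                            # presenter lacks the key the token is bound to
    if body["htm"] != method or body["htu"] != url or not (now - max_age <= body["iat"] <= now):
        return False                            # wrong endpoint or stale proof
    if body["jti"] in SEEN_JTI:
        return False                            # replayed proof
    SEEN_JTI.add(body["jti"])
    return True

def legitimate_call(now=1_700_000_000):
    proof = make_dpop_proof(USER_PUB, USER_PRIV, "GET", API_URL, now)
    return resource_server_accepts(ACCESS_TOKEN, proof, "GET", API_URL, now)

def stolen_token_call(now=1_700_000_000):
    """Thief holds the stolen token but only their own key pair."""
    proof = make_dpop_proof(ATTACKER_PUB, ATTACKER_PRIV, "GET", API_URL, now)
    return resource_server_accepts(ACCESS_TOKEN, proof, "GET", API_URL, now)

def replay_is_rejected(now=1_700_000_000):
    """A captured token + proof pair presented twice: second use must fail."""
    proof = make_dpop_proof(USER_PUB, USER_PRIV, "GET", API_URL, now)
    first = resource_server_accepts(ACCESS_TOKEN, proof, "GET", API_URL, now)
    return first and not resource_server_accepts(ACCESS_TOKEN, proof, "GET", API_URL, now)
```

The two halves fail the attacker at different points: in the WebAuthn ceremony the browser never produces a usable assertion for a host outside the relying party's domain, and even a relayed one carries the wrong origin; with DPoP the stolen bearer token still reaches the API, but the proof's key thumbprint does not match `cnf.jkt`, and a captured proof cannot be replayed because of the `jti` cache and the `iat` freshness window.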
The OpenID Foundation has an initiative called Interoperability Profile for Secure Identity in the Enterprise (IPSIE). The project is developing new standards to improve the security around software-as-a-service (SaaS) apps. IPSIE’s focus areas are around single sign-on, user lifecycle management, entitlements, sharing risk signals between SaaS apps, “universal” logout features and OAuth token revocation. This would allow administrators to have more control over access to SaaS applications and what should happen in certain security scenarios.
Intel 471’s Adversary and Malware Intelligence teams closely follow how threat actors develop new tactics, techniques and procedures (TTPs) for bypassing MFA. This encompasses how they gain initial access, how they collect and misuse credentials, and technical analysis of phishing and AITM phishing kits. For more information, please contact us.