
MFA Under Attack: How Hackers Bypass Multi-Factor Authentication and What You Can Do
Multi-factor authentication (MFA), once considered the gold standard in online security, is increasingly under attack. Threat actors have developed techniques that defeat many widely deployed MFA implementations, leaving users exposed to account compromise and data theft. The rise of adversary-in-the-middle (AiTM) attacks and of phishing kits like SessionShark is making it easier than ever for attackers to circumvent traditional MFA methods.
One of the most prevalent methods for bypassing MFA is adversary-in-the-middle (AiTM) phishing. The attacker runs a reverse proxy between the victim and the legitimate login page: the victim types a password and one-time code into what looks like the real site, the proxy forwards them to the real service in real time, and the proxy keeps the session cookie the service issues once MFA is complete. In 2022 a single group used this technique to steal over 10,000 credentials from 137 organizations, among them the SMS and communications provider Twilio, whose network was compromised as a result. The technique works against older MFA methods, such as one-time passwords (OTPs) and simple push notifications, because the second factor is just one more value the user can be tricked into typing, or approving, on the attacker's page.
Cloudflare, targeted in the same campaign, was not compromised because its employees used hardware security keys implementing the WebAuthn standard. Services using WebAuthn are highly resistant to AiTM attacks because each credential is cryptographically bound to the origin it was registered for: the browser only offers the credential to pages on the relying party's own domain, and it writes the page's real origin into the data the key signs. An assertion produced on a look-alike phishing domain therefore cannot be relayed to the real site, and the login fails.
Another emerging threat is SessionShark O365 2FA/MFA, an AiTM phishing kit built to bypass Microsoft Office 365 MFA protections. Rather than the one-time passcode itself, the kit captures the session token the service issues after the victim completes MFA, so the attacker can reuse it to access the account without being challenged for a code. SessionShark mimics the Office 365 login interface with high fidelity and adapts to various conditions to increase believability. AI further lowers the bar: attackers can replicate brands, logos, sign-in windows, and even CAPTCHAs with little effort.
According to SlashNext, “a successful credential theft still depends on tricking the victim,” and the kit “mimics the Office 365 login interface with high fidelity” to help attackers harvest credentials even from wary users.
SlashNext researchers found the kit for sale on cybercrime networks. SessionShark advertises a range of anti-detection and stealth capabilities meant to maximize the success of phishing campaigns: advanced anti-bot technology, a convincing clone of the legitimate Office 365 page, evasion of threat intelligence feeds, custom scripts and headers, and instant session capture.
So, what can you do to protect yourself? Experts recommend transitioning to passkeys, WebAuthn credentials whose private key lives on the user's phone, computer, or security key rather than in something the user types. WebAuthn-based MFA, cryptographically tied to the origin of the site and to the device holding the key, is a robust defense against AiTM attacks: the signed login response is only valid for the real site, so there is nothing useful for a proxy to relay. Thousands of sites now support WebAuthn, and enrollment is straightforward for most end users.
Microsoft, Google and others are pushing passkeys, which resist AiTM attacks and phishing for the same reason. Avoid signing into accounts through login windows reached via links in emails or messages. Always reach accounts through a trusted route, such as typing the URL directly into the browser or using a bookmark you saved yourself.
The evolving threat landscape demands a proactive approach to security. By understanding the weaknesses of traditional MFA methods and adopting more secure alternatives like WebAuthn and passkeys, you can significantly reduce your risk of falling victim to these increasingly sophisticated attacks. Stay vigilant, and remember that even the most advanced security measures are only as strong as the way they are deployed and used.
What are your thoughts on the future of MFA? Have you encountered any suspicious login attempts recently? Share your experiences and tips in the comments below.