How does MFA prevent man-in-the-middle (MiTM) phishing attacks?
Man-in-the-middle (MiTM) phishing attacks on multi-factor authentication (MFA) exploit gaps in MFA implementation.
For cybercriminals, the appeal of phishing is simple: it’s reliable. At no cost, attackers can target as many employees as they want to gain access to a user account. It’s a numbers game, and they need only fool a single user.
When that happens – and the overwhelming evidence is that it will – attackers neatly sidestep the expensive firewalls, intrusion detection, and network controls designed to keep them out. This vulnerability explains why multi-factor authentication (MFA) now plays such a fundamental role in account security. With MFA, credentials are no longer enough to gain access. The phishing attacker has to up their game.
Unfortunately, they have. MFA is not a silver bullet against phishing, and attackers have developed techniques, like man-in-the-middle (MiTM) phishing attacks, that can beat some MFA methods. The problem with MFA is that it is really a general principle applied through a series of very different technologies, some of which are inherently more secure than others. While any MFA is better than none, each type of MFA has its quirks and weaknesses, which attackers try to defeat in specific ways.
What is adversary-in-the-middle (AiTM) phishing?
One tactic that’s become increasingly popular is the adversary-in-the-middle attack (AiTM), a type of man-in-the-middle (MiTM) phishing attack designed specifically to overcome MFA. In a conventional phishing attack, the user is lured to a convincing-looking phishing server under the attacker’s control, thereby leaking their credentials or data. AiTM attacks take this a step further. This time, the user is lured to a reverse proxy server where their credentials are passed to the genuine server in real time.
For the attackers, this has several advantages. First, MiTM attacks can be hard to detect; as far as the user and the genuine server are concerned, everything looks normal. Indeed, they are normal. All the rogue server is doing is secretly proxying HTTP packets to and from the client and the genuine server in a way that is almost invisible aside from an unusual URL. But everything is not normal; the attackers have logged into the genuine server and now have access to that account, possibly for days or weeks without detection.
Second and most important of all, the tactic can be used to bypass MFA. The attackers hijack the whole session, including the session cookies set once the MFA login completes. This is not strictly a failure of MFA as such – by hijacking the session cookies, a successful AiTM attack simply skips MFA altogether by making it look like the user authenticated.
Assuming you can steal them, session cookies seem like an obvious way around MFA, but they exist for a good reason. Without them, web users would have to authenticate themselves every time they access a site in a day, which would quickly become exhausting. Saving session cookies is a compromise. The user is only asked to authenticate at defined intervals.
Recent AiTM attacks
Although AiTM isn’t new, attackers now use it on a large scale thanks to phishing-as-a-service platforms. A good example of this is the Business Email Compromise (BEC) attacks targeting an astonishing 10,000 organizations using the Microsoft 365 platform during 2021 and 2022. These campaigns unfolded much as described above: phishing emails led to a spoofed version of the Azure Active Directory (now Microsoft Entra ID) sign-in page, convincing enough to mimic an organization’s branding.
Since then, several other similar campaigns detected by security vendors have underlined that attacking MFA in this way is now a standard part of the phishing criminal’s arsenal. This is why phishing isn’t likely to recede any time soon and why, according to IS Decisions research, phishing and phishing prevention remain among the most searched-for cybersecurity terms.
How to prevent AiTM and MiTM attacks
You can prevent AiTM MFA bypass in several ways. First of all, it’s important to understand that each defense is context specific and might come with caveats.
Careful MFA implementation is key
The first line of defense is to deploy MFA across all accounts. MFA is not perfect, but it is vastly superior to no MFA at all.
Next, educate users about AiTM attacks and how to spot suspicious URLs. This won’t stop every attack, but basic awareness is always a good starting point.
Third, consider deploying different MFA methods for different contexts, for example using tokens for admin accounts. Standard users might receive time-limited push notifications, which use a mobile authentication channel that AiTM attacks can neither access nor reuse. It’s important to deploy push notifications thoughtfully, however, to avoid MFA fatigue attacks.
Finally, seek out MFA that allows granular controls around how and when you prompt users for MFA. This allows admins to monitor and lock down access depending on a variety of conditions, including origin (IP address, country), time of day, session type (VPN, Wi-Fi) and multiple simultaneous logins from one access point.
Additional ways to improve MFA security
Alongside the above, you can also improve MFA security by changing how MFA authentication happens:
Implementing conditional access policies such as IP address and device checking
There is, admittedly, a downside to this approach. It’s specific to only one platform and it’s always possible that some conditions could be spoofed.
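As an added example of the condition-based prompting described here and in the granular-controls point above (illustrative Python, not UserLock’s policy engine or API), this evaluates a login against constructed rules for origin network, country, time of day, session type and concurrent sessions from one access point:

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values for illustration; a real deployment loads these
# from its access-management product rather than hard-coding them.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_COUNTRIES = {"FR", "US"}
WORK_HOURS = range(7, 20)          # 07:00 to 19:59 local time
MAX_SESSIONS_PER_ACCESS_POINT = 1  # one live session per workstation / source IP

@dataclass
class LoginContext:
    user: str
    ip: str               # source address of the logon
    country: str          # ISO 3166 code from IP geolocation
    hour: int             # local hour of day, 0-23
    session_type: str     # "workstation", "wifi", "vpn" or "rdp"
    active_sessions: int  # sessions this user already holds from this access point

def decide(ctx: LoginContext) -> tuple[str, list[str]]:
    """Return ('deny' | 'mfa' | 'allow', reasons) for one logon attempt.

    Hard conditions deny outright. Soft conditions decide whether the user is
    prompted for MFA ('mfa') or recognised as a trusted context ('allow').
    """
    addr = ipaddress.ip_address(ctx.ip)
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny", [f"country {ctx.country} is not allowed"]
    if ctx.active_sessions >= MAX_SESSIONS_PER_ACCESS_POINT:
        return "deny", ["concurrent session already open from this access point"]
    reasons = []
    if not any(addr in net for net in CORPORATE_NETS):
        reasons.append(f"{ctx.ip} is outside the corporate network")
    if ctx.hour not in WORK_HOURS:
        reasons.append(f"logon at {ctx.hour:02d}:00 is outside working hours")
    if ctx.session_type in ("vpn", "rdp"):
        reasons.append(f"{ctx.session_type} sessions always require MFA")
    return ("mfa", reasons) if reasons else ("allow", ["trusted context"])
```

The deny branches are where the “multiple simultaneous logins” and geography conditions bite; everything else only decides whether a prompt is shown.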
Migrating to FIDO2/U2F tokens
These are origin-bound, which means they won’t authenticate if a proxy server is between the user and the genuine site. However, these are expensive and more complex to manage, so admins often save these for privileged accounts.
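To make the origin-binding point concrete, here is an added example (not code from UserLock or any vendor) of the checks a WebAuthn relying party runs on an assertion before verifying the signature. Host names, rpId and challenge are constructed; signature verification is omitted so the block needs only the standard library.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the *browser* builds it: 'origin' is the page the user
    is actually on, not a value the site (or a proxy) can supply."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge), "origin": origin}).encode()

def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Minimal authenticatorData: rpIdHash(32) || flags(1: UP|UV) || signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + sign_count.to_bytes(4, "big")

def signed_payload(auth_data: bytes, client_data: bytes) -> bytes:
    """What the credential's private key signs. Rewriting 'origin' in
    clientDataJSON changes this payload, so the signature no longer verifies."""
    return auth_data + hashlib.sha256(client_data).digest()

def relying_party_checks(rp_id, expected_origin, expected_challenge, client_data, auth_data):
    """Server-side WebAuthn assertion checks. Returns the list of failed checks."""
    cd = json.loads(client_data)
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    if cd.get("origin") != expected_origin:
        failures.append(f"origin: {cd.get('origin')} != {expected_origin}")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("user presence flag")
    return failures

RP_ID, RP_ORIGIN = "login.example.com", "https://login.example.com"
PROXY_HOST = "login.example-com.invalid"  # constructed stand-in for a proxy's host
CHALLENGE = b"\x01" * 32                   # constructed; real challenges are random

def legitimate_login():
    cd = browser_client_data(RP_ORIGIN, CHALLENGE)
    return relying_party_checks(RP_ID, RP_ORIGIN, CHALLENGE, cd, authenticator_data(RP_ID, 7))

def proxied_login():
    # Browser is on the proxy's page, so origin and rpIdHash name the proxy even
    # though the challenge was relayed faithfully from the genuine site.
    cd = browser_client_data("https://" + PROXY_HOST, CHALLENGE)
    return relying_party_checks(RP_ID, RP_ORIGIN, CHALLENGE, cd, authenticator_data(PROXY_HOST, 7))
```

In practice the browser refuses the ceremony even earlier, because the relayed rpId is not a suffix of the proxy's domain; the server-side origin check is the backstop.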
Opting for secure mobile push authentication
This uses a separate channel for authentication the criminals won’t have access to. Keep in mind, it’s important to carefully select and implement secure push authentication to minimize risk of MFA fatigue attacks.
Limiting the lifespan of session cookies
This places limits on their usefulness but also affects MFA usability for genuine users.
Defend against MiTM phishing attacks with UserLock’s granular MFA and access management
It sounds mildly paradoxical; organizations implement MFA to defend accounts from phishing but then find themselves having to defend MFA in turn from AiTM phishing. So, what’s the answer? The solution is that there is no single solution. The key to MFA lies in careful, granular implementation, ideally through an access management solution such as UserLock.
So, here’s the takeaway from AiTM attacks: there is no universal way to apply MFA, just like there is no truly “standard” user. Every user is different, and IT teams need the ability to easily monitor and fine-tune controls assigned to MFA.
MFA is an essential security layer, but it is not set-and-forget.