Multi-factor authentication (MFA) is widely acknowledged as a key defense mechanism in the battle against cyberattacks. Notably, major organizations like Microsoft tout MFA’s effectiveness, claiming it can prevent nearly all automated attacks and significantly reduce identity theft risks compared to password-only security. This effectiveness has led to a broad embrace of MFA, evident in its adoption ranging from individual social media accounts to comprehensive corporate security systems.
MFA operates by requiring multiple forms of user verification, adding layers of protection. However, it’s crucial to realize that no cybersecurity measure is infallible. Despite MFA’s advantages, savvy cybercriminals have developed methods to bypass it, challenging the notion of absolute security in the digital realm.
Techniques hackers use to bypass MFA
Compromising Accounts and Creating New Inbox Rules
Attackers focus on identity-based attacks, including account compromise and access key theft, which account for a significant portion of cybersecurity incidents. After compromising email accounts, attackers often create inbox rules to hide malicious activities. For instance, in Microsoft 365 account takeovers in early 2023, 50% involved new inbox rules that auto-delete or hide certain emails, reducing detection chances.
Registering New MFA Devices in Azure
To maintain access, attackers register new MFA devices in Azure, detected in about 25% of account takeover cases. This method ensures continued access even after the initial breach.
Bypassing MFA through Advanced Techniques
Attackers are increasingly targeting SaaS applications like Okta and M365 by stealing session cookies and launching MFA fatigue attacks. They also use frameworks such as Evilginx2 to steal login credentials and session cookies for initial access and subsequent bypassing of MFA. About 5% of all identity-related incidents involved these advanced MFA bypass techniques.
Establishing Persistent Access
Once attackers access an email account, they often hide evidence of the attack and then register a new MFA device to maintain persistence. To counter these attacks, adopting FIDO2 and certificate-based authentication is recommended. If not feasible, organizations should deploy phish-resistant MFA or opt for push notifications instead of email, SMS, voice, or TOTPs.
The fact that cybercriminals are developing methods to circumvent MFA is troubling. However, bypassing multi-factor authentication typically requires extensive effort. It’s important to recognize that the situation isn’t entirely negative. Organizations have the capability to detect and thwart MFA bypass attempts before they escalate into full-blown breaches. Enhancing cybersecurity strategies is vital, and one effective approach is conducting phishing attack simulations to test and strengthen defenses.