Fresh Thoughts #69: Bypassing Multi-Factor Authentication

Children Whispering.

"I thought we used MFA...
How did they get round that?"
- Anon

Bypassing Multi-Factor Authentication

Being in business is about taking risks.
Launching a new service is a risk.
Going into new markets is a risk.
In business, we accept risks.

What's essential is that we know the risks we are taking...
And which risks we are accepting.

Our blind spots are the risks we accept tacitly - because we don't know any different.
One of those blind spots is likely to be how hackers are currently bypassing multi-factor authentication (MFA).

Cybercriminals Are Bypassing MFA Authentication

The idea behind MFA was to prevent weak or stolen passwords from being used by hackers to break into accounts. However, there was a known weakness when the current generation - using SMS, authenticator apps, etc. - was created.

Suppose a hacker or adversary is positioned to relay all messages between two parties - like a game of Chinese Whispers or telephone. The adversary can capture, steal or manipulate any message they see... including the MFA logins.

Then the adversary can re-use these logins as "proof of authenticity" to effectively steal the identity of one or both parties in the chain.

This is the idea of Adversary-In-The-Middle (AiTM) - a well-known problem first published in 1976.

In March 2023, Microsoft published a blog about a group (tracked as Storm-1101) marketing and selling a framework that simplifies AiTM attacks for cybercriminals - to bypass MFA authentication.

In the same way that businesses adapt their services and features to meet market needs, Storm-1101 offers a range of features to make criminals' lives easier, including:

  • automated setup
  • evading detection using a database of known security services
  • anti-bot CAPTCHAs to keep automated security scanners away from the phishing pages
  • management from mobile devices
  • a wide range of ready-made pages mimicking services such as Microsoft Office or Outlook

These features have proven so popular that Storm-1101 raised the framework's price from $100 monthly in June 2022 to $300 in December. And Microsoft notes that "millions of phishing emails per day" have been sent using this toolkit.

While there's no word on how many accounts have been ultimately compromised, we can safely assume it is a significant number.

How Can We Stop This?

We have a short window to mitigate this risk before it becomes a critical problem.

This AiTM framework is a stand-alone service that hasn't yet become part of the entry-level, highly industrialised phishing services offered to the most inexperienced cybercriminal. But it is only a matter of time before that happens.

Unfortunately, the mitigations are relatively limited.

Firstly, as a pre-emptive, lowest-cost defence, enable Conditional Access in your M365 tenants with appropriate rules. These rules should require that the device used to log in is known to the tenant - not just the person and the MFA code - because a relayed password and one-time code arrive from the adversary's machine, not the user's.
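The following is an added illustration, not code from this newsletter or from Microsoft. It models the AiTM chain described above and the known-device rule suggested in this paragraph with a toy identity provider: the victim types a password and a fresh authenticator code into a relay page, the relay forwards both to the real provider from its own host, and the provider checks the code with a standard RFC 6238 TOTP routine. With a one-time code alone the relayed login is indistinguishable from a genuine one; once the provider also requires a device it already knows, the same relayed login is refused. The user name, password, device identifiers and fixed clock value are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme common authenticator apps use."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class IdentityProvider:
    """Toy identity provider (constructed model; not any vendor's implementation)."""

    def __init__(self, require_known_device: bool = False):
        self.require_known_device = require_known_device
        self.users = {}      # upn -> password, TOTP secret, set of known device ids
        self.sessions = {}   # session token -> upn

    def register(self, upn: str, password: str, device_id: str) -> bytes:
        secret = secrets.token_bytes(20)
        self.users[upn] = {"password": password, "totp_secret": secret,
                           "known_devices": {device_id}}
        return secret

    def login(self, upn: str, password: str, otp: str, device_id: str,
              at: Optional[int] = None) -> Optional[str]:
        user = self.users.get(upn)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        # The OTP proves only that *someone* holds a fresh code; it says nothing
        # about who typed it or which machine is sending this request.
        if not hmac.compare_digest(totp(user["totp_secret"], at), otp):
            return None
        # This is the extra factor a known-device Conditional Access rule adds:
        # the request must come from a device the tenant already knows.
        if self.require_known_device and device_id not in user["known_devices"]:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = upn
        return token


def relayed_login_succeeds(require_known_device: bool) -> bool:
    """Model the AiTM chain: the victim enters password + OTP into a relay page and
    the relay forwards them, unchanged, to the real provider from its own host."""
    idp = IdentityProvider(require_known_device)
    secret = idp.register("alice@example.test", "correct horse", device_id="alice-laptop")
    now = 1_700_000_000  # fixed clock so the code stays inside one 30 s window
    code_typed_by_victim = totp(secret, now)  # produced by Alice's authenticator app
    token = idp.login("alice@example.test", "correct horse", code_typed_by_victim,
                      device_id="relay-host", at=now)
    return token is not None


def genuine_login_succeeds(require_known_device: bool) -> bool:
    """Same user, same code, but the request comes from Alice's own registered device."""
    idp = IdentityProvider(require_known_device)
    secret = idp.register("alice@example.test", "correct horse", device_id="alice-laptop")
    now = 1_700_000_000
    token = idp.login("alice@example.test", "correct horse", totp(secret, now),
                      device_id="alice-laptop", at=now)
    return token is not None


if __name__ == "__main__":
    print("OTP only, relayed login accepted:", relayed_login_succeeds(False))
    print("OTP + known device, relayed login accepted:", relayed_login_succeeds(True))
    print("OTP + known device, genuine login accepted:", genuine_login_succeeds(True))
```

The point the model makes is that the second factor is being verified correctly in both runs; what changes the outcome is binding the login to something the relay cannot supply, which is exactly what a known-device rule does.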

Secondly, monitor phishing attempts and anomalous logins from unknown devices. This will eventually be a straightforward task, but cybersecurity teams must be alert for the next few years.
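As an added example of the monitoring this paragraph recommends (not code from the newsletter or from any vendor), the script below runs a simple rule over a handful of constructed sign-in records: a successful sign-in that satisfied MFA but came from a device the user is not known to own is flagged, and the alert is strengthened if it follows a known-device sign-in for the same user from a different IP address within the hour, which is the pattern a relayed login would leave. The record layout, user names, IP addresses and device identifiers are simplified and invented for the example and do not match any product's exact log schema.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sign-in records in the spirit of an M365 sign-in log.
# Field names are a simplification for this example, not a real schema.
SIGN_INS = [
    {"time": "2023-06-05T08:02:11Z", "user": "alice@example.test", "ip": "203.0.113.10",
     "device_id": "alice-laptop", "mfa": "satisfied", "result": "success"},
    {"time": "2023-06-05T08:40:03Z", "user": "alice@example.test", "ip": "198.51.100.77",
     "device_id": "", "mfa": "satisfied", "result": "success"},
    {"time": "2023-06-05T09:15:44Z", "user": "bob@example.test", "ip": "203.0.113.11",
     "device_id": "bob-desktop", "mfa": "satisfied", "result": "success"},
    {"time": "2023-06-05T09:16:02Z", "user": "bob@example.test", "ip": "203.0.113.11",
     "device_id": "bob-desktop", "mfa": "not_required", "result": "failure"},
    {"time": "2023-06-05T10:30:00Z", "user": "carol@example.test", "ip": "192.0.2.5",
     "device_id": "", "mfa": "satisfied", "result": "success"},
]

# Constructed baseline of devices each user is known to sign in from.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice@example.test": {"alice-laptop"},
    "bob@example.test": {"bob-desktop"},
    "carol@example.test": set(),
}


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_suspicious_signins(sign_ins: List[dict], known_devices: Dict[str, Set[str]],
                            window: timedelta = timedelta(hours=1)) -> List[dict]:
    """Return alerts for MFA-satisfied sign-ins from devices not in the user's baseline."""
    alerts = []
    last_known_signin: Dict[str, dict] = {}
    for rec in sorted(sign_ins, key=lambda r: r["time"]):
        # Failed or single-factor sign-ins are handled by other rules; the AiTM
        # pattern is a *successful* sign-in that passed MFA.
        if rec["result"] != "success" or rec["mfa"] != "satisfied":
            continue
        user = rec["user"]
        device = rec["device_id"]
        if device and device in known_devices.get(user, set()):
            last_known_signin[user] = rec
            continue
        reasons = ["mfa_success_from_unknown_device"]
        prev = last_known_signin.get(user)
        if (prev is not None and prev["ip"] != rec["ip"]
                and parse_time(rec["time"]) - parse_time(prev["time"]) <= window):
            reasons.append("second_ip_shortly_after_known_device_signin")
        alerts.append({"time": rec["time"], "user": user, "ip": rec["ip"],
                       "device_id": device or "<none>", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_signins(SIGN_INS, KNOWN_DEVICES):
        print(f"{alert['time']} {alert['user']} from {alert['ip']} "
              f"(device {alert['device_id']}): {', '.join(alert['reasons'])}")
```

In real tenants the device baseline would come from the device registry rather than a hard-coded dictionary, and the second rule would normally compare network location or ASN rather than raw IP addresses, but the shape of the check is the same: treat "MFA passed" as necessary, not sufficient, and look at where the session actually came from.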

June 6, 2023
2 Minutes Read

Fresh Sec Limited