Attackers Actively Bypassing 2FA

Published by The Daily Scout

What happened

Adversaries are increasingly using adversary-in-the-middle (AiTM) phishing techniques to bypass multi-factor authentication, as highlighted in a recent security podcast. These attacks intercept authentication flows to steal session cookies, rendering traditional 2FA less effective. This trend requires detection engineering to focus on post-authentication anomalies, like impossible travel or unusual user agent strings.

Why it matters

The industrialization of Phishing-as-a-Service (PhaaS) has dramatically lowered the barrier to entry for sophisticated attacks, making AiTM capabilities available to a wider range of threat actors. Toolkits like Tycoon 2FA, EvilProxy, and Modlishka provide ready-made reverse proxy infrastructure that automates the interception of credentials and session tokens, enabling even less-skilled adversaries to bypass MFA. These services often include features to evade detection, such as CAPTCHA challenges and anti-bot measures that filter out analysis by security tools.

From a detection engineering standpoint, identifying AiTM activity requires shifting focus from pre-authentication failures to post-authentication anomalies. One critical use case is detecting "impossible travel": a user account shows successful logins from geographically distant locations within a timeframe in which the travel would be physically impossible. In Splunk this can be achieved by correlating login events, enriching them with geolocation data derived from the source IP addresses, and calculating the distance and speed between consecutive logins for each user. A concrete SPL query for this can first baseline each user's login locations and then flag subsequent logins whose implied speed exceeds a plausible threshold, for instance any travel over 900 km/h. This requires ingesting authentication logs (such as Azure AD sign-in logs), using the `iplocation` command to obtain coordinates, and then using the `geodistance` function to calculate the distance between a user's login points within a specific time window.
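The detection logic described above, carried out end to end in plain Python rather than SPL, as an added example that is not code from the briefing or from Splunk. It orders each user's successful sign-ins by time, computes the great-circle distance between consecutive ones, and flags any hop whose implied speed exceeds the 900 km/h threshold quoted in the text. The records are constructed; their field names are loosely modelled on Azure AD sign-in logs, the `success` flag is an assumed simplification, and the latitude/longitude values stand in for what an enrichment step such as Splunk's `iplocation` would supply. The `MIN_DISTANCE_KM` guard against GeoIP jitter is also an added assumption, not something the briefing specifies.

```python
"""Impossible-travel detection over enriched sign-in records.

Added example, not code from the briefing or from Splunk: it reproduces the
logic the text describes (consecutive successful logins per user, geodistance
between them, speed threshold of 900 km/h) so it can be run offline.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
SPEED_THRESHOLD_KMH = 900.0   # threshold quoted in the briefing
# Assumption: hops shorter than this are ignored so that city-level GeoIP
# jitter (same ISP, different point of presence) does not raise alerts.
MIN_DISTANCE_KM = 100.0

# Constructed sample records (field names loosely modelled on Azure AD sign-in
# logs; lat/lon assumed to be pre-enriched). One failed login must be ignored.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "latitude": 40.7128, "longitude": -74.0060, "success": True},   # New York
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "198.51.100.7", "latitude": 51.5074, "longitude": -0.1278, "success": True},    # London, 1 h later
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T20:00:00Z",
     "ipAddress": "198.51.100.99", "latitude": 48.8566, "longitude": 2.3522, "success": True},    # Paris, 11 h later
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "192.0.2.5", "latitude": 52.5200, "longitude": 13.4050, "success": True},       # Berlin
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T08:10:00Z",
     "ipAddress": "192.0.2.200", "latitude": 35.6762, "longitude": 139.6503, "success": False},   # Tokyo, failed
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T08:30:00Z",
     "ipAddress": "192.0.2.6", "latitude": 53.5511, "longitude": 9.9937, "success": True},        # Hamburg, 30 min later
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.50", "latitude": -33.8688, "longitude": 151.2093, "success": True},  # Sydney
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.51", "latitude": 34.0522, "longitude": -118.2437, "success": True},  # Los Angeles, same second
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; the trailing 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS-84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(signins, threshold_kmh=SPEED_THRESHOLD_KMH,
                             min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive pair of successful logins for the same
    user whose implied speed exceeds threshold_kmh. Failed logins never count:
    the anomaly is post-authentication, and a failed attempt proves no travel."""
    by_user = defaultdict(list)
    for rec in signins:
        if rec["success"]:
            by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))  # stable sort
        for prev, cur in zip(recs, recs[1:]):
            dist_km = haversine_km(prev["latitude"], prev["longitude"],
                                   cur["latitude"], cur["longitude"])
            if dist_km < min_distance_km:
                continue
            delta = parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])
            hours = delta.total_seconds() / 3600
            # Two distant logins in the same second: no finite speed explains it.
            speed_kmh = float("inf") if hours == 0 else dist_km / hours
            if speed_kmh > threshold_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ipAddress"],
                    "to_ip": cur["ipAddress"],
                    "distance_km": round(dist_km, 1),
                    "hours": round(hours, 3),
                    "speed_kmh": speed_kmh if speed_kmh == float("inf") else round(speed_kmh, 1),
                })
    return alerts


def run_sample():
    """Run the detector over the constructed sample records."""
    return detect_impossible_travel(SAMPLE_SIGNINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, alice's New York to London hop (about 5570 km in one hour) and carol's two distant logins in the same second are flagged; bob's Berlin to Hamburg hop stays under the threshold at roughly 510 km/h, and his failed login from Tokyo is never considered, which is the point of working from successful, post-authentication events.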

Key numbers

  • For instance, the query can be set to flag any travel over 900 km/h.


