Attackers Actively Bypassing 2FA

Adversaries are increasingly using adversary-in-the-middle (AiTM) phishing techniques to bypass multi-factor authentication, as highlighted in a recent security podcast. These attacks intercept authentication flows to steal session cookies, rendering traditional 2FA less effective. This trend requires detection engineering to focus on post-authentication anomalies, like impossible travel or unusual user agent strings.

The industrialization of Phishing-as-a-Service (PhaaS) has dramatically lowered the barrier to entry for sophisticated attacks, making AiTM capabilities available to a wider range of threat actors. Toolkits like Tycoon 2FA, EvilProxy, and Modlishka provide ready-made reverse proxy infrastructure that automates the interception of credentials and session tokens, enabling even less-skilled adversaries to bypass MFA. These services often include features to evade detection, such as CAPTCHA challenges and anti-bot measures to filter out analysis by security tools.

From a detection engineering standpoint, identifying AiTM activity requires shifting focus from pre-authentication failures to post-authentication anomalies. One critical use case is detecting "impossible travel," where a user account shows successful logins from geographically distant locations in a timeframe that would be physically impossible. This can be achieved in Splunk by correlating login events, enriching them with geolocation data from IP addresses, and calculating the distance and speed between consecutive logins for each user.

A concrete Splunk SPL query to detect impossible travel can be structured to first baseline user login locations and then identify subsequent logins that exceed a plausible speed threshold. For instance, the query can be set to flag any travel over 900 km/h. This requires ingesting authentication logs (like Azure AD sign-in logs), using the `iplocation` command to get coordinates, and then using the `geodistance` function to calculate the distance between login points for a given user within a specific time window.
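The impossible-travel logic described above, written out as an added example in Python rather than SPL so the arithmetic is explicit; this is not code from the briefing or from any of the toolkits it names. The sign-in events are constructed sample data that stand in for authentication logs already enriched with latitude and longitude (the step `iplocation` would perform in Splunk), the 900 km/h threshold is the one quoted in the text, and the field names (`user`, `time`, `result`, `lat`, `lon`, `ua`) are assumptions chosen for the example. The check uses the haversine great-circle formula, considers only successful sign-ins (the AiTM operator replays a stolen session, so failures are noise here), and records whether the user agent also changed between the two logins, since the text lists unusual user agent strings as a companion signal.

```python
"""Impossible-travel detection over geolocation-enriched sign-in events (added example)."""
import math
from datetime import datetime, timezone
from typing import Dict, List

# Speed above which two consecutive logins are treated as physically implausible.
# 900 km/h is the threshold quoted in the briefing (roughly airliner cruising speed).
MAX_PLAUSIBLE_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0

# Constructed sample events (not real log data). They model sign-in records that have
# already been enriched with coordinates; field names are assumptions for this example.
SAMPLE_EVENTS: List[Dict] = [
    {"user": "alice", "time": "2024-05-01T08:00:00Z", "result": "success",
     "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,      # London
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"},
    {"user": "alice", "time": "2024-05-01T08:45:00Z", "result": "success",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060,     # New York, 45 min later
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125"},
    {"user": "bob", "time": "2024-05-01T09:00:00Z", "result": "success",
     "ip": "192.0.2.44", "lat": 48.8566, "lon": 2.3522,         # Paris
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124"},
    {"user": "bob", "time": "2024-05-01T15:00:00Z", "result": "success",
     "ip": "192.0.2.45", "lat": 52.5200, "lon": 13.4050,        # Berlin, 6 h later: plausible
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124"},
    {"user": "carol", "time": "2024-05-01T10:00:00Z", "result": "failure",
     "ip": "203.0.113.99", "lat": 35.6762, "lon": 139.6503,     # failed attempt, ignored
     "ua": "python-requests/2.31"},
    {"user": "carol", "time": "2024-05-01T10:05:00Z", "result": "success",
     "ip": "203.0.113.50", "lat": -33.8688, "lon": 151.2093,    # only one success: no pair
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events: List[Dict],
                             max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Dict]:
    """Return one alert per pair of consecutive successful logins whose implied speed
    exceeds max_speed_kmh. Identical timestamps at different locations are treated as
    infinite speed; a repeat login from the same place never alerts."""
    by_user: Dict[str, List[Dict]] = {}
    for ev in events:
        if ev["result"] == "success":           # only sessions that actually opened
            by_user.setdefault(ev["user"], []).append(ev)

    alerts: List[Dict] = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(logins, logins[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "from_time": prev["time"], "to_time": cur["time"],
                    "distance_km": round(dist, 1),
                    "speed_kmh": round(speed, 1),
                    # A new user agent on the far-away session is a supporting signal
                    # for a replayed cookie rather than a mis-geolocated legitimate user.
                    "ua_changed": prev["ua"] != cur["ua"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags only `alice` (London to New York in 45 minutes, with a user agent change), while `bob`'s Paris-to-Berlin trip over six hours stays under the threshold and `carol` has no pair of successes to compare. In production the same logic sits on top of geolocation whose accuracy varies (VPN egress points and mobile carrier ranges are the usual sources of false positives), so the threshold and an allowlist of known corporate egress IPs are the two knobs worth tuning before paging anyone.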
