Multifactor authentication is one of the best cybersecurity solutions you can utilize, but MFA is not invincible. Bleeping Computer reports on a new phishing attack that allows the cybercriminal to bypass your MFA. This new attack was identified and researched by Sekoia analysts. These attacks are focusing on both Microsoft 365 and Gmail, so most people need to pay attention and really scrutinize phishy looking emails.

The methodology of attack

This attack starts with a malicious phishing email with a fraudulent link. The link takes the end user  to a security challenge page to ensure only real end users and once passed they are taken to a malicious phishing website. The end user is none the wiser and continues on while the link takes background data from email to create a customized phishing attack on that particular end user. End users are then redirected to another page on the phishing site. Once redirected the end user will be taken to a fake login page asking for credentials. The end user will enter their credential and that information will be used against them when the MFA challenge occurs. Lastly, after the MFA challenge has been bypassed, the end user will be directed again to a fake website that appears to be genuine.

Bleeping Computer simplifies the steps for us:

  • Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
  • Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
  • Stage 2 – Background scripts extract the victim’s email from the URL to customize the phishing attack.
  • Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
  • Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
  • Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
  • Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack’s success.

Defense in depth

You may be asking yourself, “Well if MFA can be beat, what chances do I have?” It is important to remember MFA is not invincible and like all things cybersecurity the answer is defense in depth. This means you are not relying on one single protection point, in this case MFA alone, to protect you.

While having MFA is one of the best ways to ensure unauthorized access to your accounts is drastically reduced, it is also important to ensure your email services are configured to prevent malicious emails from hitting your inbox to begin with. Even with the proper configurations and solutions, sometimes these phishing emails still get through. This is where your firewall and/or endpoint security solution can play its role. In this particular case, Sekoia has published the known malicious URLs. This means you can block those URLs from being accessed on your network or devices. Lastly, train your end users about identifying phishing emails and the importance of reporting those emails. All of these are what makes defense in depth.

Although MFA is not invincible, it’s still highly recommended as one of the best solutions to implement!

Subscribe to our monthly email newsletter to keep your small business up-to-date on all the latest cybersecurity news! For more information on protecting your small business from cyberattacks and other cybersecurity topics check out Small Business, Big Threat!