Attackers are increasingly bypassing Microsoft Entra Conditional Access (CA) policies by exploiting token handling flaws, policy misconfigurations, and undocumented endpoint behaviors. In a recent Entra.Chat episode, cybersecurity architect Fabian Bader shared real-world techniques and defenses that every security team should understand.

🚨 Bypass Techniques
* Token Manipulation: Attackers abuse refresh tokens and insecure client IDs (FOCI) to access resources across apps without re-authentication.
* Endpoint Gaps: Some Microsoft Graph and Intune endpoints allow access even when device compliance is enforced elsewhere.
* Exclusion Loopholes: A single app exclusion in a CA policy can unintentionally open access across multiple apps.

Microsoft Defender & Entra Protections
* Continuous Access Evaluation (CAE): Helps revoke access mid-session if risk is detected.
* Defender XDR: Now includes built-in analytics for CA policy changes and risky bypass attempts.
* Graph Activity Logs: Track token usage and app behavior to detect anomalies.

Key Steps for Security Teams
* Enforce MFA without exclusions: Maintain a baseline policy with no app exclusions.
* Use the “What If” tool: Simulate policy behavior to uncover gaps before attackers do.
* Monitor token endpoints: Prefer V2 over V1 for better security and CAE support.
* Audit app permissions: Remove unused or risky client IDs.
* Test with Maester & Token Tactics V2: Validate policy enforcement across scenarios.

Full Video Here: https://lnkd.in/ew9yDv7c
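The "exclusion loophole" and "baseline policy with no app exclusions" points above can be checked mechanically against an export of the tenant's policies. The following is an added example, not code from the post or from Microsoft: it audits policies in the JSON shape returned by the Graph `conditionalAccess/policies` endpoint (the sample policies and the app GUID are constructed placeholders) and flags MFA policies that exclude apps, policies in report-only state, and the absence of a no-exclusion baseline.

```python
"""Audit exported Entra Conditional Access policies for the gaps the post lists."""
import json

# Constructed sample shaped like Microsoft Graph GET /identity/conditionalAccess/policies
# (only the fields audited here); the app GUID is a placeholder, not a real app ID.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-admin"]},
                 "applications": {"includeApplications": ["All"],
                                  "excludeApplications": ["00000000-0000-4000-8000-0000000000aa"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"], "excludeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

def _get(obj, *path):
    """Walk nested dicts, returning None when any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def requires_mfa(policy):
    return "mfa" in (_get(policy, "grantControls", "builtInControls") or [])

def audit_policy(policy):
    """Findings for one policy: not enforced, or an MFA policy that excludes apps."""
    name, state = policy.get("displayName", "<unnamed>"), policy.get("state")
    findings = []
    if state != "enabled":
        findings.append(f"{name}: state is {state!r}, so it is not enforced")
    excluded = _get(policy, "conditions", "applications", "excludeApplications") or []
    if requires_mfa(policy) and excluded:
        findings.append(f"{name}: MFA policy excludes app(s) {excluded}")
    return findings

def has_baseline_mfa(policies):
    """An enabled policy requiring MFA for all users on all apps, with no app exclusions."""
    return any(p.get("state") == "enabled" and requires_mfa(p)
               and _get(p, "conditions", "users", "includeUsers") == ["All"]
               and _get(p, "conditions", "applications", "includeApplications") == ["All"]
               and not _get(p, "conditions", "applications", "excludeApplications")
               for p in policies)

def audit(policies):
    findings = [f for p in policies for f in audit_policy(p)]
    if not has_baseline_mfa(policies):
        findings.append("no enabled MFA baseline policy without app exclusions")
    return findings

def with_no_app_exclusions(policy):
    """The fix the post recommends: a copy of the policy with its app exclusion list cleared."""
    fixed = json.loads(json.dumps(policy))
    fixed.setdefault("conditions", {}).setdefault("applications", {})["excludeApplications"] = []
    return fixed
```

Break-glass user exclusions are left alone on purpose; the post's concern is app exclusions, which let a token obtained for the excluded app be presented to other resources.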
How Attackers Bypass MFA Security
Explore top LinkedIn content from expert professionals.
Summary
Attackers are finding creative ways to bypass multi-factor authentication (MFA) security, using technical flaws, social engineering, and phishing tactics to gain unauthorized access to accounts. MFA is a security process that requires users to provide two or more verification methods—like a password and a code—to confirm their identity, but attackers can still exploit weaknesses in the system.
- Strengthen help desk protocols: Always require multiple layers of identity verification for MFA resets, and train staff to recognize suspicious requests to prevent social engineering attacks.
- Stop sharing codes: Never give out MFA codes over the phone or in response to unexpected emails, and remind your team that legitimate organizations will not request this information.
- Adopt phishing-resistant authentication: Use hardware tokens, biometric methods, or device-based conditional access wherever possible, as these are much harder for attackers to intercept or misuse.
-
Your MFA isn’t broken. Your help desk is. Here’s how attackers are stealing admin access with one phone call:

Most companies think multi-factor authentication keeps them safe. But groups like Scattered Spider don’t need to crack passwords. They bypass security by targeting your weakest link—humans.

Last month, they phoned an IT help desk posing as a CFO. They had the executive’s birthday, last four digits of SSN, and employee ID. The help desk believed them. They reset the MFA and handed over full access.

Within hours, the attackers:
- Logged into the virtual desktop environment
- Shared privileged access with new accounts
- Stole over 1,400 passwords from CyberArk
- Took down a production domain controller
- Deleted Azure security rules to block incident response

Social engineering beat every technical barrier. Why? Because the verification process was built for speed, not security. If one urgent-sounding request breaks your setup, you have no real defense.

Here’s one way to stop it: Start treating identity like infrastructure. Create strict help desk protocols for adding devices, resetting MFA, or handing out employee info. Train staff to verify identity with multiple layers—employee photos, voice verification, known locations. Test it regularly.

If it feels like overkill, remember: all it takes is one convincing call. Don’t let your own team become the entry point.
-
I want to explain an attack that's been getting attention this month, because it challenges something many of us have taken for granted about MFA. The tool is called Evilginx, and it works differently than traditional phishing. Instead of creating a fake login page that harvests your password, it acts as an invisible relay between you and the real website. When you log in, you're actually seeing the genuine Microsoft 365 or Google page—Evilginx is just passing everything through. You enter your password, then your MFA code, and the real site authenticates you. But before that session cookie reaches your browser, Evilginx grabs a copy. That cookie is proof of authentication. Whoever holds it can access the account without needing the password or MFA code again. This matters because the attack happens after MFA does its job. The code verified you were legitimate. The attacker just intercepted the result. FIDO2 security keys and passkeys do solve this—they use cryptographic verification bound to the specific domain, so there's nothing to intercept. But for most SMBs, they're not practical. Hardware keys cost $25-50+ per employee (plus backups), deployment and enrollment create help desk burden, user adoption is a challenge, and not every application supports them yet. The more realistic path for small and mid-sized businesses: conditional access policies for Microsoft 365 or context-aware access for Google Workspace. These let you restrict authentication to approved, managed devices. Even if an attacker steals a session cookie, they can't replay it from their own machine—the policy blocks it. This does mean getting your workstations into Intune or endpoint management, but for most organizations that's a more achievable lift than rolling out hardware keys to every employee. Happy to discuss if anyone wants to dig deeper into what implementation looks like.
-
Tuesday morning last week. CFO calls me, voice shaking. "Someone from our bank just called. Said there was suspicious activity. Asked for our verification codes. We gave them everything." I close my eyes. Take a breath. "That wasn't your bank."

$175,000 gone in 3 minutes. Not because of sophisticated hacking. Not because of advanced malware. Because a voice on the phone sounded convincing.

The attacker's playbook was textbook. Called from a number that looked almost legitimate. Knew enough about the company to sound credible. Created urgency. "We need to verify this immediately to protect your account." First employee gave up their MFA codes. Wasn't enough. Attacker stayed calm. "For security, we need a second authorized user to confirm." Second employee handed over their codes too. By the time they called the real bank, the ACH transfer was already processing.

Here's what kills me: This attack succeeded because we trained people that MFA makes them safe. We didn't train them that MFA codes are like handing someone your house keys. Once they have them, the locks don't matter.

But this story has a twist. The bank's fraud team moved fast. Funds frozen. Recovery in process. Not every business gets this lucky. Here's how to ensure you never need luck:

First: Never Give Codes Over the Phone. Ever. Your bank will NEVER call and ask for your MFA codes. Neither will your credit card company. Or your IT provider. Or anyone legitimate. The moment someone asks, you know it's a scam.

Second: Implement Callback Procedures. Someone calls about your account? Thank them. Hang up. Call the number on your statement or website. Every time. No exceptions. Real representatives understand this. Scammers panic.

Third: Deploy Phishing-Resistant MFA. Not all MFA is created equal. SMS codes? Voice calls? These can be intercepted or socially engineered. Hardware tokens and biometric authentication can't be shared over the phone. Can't be tricked out of you.

Fourth: Train Like Your Business Depends On It. Because it does. Run simulations. Test your people. Make the training memorable. Show them real losses from real businesses. Make it personal. Their job security depends on not falling for these attacks.

A credit union client implemented our phishing-resistant MFA last quarter. Similar attack hit them two weeks ago. Attacker got an employee on the phone. Asked for codes. Employee's response? "Our MFA doesn't work that way. Nice try." Click.

That's the difference between hoping your people remember training and making it impossible for them to fail. Your MFA is only as strong as your weakest human moment. How are you protecting against that?
-
Microsoft warns of new “Payroll Pirate” scam stealing employees’ direct deposits - ArsTechnica Dan Goodin Among other things, the scammers bypass multi-factor authentication. Microsoft is warning of an active scam that diverts employees' paycheck payments to attacker-controlled accounts after first taking over their profiles on Workday or other cloud-based HR services. Payroll Pirate, as Microsoft says the campaign has been dubbed, gains access to victims’ HR portals by sending them phishing emails that trick the recipients into providing their credentials for logging in to the cloud account. The scammers are able to recover multi-factor authentication codes by using adversary-in-the-middle tactics, which work by sitting between the victims and the site they think they’re logging in to, which is, in fact, a fake site operated by the attackers. Not all MFA is created equal The attackers then enter the intercepted credentials, including the MFA code, into the real site. This tactic, which has grown increasingly common in recent years, underscores the importance of adopting FIDO-compliant forms of MFA, which are immune to such attacks. Once inside the employees’ accounts, the scammers make changes to payroll configurations within Workday. The changes cause direct-deposit payments to be diverted from accounts originally chosen by the employee and instead flow to an account controlled by the attackers. #cybersecurity #Workday #Payroll #PayChecks #MFA #FIDO
-
AdvisorDefense: The Silent Persistence of BEC - When Expelling the Attacker Isn’t the End

Business Email Compromise (BEC) remains one of the most devastating cyber threats to organizations worldwide. While many assume that kicking a threat actor out of their systems ends the attack, a recent Invictus Incident Response case proves otherwise. Sometimes, attackers persist even after being expelled.

The Attack: A Sophisticated Adversary-in-the-Middle Tactic
The attack began with a well-crafted phishing email disguised as a Dropbox invoice notification. The recipient, believing it to be legitimate, clicked the ‘View on Dropbox’ button and landed on a fake Dropbox login page. Here’s where the real trouble started:
✅ Credentials Captured – The victim entered their login details.
✅ MFA Compromised – The attacker also captured an MFA code, allowing them to bypass additional security layers.
✅ Persistence Achieved – With access to the email account, the attacker configured eM Client, a third-party email application, enabling them to maintain control even after passwords were reset.
✅ Forwarding Rules Set Up – To further maintain access, they created email forwarding rules, ensuring they could continue monitoring inbox activity unnoticed.

The victim eventually caught on. After 3 weeks, IT stepped in to reset passwords, remove forwarding rules, revoke active sessions, and uninstall eM Client. The attacker was expelled, or so they thought!

The Attack Didn’t End There…
Days later, the attacker leveraged the victim’s email identity in new ways:
🚨 Created a Dropbox account using the victim’s email to send fraudulent invoices to the victim’s contacts.
🚨 Set up a WeTransfer account with the victim’s details to distribute more malicious emails.
🚨 Continued the scam, exploiting the trust associated with the victim’s email.

Key Lessons: BEC Attacks Go Beyond the Inbox
1️⃣ MFA Alone Isn’t Enough – Many assume that MFA stops BEC attacks, but attackers are evolving. Adversary-in-the-middle (AiTM) tactics allow them to steal both credentials and MFA codes in real time.
2️⃣ Expelling an Attacker Doesn't Always Mean the End – Even after revoking access, attackers can reuse stolen identities elsewhere to continue fraud.
3️⃣ Continuous Monitoring – Check for newly created accounts using corporate email domains and implement dark web monitoring to detect compromised credentials.

How to Protect Your Organization from BEC Attacks
🔒 Adopt phishing-resistant MFA solutions.
🔒 Use Conditional Access & Impossible Travel Policies to detect anomalous login activity.
🔒 Regularly review third-party email applications connected to business accounts to spot unauthorized apps.
🔒 Enable DMARC to prevent domain spoofing.
🔒 Educate employees on phishing techniques.

Attackers Are Persistent — Your Defense Should Be Too!

#Cybersecurity #BEC #EmailSecurity #ThreatIntelligence #Microsoft365Security https://lnkd.in/eNZcDd4X
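The forwarding-rule persistence described in this post leaves a trace in the tenant's Exchange audit records, and that is where a defender can catch it before three weeks pass. The following is an added example, not code from the post or from Invictus: it runs a small detection over constructed records that approximate Microsoft 365 Unified Audit Log entries for `New-InboxRule` and `Set-Mailbox` (the domain, addresses and IPs are made up), flagging any rule that forwards mail outside the corporate domain and rating it higher when the rule also hides the forwarded mail.

```python
"""Flag mailbox rule changes matching the BEC persistence pattern described in the post."""
import json

CORP_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}  # used to keep the victim from noticing

# Constructed records approximating Microsoft 365 Unified Audit Log entries for Exchange
# cmdlets (only the fields read below); not real log data.
SAMPLE_RECORDS = [json.loads(line) for line in """
{"CreationTime":"2025-03-03T08:12:41","Operation":"New-InboxRule","UserId":"a.lee@corp.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment"},{"Name":"ForwardTo","Value":"billing@outlook.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-03-03T09:01:05","Operation":"New-InboxRule","UserId":"b.ortiz@corp.example","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"From","Value":"team@corp.example"},{"Name":"MoveToFolder","Value":"Team"}]}
{"CreationTime":"2025-03-04T17:40:22","Operation":"Set-Mailbox","UserId":"c.diaz@corp.example","ClientIP":"192.0.2.9","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:c.diaz.home@mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
""".strip().splitlines()]

def params(record):
    """Turn the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def external_targets(values):
    """Addresses outside CORP_DOMAIN from ';'-separated values (any 'smtp:' prefix stripped)."""
    found = []
    for raw in values:
        for addr in raw.split(";"):
            addr = addr.strip().lower().removeprefix("smtp:")
            if "@" in addr and not addr.endswith("@" + CORP_DOMAIN):
                found.append(addr)
    return found

def assess(record):
    """Return an alert dict for records that forward mail outside the tenant, else None."""
    p = params(record)
    targets = external_targets(v for k, v in p.items() if k in FORWARD_PARAMS)
    if not targets:
        return None
    hides = sorted(k for k in p if k in HIDE_PARAMS)
    # Rules that also delete/move mail or carry a throwaway name such as "." are the
    # classic BEC shape; plain mailbox-level forwarding is still worth a review.
    throwaway_name = len(p.get("Name", "x").strip(". ")) == 0
    severity = "high" if hides or throwaway_name else "medium"
    return {"time": record["CreationTime"], "user": record["UserId"], "client_ip": record.get("ClientIP"),
            "operation": record["Operation"], "forward_to": targets, "hides": hides, "severity": severity}

def scan(records):
    """All alerts, highest severity first."""
    alerts = [a for a in map(assess, records) if a]
    return sorted(alerts, key=lambda a: a["severity"] != "high")
```

The second record, a user filing internal mail into a folder, produces no alert; the same logic can be pointed at an export from Search-UnifiedAuditLog once the records are parsed from its AuditData field.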
-
When we first had the idea behind Abnormal Intelligence, the goal was simple: use Abnormal AI's unique capabilities to find attacks nobody else has seen, then take that research and put it in front of the world. Today's blog post on VENOM just did that. Five months. That's how long this phishing campaign was going after CEOs and CFOs by name before we tracked it down. Not spray-and-pray. Hand-picked. Over 60% of the victims we identified hold C-level, President, or Chairman titles. These are the highest-value targets in any enterprise. But MFA will save you, right? Nope. The platform behind it, VENOM, proxies legitimate Microsoft logins in real time and registers an attacker-controlled MFA device on the victim's account before the browser even finishes redirecting. It also uses Microsoft's own Device Code flow to grab tokens that survive a password reset. Read that again!! This took a cross-functional team and some of the sharpest threat researchers I've ever worked with. Incredibly proud of Piotr Wojtyła, Ryan Devendorf, Callista Hinman Baron, Alexander Blinov, CISA., and Aaron Orchard (I may have annoyed Piotr with how often I asked for status updates on this one.) We've got more threat research dropping soon. This was the first. Link to the blog and full report in comments. If your IR playbook still treats MFA as the last line of defense, fix that. Today.
-
Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (#MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on #cybercriminal forums to actors who may use the information to conduct additional malicious activity. This advisory provides the actors’ tactics, techniques, and procedures (#TTP) and indicators of compromise (#IOC). The information is derived from FBI engagements with entities impacted by this malicious activity. The authoring agencies recommend #criticalinfrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of #authentication.
-
MFA raised the bar. Attackers cleared it.

Tools like Starkiller and Tycoon2FA changed how account takeover works. These kits proxy the real login page, relay credentials and MFA in real time, and capture the authenticated session. Users complete a normal login. Attackers get a valid session.

◢ Where risk is concentrated:
➢ SMS codes and push approvals. These can be proxied during login.
➢ No phishing-resistant MFA for high-risk access. Passkeys and FIDO security keys bind authentication to the actual domain. The login attempt fails when the domain doesn’t match.
➢ Admin accounts treated like standard users. Email admins, finance, and cloud roles have direct paths to data, systems, and money.

◢ What to do next:
➜ Start with privileged access. Move those accounts to passkeys or FIDO security keys. Pair that with tighter app approvals and identity hygiene.
➜ Expand based on risk. MFA still improves security posture. Higher-risk access needs controls that align with how these attacks operate.
➜ Control where authentication can happen. When access is enforced through a managed browser, you can restrict logins to known, legitimate domains and block known proxy infrastructure. That cuts off the path these kits depend on.

◢ Check out this recent piece by Brian Krebs here: https://lnkd.in/g7ShhYu4
◢ Learn more about how to approach browser-level control here: https://port1.io/Island

#Cybersecurity #MFA #PhishingResistant #Passkeys #FIDOSecurityKeys
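Several posts on this page (the Evilginx explanation, the Payroll Pirate article and this one) make the same point: a reverse-proxy kit can relay a password and an OTP, but a FIDO2 credential is bound to the domain the browser is really on. The following added example, not code from any of the posts, shows the relying-party side of that binding in WebAuthn terms: it builds a constructed clientDataJSON and authenticatorData for an assumed relying party `login.corp.example`, then runs the origin, rpIdHash, challenge and user-presence checks an RP performs; the signature check is left out because it needs the credential's public key and does not change the outcome shown.

```python
"""Why a proxied FIDO2/WebAuthn login fails: the browser writes the origin it is really
on into clientDataJSON and the authenticator hashes the relying-party ID into
authenticatorData, so the relying party can reject an assertion made on a look-alike domain."""
import base64, hashlib, json, struct

RP_ID = "login.corp.example"            # assumption: the relying party's domain
RP_ORIGIN = "https://" + RP_ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the browser's clientDataJSON (base64url)."""
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(body).encode())

def make_auth_data(rp_id: str, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) | flags(1, UP set) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", sign_count)

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Binding checks an RP runs before verifying the signature. The signature step is
    left out here: it needs the credential's public key and adds nothing to the point."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "assertion bound to the genuine origin"

def demo():
    """Same challenge relayed two ways: straight from the real site, and through a proxy."""
    challenge = b"\x5a" * 16  # constructed; a real RP draws fresh random bytes per login
    legit = check_assertion(make_client_data(RP_ORIGIN, challenge), make_auth_data(RP_ID, 7), challenge)
    # On the look-alike domain the browser records that origin, and the only RP ID it will let
    # the page use is the look-alike domain itself, so the relayed assertion fails both checks.
    proxied = check_assertion(make_client_data("https://login-corp.example", challenge),
                              make_auth_data("login-corp.example", 7), challenge)
    return legit, proxied
```

In practice the browser refuses the ceremony on the look-alike domain even earlier, because it holds no credential scoped to that domain; the RP-side checks above are the backstop that makes a relayed assertion worthless even if one were produced.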