May 16

Multifactor Authentication Bypass Phishing Kits on the Rise

SaaS providers like Google and Microsoft 365 have significantly advanced cybersecurity measures by integrating Multi-Factor Authentication (MFA) as the default user experience (for ex, see here). This extra layer of protection has fortified user accounts against unauthorized access and data breaches. However, as MFA adoption rises, so do the stakes for cyber attackers. Malicious actors are increasingly targeting MFA systems with adversary-in-the-middle phishing kits (see here and here) designed to spoof Microsoft365 and Google accounts.

The adversary-in-the-middle phishing architecture. Source: Proofpoint

These kits are now offered as part of a business model that allows even less technically skilled actors to launch sophisticated attacks, providing all the infrastructure necessary to send professionally looking phishing messages, host lookalike web pages and harvest credentials - all for a daily or monthly subscription fee.

In its recent blog post, Proofpoint is detailing a phishing kit provider known since 2023, called Tycoon 2FA, which is now releasing an updated version of its kit. The group behind Tycoon 2FA sells ready-to-use phishing pages for Microsoft 365 and Gmail via Telegram, with prices starting at $120 for 10 days of access to the service.

Phishing the MS365 MFA experience: looks the same, but the web url is NOT microsoft.com

Tycoon 2FA relies on attacker-controlled infrastructure to host the phishing webpage. Through the use of a “reverse proxy,” the platform allows the interception of victims’ entered credentials. The credentials are then relayed to the legitimate service for a transparent, successful login, prompting MFA requests. The resulting session cookies are relayed back to the threat actors, who can use them to act as the phished user within the infrastructure, including changing passwords, exfiltrating data, reading or sending emails, etc.

Multifactor authentication on Google services through a "third party". Notice the fake url in the browser bar. Source: Evilginx

The look-and-feel i.e. the victim experience looks every bit the same (including MFA prompts!) as a legitimate process when accessing MS365 or Google services. The user is in fact logging into the service, but through the attacker controlled servers.

For a practical illustration how MFA bypass looks like, see the Evilginx framework in action here.

Phishing MFA with Adversary-in-the-Middle (AitM) technique. Source: Microsoft

MFA bypass phishing kits have been around since years already (for ex. EvilProxy), but are now developing fast from a commercial standpoint, acting as software-as-a-service businesses monetizing their offering through subscription services.

These innovations in attackers' phishing techniques show that even popular MFA methods (such as smartphone push based notifications) are rapidly becoming obsolete.

So it's no wonder Microsoft and other vendors are again recommending users to pilot and start deploying phishing-resistant authentication methods. These are relying on public key cryptography and physical tokens. Although more difficult to implement and maintain, a recent standard called FIDO2 is avoiding the most common complexities of such authentication methods, notably implementing a public key infrastructure (PKI).