Social engineering tactics have grown more sophisticated, rendering MFA systems increasingly vulnerable to manipulation by attackers who bypass technical safeguards by tricking users into helping them.
How can we keep up with the evolving techniques used to target humans in authentication bypass efforts which range from phishing schemes and MFA fatigue to SIM-swapping and manipulation of recovery processes?
Let’s look into why each technique has been used with success so that we can understand how to battle the human element of cybersecurity defense.
Social Engineering: The Human Element
The most significant MFA vulnerabilities don’t stem from software flaws or server misconfigurations. They come from exploiting human psychology. Attackers know that if they can trick a person into revealing a code or clicking a link, they can bypass even the most robust authentication system.
Phishing, spear-phishing, and vishing remain some of the most effective methods for attackers targeting authentication systems that are reinforced with MFA. By creating authentic-looking websites and emails, attackers convince users to hand over their credentials and MFA codes willingly. For instance, the Microsoft Office 365 phishing campaign in 2023 used lookalike domains and real-time interception of MFA codes to hijack accounts within seconds of user login.
In a similar vein, the 2023 AT&T breach leveraged a spear-phishing campaign aimed at a third-party contractor to infiltrate AT&T’s systems and steal customer proprietary network information (CPNI) from millions of customers.
Vishing, a newer twist involving voice-based phishing, has also been used effectively. In the 2024 MGM Resorts ransomware attack, attackers used a vishing call to manipulate a staff member into resetting an MFA-protected administrative account, resulting in significant financial and reputational damage.
Social engineering attacks are often non-obvious. We have been privately told about an incident that involved the attackers deliberately breaking software on a victim workstation. When the IT helpdesk of the company logged on to the workstation to assist the victim, the attacker could retrieve the access token for the privileged IT helpdesk account from the compromised computer to access other computers, now with administrative access, until the token expired 12 hours later. Here, although MFA was used to create the helpdesk ticket, the token for the session itself was not protected.
MFA Fatigue (Prompt Bombing)
Attackers also exploit human impatience and confusion through MFA fatigue attacks. By overwhelming users with a barrage of authentication requests, attackers hope the user will approve one out of frustration. The 2022 Uber breach is a prime example, where constant MFA prompts eventually led the victim to grant access.
Once access was available, the attacker was able to exploit the employee’s access without the employee having any awareness it was occurring. Remote entry was not able to differentiate between an attacker and an intended employee. This opened the door to lateral movement with little ability to detect.
SIM-Swapping and SMS Interception
MFA through SMS or text messages, though common, is highly vulnerable to SIM-swapping attacks. In these attacks, the attacker convinces the victim’s mobile carrier to transfer their phone number to a new SIM card controlled by the attacker, allowing them to receive MFA codes via SMS intended for the victim’s phone.
Protecting against SMS vulnerabilities may not be in the direct control of your organization, which is why a layered approach is needed. The goal of the attacker is often to live off the land within the compromised organization.
For the attacker, gaining the first access via MFA bypass is just the first step, after which they can patiently wait to exploit their access. Attackers use lateral movement to avoid the need for SMS interception because internal tools and processes may not even use MFA for validation once the initial authentication session has been compromised.
MFA Code Interception at scale: Phishing-as-a-Service
Phishing-as-a-Service (PhaaS) platforms have lowered the barrier for attackers to automate MFA bypass. These platforms enable attackers to set up phishing campaigns that intercept credentials and MFA tokens in real time. Services like Evilginx2 and Modlishka automate the phishing process, allowing attackers to log in as the victim effortlessly.
The concern here is that the amount of sources an attacker can draw from is growing exponentially, while the defenses have not changed in order to meet the demand. Just like the other attack vectors, the goal is to gain initial access and then to land and expand without the need to deal with MFA at all.
Habituation and Overconfidence: The Subtle Human Weaknesses
MFA prompts are designed to be disruptive, but frequent authentication requests can lead to complacency. Users may develop a habit of blindly approving prompts without thinking. Attackers exploit this habituation through techniques like prompt bombing, but they also rely on users’ overconfidence in MFA. The 2022 Cisco breach demonstrated this, as employees stored credentials in personal password managers that were later compromised.
The reduced vigilance from decision fatigue is also exemplified when mandating highly complex passwords. It may seem secure to mandate difficult passwords that expire regularly and continuous MFA prompting, but the result is employee frustration and new habits that put the authentication process at risk. Passwords are invariably no stronger than the minimum password requirements, and complex passwords often get written down or placed in password managers, which undermines the intended security improvements. .
Repetitive prompts, instilling habituation, can be equally insecure because you are likely to just click through and not see what could be a phishing attempt in action.
Manipulating Account Recovery
Even when MFA is correctly implemented, attackers can bypass it by exploiting account recovery processes. Many organizations fail to apply the same rigor to their recovery workflows as they do to their authentication systems.
The 2024 attack against Snowflake and its high-profile customers was successful largely due to the exploitation of weaknesses in the account recovery process. Attackers targeted these processes, which were not as rigorously protected as the primary authentication systems. By manipulating help desk staff or exploiting poorly designed recovery methods, attackers were able to reset MFA for high-value accounts. This allowed them to gain access without needing to bypass MFA directly, effectively rendering the MFA protections moot.
The impact of controlling the account recovery process is significant. It allows attackers to bypass the intended security measures, accessing sensitive data and systems without triggering the usual alarms associated with MFA breaches. This type of attack highlights the importance of securing not just the authentication process itself, but also the ancillary processes like account recovery, which can be exploited if not properly safeguarded.
Insider Threats and Social Manipulation
Insider threats pose significant risks to MFA security, as they exploit the trust placed in individuals within an organization. These threats can manifest through negligence, coercion, or malicious intent, where insiders may approve fraudulent MFA requests or disable MFA protections for themselves and others.
A layered approach is needed because it provides multiple barriers that an insider must overcome, reducing the likelihood of a successful breach. By implementing robust monitoring systems, organizations can detect unusual patterns of behavior that might indicate insider threats. Additionally, enforcing strict access controls and regularly auditing permissions can help mitigate the risk of insiders exploiting MFA vulnerabilities.
Lateral movement is always a high-value proposition for attackers, as gaining access to one part of a network can allow them to move across systems and reach sensitive data. Insiders, with their inherent access, can facilitate this lateral movement if not properly trained or monitored.
Conclusion
Attackers have evolved their tactics to exploit the human vulnerabilities in authentication. While MFA remains an essential shield, it is only as strong as the people using it. Organizations must remain vigilant, ensuring that their defenses address both the technical and human sides of security.
By implementing a layered security approach including intent-based authentication, MFA, role-based conditional access policies, and robust training programs, organizations can mitigate the risk of MFA bypass.
Cybersecurity is an ever-evolving landscape where defenders must continuously adapt to stay ahead of attackers. The battle is ongoing, and while MFA is a widely used part of enterprise IT security, a layered and proactive approach is necessary to protect against sophisticated bypass techniques.