How MFA is Bypassed: Attacker in the Middle

Curious about attacker in the middle breaches? This video explains what they are, how they happen, and how Beyond Identity can stop them before they start.

Hi, I'm Joshua from Beyond Identity, and we need to talk about attacker in the middle attacks, also known as man in the middle and session hijacking.

The most high-profile and recently successful cyber attacks we've seen have used this method to bypass legacy MFA options. These attacks are not theoretical. As noted in Microsoft's blog, there are readily available phishing kits that make this attack as easy as painting by numbers. There are a few ways this attack is executed, but, when successful, they all have the same result. Let's go over the tactic we typically see.

First, the attacker deploys a web server that proxies HTTP packets from the user. This server connects the user to the site they wish to visit while impersonating it at the same time. This means the attacker's phishing site is visually identical to the original website the user wishes to log into. The URL is the only visible difference between the phishing site and the actual one. And we can't expect the average user to always see the difference in a URL.

The proxied website functions as an attacker in the middle agent, intercepting the whole authentication process and extracting valuable data such as passwords and more importantly, session cookies. Once the attacker obtains the session cookie, they can inject it into their browser to skip the authentication process, even if the target's MFA is enabled. The session cookie tells the website that they are clear to be logged in. It's their key to the palace. MFA has been successfully bypassed.

To combat this, users need to use phishing-resistant MFA. This stops credentials from being stolen and reused during an attack. In addition, organizations need to complement this strong MFA with conditional access policies, where sign-in requests are evaluated using additional identity-driven signals such as user or group membership, IP location information, and device security posture, among others. With Beyond Identity, there are no passwords, or any phishable factors for that matter.

Additionally, Beyond Identity performs an operation known as Origin Domain Binding, which ensures the attack fails against these look-alike URLs. Should an attacker try to use this method to steal credentials, they wouldn't be able to. And Beyond Identity's crowning achievement is our robust, risk-based policy engine and continuous authentication.
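As an added illustration of the phishing-resistant MFA and origin binding described above (this is not Beyond Identity's code, and it uses a simplified stand-in for WebAuthn rather than the real protocol), the relying-party check below shows why a proxied login fails: the browser records the origin of the page that invoked the authenticator, the device signature covers that record, and the server accepts only its own origin. The domain names, the HMAC stand-in for the device's private-key signature, and the look-alike proxy domain are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical relying party (RP) for this example: the only origin it accepts.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID_HASH = hashlib.sha256(b"login.example.com").digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(device_key: bytes, page_origin: str, challenge: bytes) -> dict:
    """Simulated browser + authenticator. The browser records the origin of the page that
    called it, so a proxy page contributes its own URL. HMAC stands in for the device's
    private-key signature (a constructed simplification, not real WebAuthn)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = RP_ID_HASH + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash, flags (UP), counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(device_key, signed, "sha256").digest()}

def verify_assertion(device_key: bytes, assertion: dict, issued_challenge: bytes):
    """RP-side checks: the origin is compared explicitly and is also under the signature."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(device_key, signed, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover the presented clientDataJSON"
    return True, "ok"

def rewrite_origin(assertion: dict, new_origin: str) -> dict:
    """Editing clientDataJSON after signing: shows why hiding the proxy's origin fails."""
    data = json.loads(assertion["clientDataJSON"])
    data["origin"] = new_origin
    return {**assertion, "clientDataJSON": json.dumps(data).encode()}

def demo() -> dict:
    key = b"constructed-device-key"  # constructed sample key, one per enrolled device
    challenge = bytes(range(32))     # the challenge the RP issued for this login attempt
    direct = authenticator_sign(key, EXPECTED_ORIGIN, challenge)
    proxied = authenticator_sign(key, "https://login.example-com.net", challenge)  # look-alike
    return {"direct": verify_assertion(key, direct, challenge),
            "relayed": verify_assertion(key, proxied, challenge),
            "rewritten": verify_assertion(key, rewrite_origin(proxied, EXPECTED_ORIGIN), challenge)}
```

In real WebAuthn the browser additionally refuses to invoke the authenticator when the RP ID is not a registrable suffix of the page origin, so the server-side origin check is defense in depth rather than the only barrier.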

With Beyond Identity, you can set a list of security policies a device must meet for the authentication to be approved. The policy engine can evaluate things like whether a firewall is enabled, whether the operating system is up to date, and when and where a user is logging in from. If a device does not meet these policies, the authentication will be unsuccessful, and you could even automatically quarantine the device.

Using a session cookie on a device outside of this risk-based policy renders that session cookie useless for an attacker. After the initial authentication, Beyond Identity automatically checks that the device remains within policy as frequently as every 10 minutes, re-validating the device security in the background without adding any friction to the user. A truly invisible, continuous authentication experience.

With Beyond Identity, you are always verifying and never trusting. Let us take on your burden of authentication and help you lay the foundation for your zero trust architecture.