How hackers bypass 2FA: Insights from Iconis SOC team

Employing sophisticated methods to bypass multi-factor authentication.

Recent attacks observed by the Iconis SOC team show that attackers are using increasingly sophisticated methods to bypass multi-factor authentication (MFA). This trend caught my attention as a security engineer, and in this press release we look at how these attacks are carried out and what you can do to defend against them.

During one incident, our analysis of the log events showed that the attackers had targeted the user's session cookie: an Office 365 account was compromised even though MFA was enabled and enforced for it.

The natural question is: how do attackers manage to capture the session cookie?

The answer lies in phishing kits built around a reverse proxy, such as Evilginx2. The attacker registers a look-alike domain and runs a proxy that sits between the victim and the legitimate login page, an adversary-in-the-middle (AiTM) attack (older write-ups call it man-in-the-middle, or MITM). The victim follows a phishing link to the attacker's domain, which serves the real login page fetched live from the legitimate site. The username, password and MFA prompt all pass through the proxy unchanged, so the victim completes MFA exactly as normal. When the legitimate site then responds with the session cookie (the Set-Cookie header that marks the browser as authenticated), that response also passes back through the proxy, where the attacker records both the credentials and the cookie. Importing the cookie into their own browser gives the attacker an already-authenticated session: the session cookie is a bearer token, so the site does not prompt for MFA again. Strictly speaking MFA is not broken; the victim completes it, and the resulting session is stolen. Two consequences matter for the SOC: in the sign-in logs the victim's interactive sign-in is recorded from the proxy's IP address rather than the victim's, and the same session then appears from yet another address when the attacker uses the stolen cookie.

How can we defend against this?

The most effective defence we have seen in practice is Conditional Access, particularly for Office 365 (Microsoft Entra ID, formerly Azure AD). Policies can restrict sign-ins to trusted named locations (your office IP ranges or countries) and to managed devices (compliant or hybrid-joined). This blocks both the proxy's interactive sign-in and the attacker's later replay of the stolen cookie, since neither comes from a trusted network or a managed device. Two caveats apply. Conditional Access has no native time-of-day condition, so a working-hours restriction (for example 8am to 5pm local time) has to be enforced elsewhere, such as through on-premises Active Directory logon hours for synchronised accounts. And a location-only policy is defeated if the attacker proxies from, or replays from, an allowed range, so location should be combined with a device requirement. Phishing-resistant MFA (FIDO2 security keys or passkeys, Windows Hello for Business, certificate-based authentication) closes the gap at the root: the authenticator signs a challenge bound to the origin the browser is actually talking to, so a credential registered for the legitimate site produces nothing the proxy can use when the request arrives via the phishing domain.
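To make both the attack trace described above and the policy defence concrete, here is an added example of my own; it is not code from the Iconis team or from Evilginx2. It runs a session-replay check over constructed sign-in events whose field names are modelled on the Microsoft Entra ID sign-in log, then asks whether a simplified trusted-location-plus-compliant-device policy would have blocked each sign-in. The events, IP addresses, session IDs, the `TRUSTED_COUNTRIES` set and the policy model are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. Field names are modelled on the Microsoft Entra ID
# sign-in log (userPrincipalName, sessionId, ipAddress, location, isInteractive,
# deviceDetail, authenticationDetails); the values are made up for this example
# and the IPs come from the RFC 5737 documentation ranges.
SIGNIN_EVENTS = [
    {   # victim's interactive sign-in, relayed by the AiTM proxy: the logged IP
        # is the attacker's proxy host, not the victim's network
        "createdDateTime": "2024-03-12T09:02:11Z",
        "userPrincipalName": "alice@example.com", "sessionId": "a1b2c3",
        "ipAddress": "203.0.113.7", "location": {"countryOrRegion": "NL"},
        "isInteractive": True, "deviceDetail": {"isCompliant": False},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True}],
    },
    {   # attacker replays the captured cookie from a second host ~40 minutes later
        "createdDateTime": "2024-03-12T09:41:55Z",
        "userPrincipalName": "alice@example.com", "sessionId": "a1b2c3",
        "ipAddress": "198.51.100.23", "location": {"countryOrRegion": "RU"},
        "isInteractive": False, "deviceDetail": {"isCompliant": False},
        "authenticationDetails": [
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"}],
    },
    {   # benign: a new session from a compliant device in the home country
        "createdDateTime": "2024-03-12T10:15:00Z",
        "userPrincipalName": "alice@example.com", "sessionId": "d4e5f6",
        "ipAddress": "192.0.2.44", "location": {"countryOrRegion": "GB"},
        "isInteractive": True, "deviceDetail": {"isCompliant": True},
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True},
            {"authenticationMethod": "Mobile app notification", "succeeded": True}],
    },
]

TRUSTED_COUNTRIES = {"GB"}   # hypothetical named location: the tenant's home country


def _ts(event):
    return datetime.strptime(event["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def mfa_satisfied_by_token(event):
    """True when the sign-in performed no MFA itself but reused a claim carried
    in the session token, which is how a replayed cookie shows up in the log."""
    return not event["isInteractive"] and any(
        "claim in the token" in step.get("authenticationStepResultDetail", "")
        for step in event["authenticationDetails"])


def find_session_replays(events, window_minutes=24 * 60):
    """Return one finding per session whose cookie was used from a second IP
    address within window_minutes of the interactive sign-in that created it,
    where the later use carries MFA only as a token claim. Production rules
    should compare ASN or country rather than raw IP, since mobile users change
    address legitimately within a session."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["userPrincipalName"], ev["sessionId"])].append(ev)

    findings = []
    for (user, sid), evs in by_session.items():
        evs.sort(key=_ts)
        first = evs[0]
        for later in evs[1:]:
            delta = _ts(later) - _ts(first)
            if delta > timedelta(minutes=window_minutes):
                continue
            if later["ipAddress"] != first["ipAddress"] and mfa_satisfied_by_token(later):
                findings.append({
                    "user": user, "sessionId": sid,
                    "first_ip": first["ipAddress"], "replay_ip": later["ipAddress"],
                    "minutes_later": int(delta.total_seconds() // 60)})
    return findings


def policy_would_block(event, trusted_countries=TRUSTED_COUNTRIES, require_compliant_device=True):
    """Simplified model of a Conditional Access policy that grants access only
    from a trusted named location on a compliant device. It illustrates the
    logic only; it is not Entra ID's evaluation engine."""
    in_trusted_location = event["location"]["countryOrRegion"] in trusted_countries
    device_ok = event["deviceDetail"]["isCompliant"] or not require_compliant_device
    return not (in_trusted_location and device_ok)


if __name__ == "__main__":
    for finding in find_session_replays(SIGNIN_EVENTS):
        print("session replay:", finding)
    for ev in SIGNIN_EVENTS:
        print(ev["ipAddress"], "blocked" if policy_would_block(ev) else "allowed")
```

Run as is, the replay check reports session a1b2c3 used from 198.51.100.23 thirty-nine minutes after the interactive sign-in from 203.0.113.7, and the policy model blocks the first two events and allows the third. The point worth noticing is that the proxy's own interactive sign-in is blocked too: with a location-and-device policy the attack fails before the cookie is ever issued, rather than after it has been stolen.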

However, no single control is foolproof, so pair these measures with a well-educated user base that receives regular security awareness training: the attack still needs someone to follow the link and enter their credentials on the look-alike domain, and users who check the address bar before authenticating deny the attacker that first step. If you need assistance with user training or securing your environment, the Iconis team is here to help. Feel free to contact us for support.
