What Is a Multi-Factor Authentication (MFA) Bypass?

While this security threat isn't new, it has recently gained popularity, catching headlines as the primary method in some notable attacks and breaches. A report from Okta found that the first half of 2022 saw more attacks against MFA than any other documented year.

It has long been a cybersecurity best practice to enable MFA, with many organizations relying on some form of authentication to verify and authenticate users. CISA reports users are 99% less likely to have their account compromised if MFA is enabled, as MFA helps prevent unauthorized access by requiring users to provide two methods of identity verification.

• First authentication factor: Entering the correct login credentials.

• Second authentication factor: A push notification sent to a phone or a code from a physical token, for example.

When MFA is enabled, users must complete both authentication factors to gain access. This is a strong security protocol. Passwords can get stolen or exposed in data breaches, but MFA codes are harder to obtain since it normally requires direct interaction with the authorized user.

But there are some ways for attackers to bypass the MFA. They may use an account takeover method that wouldn't trigger an MFA request. Or, as is the case in recent attacks, they’ll use social engineering tactics to convince the user to authenticate their login attempt.

There are various methods to bypass the MFA. Here is a round-up of some of the attack strategies aimed at the MFA.

• MFA prompt bombing: Many users have their MFA set up to alert their phones. A threat actor can deliver multiple requests to share the MFA. This creates alert fatigue until the user accepts the authentication to stop the requests.

• Using social engineering: Some threat actors may pose as a trusted source—like a customer service representative or an IT employee—to convince a user to share their authentication token. Threat actors may also pose as the user and call the IT help desk to reset credentials.

• SIM swapping: This is a unique form of social engineering where attackers directly contact a target’s mobile carrier, convincing the carrier to port the victim’s phone number from the original SIM card to the SIM card on a device owned by the threat actor. SMS one-time passcodes (OTPs) now flow to the malicious device, allowing attackers access.

• Implementing brute force: Threat actors will take guesses at what the MFA code is during a brute force attack. It's a trial-and-error approach, and they may get locked out if they try guessing too many times.

• Finding accounts not enrolled in MFA: Cybercriminals may try to find accounts that haven't enabled MFA. This way they only need the username and password to access an account. While an organization can require MFA, accounts of new employees or contractors may not have enrolled yet, making them vulnerable entry points.

• Exploiting legacy authentication to bypass MFA: While modern cloud email platforms support MFA, attackers can circumvent this obstacle through older mail protocols and applications such as IMAP or POP, which do not support MFA but still allow access to the cloud email platform.

• Targeting external systems without MFA: Older or unused systems and apps may not have MFA enabled. Threat actors may target these external systems to try and find an access point to an organization's network. For example, the Colonial Pipeline attack was caused by a single password used on a legacy VPN without MFA enabled.

• Manipulating trusted IP addresses: A trusted network, like on-prem wifi at a corporate office, may not ask for an MFA. Threat actors can spoof IP addresses or use a guest network connection to mimic legitimate users.

• Compromising an authenticated session: If the authentic user has already accessed an account, it may not ask for an MFA again while logged in. Cybercriminals can then take advantage of the already authenticated session and pose as the legitimate user.

Other than the Colonial Pipeline attack mentioned earlier, there are a couple of instances where cybercriminals used an MFA bypass to cause a data breach. Some real-life examples include:

• Uber breach: In September 2022, Uber reported the Lapsus$ hacking group managed to infiltrate their system. The attacker gained access by repeatedly sending a contractor an MFA request until they finally accepted one. Lapsus$ favors the MFA bypass, and they frequently use it to hack into other organizations such as Microsoft, Cisco, Samsung, Nvidia, and Okta.

• AiTM phishing: Microsoft revealed attackers targeted over 10,000 organizations using adversary-in-the-middle (AiTM) phishing sites to steal login credentials and session cookies. A session cookie proves an authenticated session was started. Once stolen, attackers can use it to get authenticated on the user's behalf. After gaining unauthorized access to an account, attackers execute business email compromise (BEC) campaigns.

The Lapsus$ group has a particular affinity for the MFA bypass technique. In their official Telegram channel, attackers traded MFA bypass tips and techniques. “No limit is placed on the amount of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device,” explained one member.

Attackers can only begin to bypass the MFA if they have the proper login credentials. Implementing a strong password policy will make it more difficult for them to hack an account. Organizations should enact password rules like:

• Change passwords regularly.

• Never reuse old passwords.

• Never use the same password across multiple accounts.

• Create passwords with complexity and character standards.

In addition to ensuring your employees use strong and unique passwords, here are a few other ways to prevent an MFA bypass:

• Disable legacy authentication and protocols.

• Review and modify overly permissive conditional access protocols.

• During security awareness training, inform employees their MFA code is as sensitive as their passwords.

• Monitor authentication requests to spot MFA attacks.

• Ensure employees only receive access to limited data needed to accomplish their job responsibilities.

• Consistently auditing and monitoring employee privileges to ensure employees only have access to necessary data, in line with zero trust philosophy.

To learn more about how Abnormal can protect you from account takeovers, schedule a demo today.