Phishing “Phishing-Resistant” Authentication: Attacks Persist

Beyond Phishing-Resistant: How Attackers Bypass Modern MFA and How to Stop Them

For years, cybersecurity experts have championed phishing-resistant multi-factor authentication (MFA) as the gold standard for account security. Technologies like FIDO2, WebAuthn, and passkeys—often using hardware tokens like YubiKeys or built-in biometrics—were designed to make traditional phishing attacks obsolete. By using public-key cryptography, they ensure that even if a user is tricked into visiting a fake website, no usable credential can be stolen.

However, the security landscape is in a constant state of evolution. Threat actors have adapted, developing sophisticated techniques that can bypass even these advanced protections. The era of “unphishable” security has given way to a new reality where attackers don’t just target credentials; they target the authenticated session itself.

The New Frontier of Phishing: Adversary-in-the-Middle (AiTM) Attacks

The primary method hackers use to defeat phishing-resistant MFA is the Adversary-in-the-Middle (AiTM) attack. This isn’t a brute-force attack or a flaw in the cryptography of your security key. Instead, it’s a clever deception that places the attacker directly between you and the service you’re trying to access.

Here’s how an AiTM attack typically unfolds:

  1. The Bait: The attack begins like any other phishing attempt—a carefully crafted email or message convinces the user to click a malicious link. This link leads to a proxy server controlled by the attacker, not the real website.

  2. The Proxy: The attacker’s server acts as a perfect, real-time mirror of the legitimate login page. When the user enters their username and password, the proxy forwards it to the real site.

  3. The MFA Challenge: The legitimate service then issues an MFA challenge. Because the attacker’s server is a live proxy, this challenge is passed directly to the user. The user, believing they are on the correct site, completes the challenge using their hardware key or biometric authenticator.

  4. Session Hijacking: This is the critical step. The user’s successful authentication is passed through the attacker’s proxy to the legitimate service. The service responds by issuing a session cookie, which proves the user is authenticated. The attacker intercepts and steals this session cookie.

The result? The attacker never steals the user’s password or the private key from their hardware token. They don’t need to. With the stolen session cookie, they can bypass the entire login process and gain access to the user’s account, enjoying all the same privileges as the legitimate user.

Why “Phishing-Resistant” Isn’t a Silver Bullet

The core issue is that phishing-resistant standards like FIDO2 were designed to solve the problem of credential theft. They do this exceptionally well. By binding a credential to a specific domain (e.g., google.com), they prevent it from being used on a phishing site (e.g., google-login.com).

However, AiTM attacks sidestep this protection. The authentication is happening with the real service; the attacker is just the invisible intermediary who captures the prize: the authenticated session. This highlights a crucial truth: technology alone cannot solve a human-centric problem. As long as a user can be tricked into initiating the login process from a malicious starting point, the risk remains.
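The domain binding described above is enforced on the relying-party side by checking fields the browser itself fills in. The following is an added example, not code from the article or from any FIDO2 library, showing the origin and RP ID checks a relying party runs on a WebAuthn assertion before it verifies the signature. The RP ID, the expected origin, the challenge, the lookalike domain and the client data values are all constructed for the example; the actual signature verification over `authenticatorData || SHA-256(clientDataJSON)` is done by a WebAuthn library and is not reproduced here.

```python
import base64
import hashlib
import json

# Constructed relying-party settings for this example (not a real deployment).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build the clientDataJSON a browser produces for navigator.credentials.get().
    The browser, not the page's JavaScript, fills in `origin`; that is why the
    relying party can trust it. Constructed value for this example."""
    body = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(body).encode())


def make_authenticator_data(rp_id: str) -> bytes:
    """Minimal constructed authenticatorData: SHA-256 of the RP ID (32 bytes),
    a flags byte with the user-present bit set, and a 4-byte sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def check_assertion(client_data_b64: str, authenticator_data: bytes, expected_challenge: str):
    """Run the binding checks a relying party performs on an assertion.
    Returns (ok, reason). The signature check would follow a True result."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one we issued"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # An assertion produced while the browser sat on a lookalike domain
        # carries that domain as its origin and is rejected here.
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "origin-bound checks passed; signature verification would follow"


def demo():
    """Legitimate assertion vs. one produced on a constructed lookalike domain."""
    challenge = b64url_encode(b"constructed-random-challenge-0001")
    legit = check_assertion(
        make_client_data(EXPECTED_ORIGIN, challenge),
        make_authenticator_data(RP_ID),
        challenge,
    )
    lookalike = check_assertion(
        make_client_data("https://example-login.com", challenge),
        make_authenticator_data("example-login.com"),
        challenge,
    )
    return legit, lookalike


if __name__ == "__main__":
    for label, result in zip(("legitimate", "lookalike"), demo()):
        print(f"{label}: {result}")
```

The point of the example is where the binding stops: the origin and RP ID checks protect the credential during the ceremony, but the session cookie the service issues afterwards carries no comparable binding unless the service adds one, which is why the session, not the key, becomes the target.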

Actionable Steps for True Phishing Resilience

Protecting your organization from AiTM and other advanced threats requires moving beyond a single solution and embracing a layered, defense-in-depth strategy.

  • Continue to Deploy Phishing-Resistant MFA: Despite these new attacks, FIDO2/WebAuthn and passkeys are still the strongest form of MFA available. They eliminate the vast majority of common phishing attacks and should be considered a foundational layer of security.

  • Embrace a Zero Trust Architecture: The principle of “never trust, always verify” is central to combating session hijacking. A Zero Trust model continuously assesses trust at every access request. This means security isn’t just about the initial login. Access policies should evaluate signals like device health, user location, IP reputation, and typical login times. If a session cookie suddenly appears in a different country moments after login, a Zero Trust system can flag it as suspicious and require re-authentication.

  • Strengthen Endpoint Security: AiTM attacks rely on the user interacting with a malicious link. Strong endpoint protection (like an Endpoint Detection and Response, or EDR, solution) can help detect and block access to known phishing domains and identify malicious processes before the user even has a chance to click. Ensuring that only healthy, compliant devices can access corporate resources is a key control.

  • Enhance Network-Level Monitoring: Monitor network traffic for connections to suspicious domains. While attackers are getting better at hiding their infrastructure, proactive threat intelligence and DNS filtering can block many phishing attempts at the network level.

  • Double Down on User Education: While AiTM attacks are harder to spot, user awareness remains a critical defense. Train employees to be suspicious of unsolicited requests, to manually verify URLs before entering information, and to report any unusual login prompts or security notifications immediately.
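The Zero Trust bullet above describes continuous evaluation of a session rather than a one-time login check. The following added example, which is not code from the article or from any product, shows one form of that check run over constructed access-log lines: each session id is bound at login to the client's country and user agent, and later requests on the same session that arrive from a different country or browser are flagged, with higher severity when they fall within a short window after login. The log format, field names, IP addresses (documentation ranges), country codes and the 30-minute window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed access-log lines, one JSON object per line. `sid` stands for a
# hash of the session cookie (never the cookie itself); `cc` is the GeoIP
# country assigned to the client address. All values are made up for the example.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "event": "login_success", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "cc": "US", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:00:40Z", "event": "request", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "cc": "US", "ua": "Firefox/125"}
{"ts": "2024-05-01T09:03:15Z", "event": "request", "user": "alice", "sid": "s1", "ip": "198.51.100.7", "cc": "NL", "ua": "Chrome/124"}
{"ts": "2024-05-01T10:00:00Z", "event": "login_success", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "cc": "DE", "ua": "Safari/17"}
{"ts": "2024-05-01T10:30:00Z", "event": "request", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "cc": "DE", "ua": "Safari/17"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-per-line log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Bind each session to its login context, then flag later requests that
    contradict it. Returns a list of alert dicts; an empty list means no anomaly."""
    bindings = {}  # sid -> context captured at login_success
    alerts = []
    for ev in parse_log(log_text):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "login_success":
            bindings[ev["sid"]] = {"cc": ev["cc"], "ua": ev["ua"], "ts": ts}
            continue
        bound = bindings.get(ev["sid"])
        if bound is None:
            # A session id that was never issued by an observed login is itself suspicious.
            alerts.append(_alert(ev, ["session id never seen at login"], "high"))
            continue
        reasons = []
        if ev["cc"] != bound["cc"]:
            reasons.append(f"country changed {bound['cc']} -> {ev['cc']}")
        if ev["ua"] != bound["ua"]:
            reasons.append(f"user agent changed {bound['ua']} -> {ev['ua']}")
        if reasons:
            # A context change moments after login matches the replayed-cookie pattern.
            severity = "high" if ts - bound["ts"] <= window else "medium"
            alerts.append(_alert(ev, reasons, severity))
    return alerts


def _alert(ev: dict, reasons: list, severity: str) -> dict:
    return {
        "user": ev["user"],
        "sid": ev["sid"],
        "ts": ev["ts"],
        "reasons": reasons,
        "severity": severity,
        "action": "require_reauth",  # step-up rather than silently allowing the request
    }


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(json.dumps(alert))
```

Country and user-agent are coarse signals and will produce some false positives (VPN users, browser updates), so the recommended response is a re-authentication challenge, as the bullet suggests, rather than an automatic block; device-health and IP-reputation signals from the same bullet can be added as further fields on the binding in the same way.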

Ultimately, while the term “phishing-resistant” may suggest invincibility, the reality is more nuanced. Modern authentication is a powerful deterrent, but it must be part of a comprehensive security strategy that assumes attacks will occur and is prepared to detect and respond to them in real time.

Source: https://www.bleepingcomputer.com/news/security/how-attackers-are-still-phishing-phishing-resistant-authentication/