It is all too easy to place too much reliance on multifactor authentication (MFA) to protect against phishing attacks. In theory, if an employee is duped by a phishing email and their credentials are stolen, MFA should stop the threat actor from using those credentials to access the account, as they will not have the necessary additional authentication factor(s). The reality is somewhat different. While MFA can – and does – block many attacks where credentials have been obtained, it is far from infallible. MFA has made it much harder to compromise accounts but, in response, threat actors have developed new tactics to bypass MFA protections.

For example, there is a scam where an employee is contacted by an individual who claims to be from their IT department. The scammer tells them there is an issue with their account and that they need to update their password. They are directed to a site where they are prompted to enter their password and the MFA code sent to their phone, and the threat actor uses that information in real time to access the account. Multiple campaigns have also targeted IT helpdesk staff, with the threat actor impersonating an employee. They provide information to verify their identity (obtained in an earlier phase of the campaign) and ask to register a new device to receive their MFA codes.

Phishing-as-a-service (PhaaS) toolkits capable of defeating MFA are advertised for purchase or rental on hacking forums and Telegram channels. They perform an adversary-in-the-middle (AitM) attack, placing a reverse proxy between the victim and the legitimate portal for the credentials being sought. The user is directed to a login page that looks exactly as expected, because it is the genuine site relayed through the proxy. What the user does not know is that the attacker sits between them and the site and captures the credentials and the session cookie once MFA has been completed. The attacker then has access to the account for the lifetime of the session cookie and can register a new device to receive future codes.
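The tell-tale sign of the AitM flow described above is that a session established after a successful MFA prompt is immediately reused from the attacker's infrastructure, often followed by a new MFA device registration. The following added example (not code from this article or from TitanHQ) shows a minimal detection over constructed sign-in and audit events; the field names and the sample records are assumptions for illustration, and a real deployment would feed it from the identity provider's sign-in and audit logs.

```python
from datetime import datetime

# Constructed sample sign-in/audit events; not from any real tenant or product.
# A session id is first seen when MFA succeeds and is then reused by later events.
EVENTS = [
    {"ts": "2024-11-05T09:00:00", "user": "alice", "event": "login_mfa_success",
     "session": "S1", "ip": "198.51.100.10", "ua": "Chrome/130 Windows"},
    {"ts": "2024-11-05T09:01:30", "user": "alice", "event": "session_use",
     "session": "S1", "ip": "203.0.113.77", "ua": "Firefox/131 Linux"},
    {"ts": "2024-11-05T09:04:00", "user": "alice", "event": "mfa_device_registered",
     "session": "S1", "ip": "203.0.113.77", "ua": "Firefox/131 Linux"},
    {"ts": "2024-11-05T10:00:00", "user": "bob", "event": "login_mfa_success",
     "session": "S2", "ip": "198.51.100.22", "ua": "Edge/130 Windows"},
    {"ts": "2024-11-05T10:30:00", "user": "bob", "event": "session_use",
     "session": "S2", "ip": "198.51.100.22", "ua": "Edge/130 Windows"},
]


def detect_session_hijack(events):
    """Return one alert per event that reuses a session from a different IP or
    user agent than the one that completed MFA. An MFA device registration in
    such a session is rated high: it is how the attacker keeps receiving codes
    after the stolen cookie expires."""
    established = {}   # session id -> the event that completed MFA
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e["session"]
        if e["event"] == "login_mfa_success":
            established.setdefault(sid, e)
            continue
        origin = established.get(sid)
        if origin is None:
            continue   # session never seen established in this window; out of scope
        changed = [f for f in ("ip", "ua") if e[f] != origin[f]]
        if not changed:
            continue
        delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(origin["ts"])
        alerts.append({
            "user": e["user"],
            "session": sid,
            "event": e["event"],
            "changed": changed,
            "minutes_after_mfa": round(delta.total_seconds() / 60, 1),
            "severity": "high" if e["event"] == "mfa_device_registered" else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijack(EVENTS):
        print(alert)
```

Comparing on raw IP and user agent is the simplest possible check and will fire on mobile users whose address changes mid-session; in practice the comparison is done on ASN or geolocation and on a device fingerprint, and the device-registration case is the one worth paging on regardless.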

PhaaS kits are a serious threat and are proving popular with cybercriminals. Take the Rockstar 2FA kit, for example, which is advertised for $200 for a 2-week subscription. The kit includes everything a phisher needs: MFA bypass, login pages for targeting specific credentials, session cookie harvesting, fully undetectable (FUD) malicious links and link redirectors, a host of phishing templates, and an easy-to-use admin panel for tracking phishing campaigns. The phishing URLs are also hosted on legitimate services such as Google Docs Viewer, Microsoft OneDrive, and LiveAgent – sites commonly trusted by email security solutions. This is just one phishing kit; many others are being offered with similar capabilities.

The take-home message is that MFA, while important, can be bypassed. For maximum protection, phishing-resistant multifactor authentication should be used – e.g. smartcards or FIDO security keys. These MFA tools can be expensive to implement, so at the very least ensure that you have some form of MFA in place and add several other layers of defense. An advanced spam filtering service such as SpamTitan is essential, as it can block phishing emails to ensure they do not reach end users. Review sites often rate SpamTitan as one of the best spam filters for business due to how easy the solution is to use and its excellent detection rate. In November 2024, in tests by Virus Bulletin, SpamTitan blocked 100% of malware and 100% of phishing emails out of a test involving around 125,000 messages. Previous assessments had a catch rate of more than 99.99%, demonstrating the reliability and accuracy of the solution.
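What makes FIDO security keys phishing-resistant is that the assertion is bound to the site the browser is actually talking to: the browser writes the page origin into clientDataJSON, the authenticator's data carries a hash of the relying party ID, and the signature covers both, so a proxy on another domain cannot replay or rewrite the response. The added example below (not code from this article or from TitanHQ) walks through the relying-party checks from the WebAuthn assertion verification procedure with stdlib Python only; `login.example.com` and the proxy host name are hypothetical, the challenge is a constructed constant, and the final signature verification over `signed_payload()` is left out so the block runs without a cryptography library.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: str) -> bytes:
    """What the browser produces for navigator.credentials.get(): it fills in
    the origin of the page making the call; the page cannot choose the value."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(payload, separators=(",", ":")).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 7) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs. Because SHA-256(clientDataJSON) is part
    of them, a proxy cannot edit the origin field without breaking the signature."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: str, expected_origin: str, expected_rp_id: str):
    """Relying-party side: type, challenge, origin, rpIdHash and user-presence
    checks. The signature check over signed_payload() is omitted here."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


RP_ID = "login.example.com"                                # hypothetical relying party
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com.proxy.invalid"   # constructed AitM host name


def demo():
    """Genuine login, the same response relayed through a proxy origin, and a
    replay of an old response against a fresh challenge."""
    challenge = b64url(b"\x00" * 16)        # constructed; a real RP uses os.urandom()
    stale_challenge = b64url(b"\x01" * 16)
    auth_data = make_authenticator_data(RP_ID)
    return {
        "genuine": verify_assertion(make_client_data(REAL_ORIGIN, challenge), auth_data,
                                    challenge, REAL_ORIGIN, RP_ID),
        "relayed": verify_assertion(make_client_data(PROXY_ORIGIN, challenge), auth_data,
                                    challenge, REAL_ORIGIN, RP_ID),
        "replayed": verify_assertion(make_client_data(REAL_ORIGIN, stale_challenge), auth_data,
                                     challenge, REAL_ORIGIN, RP_ID),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} -> {'accepted' if ok else 'rejected'} ({reason})")
```

In a real attack the browser on the proxy's domain would refuse to use a credential scoped to `login.example.com` before anything is sent; the origin check shown here is the server-side backstop, and it is exactly the binding a one-time code sent to a phone does not have.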

Another layer of protection can be provided by a web filter, which blocks attempts to visit known malicious websites, such as those used for phishing and malware distribution. WebTitan provides time-of-click protection, as does TitanHQ’s PhishTitan product – an anti-phishing solution specifically developed to protect M365 accounts against phishing by augmenting Microsoft’s controls to catch the phishing emails that Exchange Online Protection (EOP) and Defender miss.

Technical defenses are important, but so too is workforce training. Through regular security awareness training and phishing simulations, employees can be taught cybersecurity best practices and how to identify and avoid scam emails. If you want to improve your defenses against phishing and malware, give the TitanHQ team a call and have a chat about your options. All TitanHQ solutions are easy to use, are available on a free trial, and full product support is provided during that trial.