Got MFA? Attackers Don’t Mind.

Do you mandate that 100% of your accounts require multi-factor authentication (MFA)? If not, why not? The US Cybersecurity and Infrastructure Security Agency (CISA) recommends enabling MFA as one of the foremost measures your organization can take to reduce the likelihood of a breach. It’s sound advice—reused passwords, weak authentication, and always-on cloud applications make an organization an excellent target for attacks like business email compromise and various other campaigns from all corners of the globe. The question, then, is not whether MFA is important and useful, but whether it is enough.

In a report published just this week, Microsoft lays out how adversary-in-the-middle (AiTM) phishing attacks have targeted more than 10,000 organizations since September 2021. It’s a growing threat that our team has already explored extensively in our videos and even simulated in a two-part blog series. In short, the attacker sits in the middle of the transaction, tricking the user into logging in and satisfying MFA while intercepting the valid session token. The user lands on the legitimate site without suspecting a thing, while the stolen session token lives for as many as 90 days. The attacker is now fully logged in—post-authentication—and for several months has unfettered ability to exfiltrate data, create mail forwarding rules, and take any of the wealth of other actions granted to that user.

Is this new? This brings me back to the days of Dug Song’s dsniff toolkit over 20 years ago, when man-in-the-middle attacks were gaining popularity and were quite fun to perform against your lab mates (but that’s for another blog). What is new—or at least newer—is the scale at which this is occurring, the fact that MFA is now involved, and the frequent targeting of your SaaS identity provider (IDP).

The explosion of this attack vector drove the Obsidian team to develop our own models and launch our own detection and response capabilities to help counter it. Our technology is deployed nearly every day in incident response scenarios because of the increasing number of SaaS account compromises, often the result of techniques like AiTM.

We’ve observed session hijacking in the wild especially against Okta, Microsoft, and Google Workspace. It’s not just adversaries: red teams are increasingly using this technique too. Nor is it limited to this set of specific applications. An AiTM session hijacking attack can occur against just about any SaaS or cloud-hosted system where an attacker can mirror the site and authentication flow while intercepting from the middle. My friend Philip Martin, the Chief Security Officer at Coinbase, even explored the topic of session hijacking in his blog back in 2019 to bring more awareness to it.

So, what can we all do about this? In their aforementioned article, Microsoft lays out some quality recommendations, and I’ll add some color here as well:

  • Keep using MFA: MFA is still much, much better than no MFA, so keep using it.
  • Awareness of session hijacking: First and foremost, the organization, and every employee in it, needs to understand the risk vector and what to look out for.
  • Conditional Access: Limit authentication to a geographic region, to trusted devices, or utilize other criteria to help reduce the likelihood of success. But beware—attackers against US companies often bounce through US-based VPNs, so while geofencing definitely helps, it isn’t perfect.
  • Detection: Detection of session hijacking, or at least of anomalies around authentication and post-authentication activities, is critical.
  • Training, Training, Training: Keep those employees as your national guard, where everyone helps defend the organization and practices safer technology usage. Phishing is real, and it doesn’t always arrive through email; it can also come through other communication mediums, targeted ads, and more.
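The Detection bullet above, together with the token theft described earlier in the post, is the kind of thing that can be checked in code: because an AiTM login looks legitimate (right user, MFA satisfied), the useful signals come from what happens to the session token afterwards. The following is an added example written for this post; it is not Obsidian’s or Microsoft’s code. The event schema, field names, session ids, ASNs and every log line are constructed assumptions modelled loosely on the sign-in and mailbox audit logs an IdP or mail service exposes, and the 90-day token lifetime comes from the article.

```python
"""Session-hijack anomaly detection over constructed SaaS audit events.

Added example, not Obsidian's or Microsoft's code. Event schema, field
names and rule thresholds are assumptions, not any vendor's real log format.
"""
from datetime import datetime, timezone

# The article notes a stolen session token can live for as many as 90 days.
SESSION_TOKEN_LIFETIME_DAYS = 90

# Constructed sample events (not real logs). "session" is the id of the session
# token the IdP issued at sign-in, which lets post-auth activity be tied to it.
SAMPLE_EVENTS = [
    # Alice signs in with MFA from the corporate network on a Windows browser.
    {"ts": "2022-07-12T08:02:11Z", "user": "alice@example.com", "session": "s-1001",
     "event": "login.success", "mfa": True, "asn": "AS64500 CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # Normal post-auth activity from the same network and browser.
    {"ts": "2022-07-12T08:05:40Z", "user": "alice@example.com", "session": "s-1001",
     "event": "mail.read", "asn": "AS64500 CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103"},
    # The same token replayed from a VPN egress on a Linux browser, with no new
    # login and no new MFA prompt: the signature of an AiTM-stolen cookie.
    {"ts": "2022-07-12T09:15:03Z", "user": "alice@example.com", "session": "s-1001",
     "event": "mail.read", "asn": "AS64501 VPNProvider",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102"},
    {"ts": "2022-07-12T09:16:30Z", "user": "alice@example.com", "session": "s-1001",
     "event": "mailbox.forwarding_rule.create", "asn": "AS64501 VPNProvider",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102"},
    # Bob: a clean control, fresh MFA sign-in and consistent post-auth activity.
    {"ts": "2022-07-12T10:00:00Z", "user": "bob@example.com", "session": "s-2001",
     "event": "login.success", "mfa": True, "asn": "AS64502 HomeISP",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    {"ts": "2022-07-12T10:01:00Z", "user": "bob@example.com", "session": "s-2001",
     "event": "mail.read", "asn": "AS64502 HomeISP",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605"},
    # Carol: a token issued in April still in use in July, past the 90-day lifetime.
    {"ts": "2022-04-01T09:00:00Z", "user": "carol@example.com", "session": "s-3001",
     "event": "login.success", "mfa": True, "asn": "AS64500 CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/100"},
    {"ts": "2022-07-12T11:00:00Z", "user": "carol@example.com", "session": "s-3001",
     "event": "mail.read", "asn": "AS64500 CorpNet",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/100"},
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_session_hijack(events, lifetime_days=SESSION_TOKEN_LIFETIME_DAYS):
    """Return alerts for sessions whose post-auth use does not match the sign-in.

    Three checks keyed on the session id rather than on the login alone:
    (1) the token is used from a different network (ASN) or browser (user agent)
    than the one that completed MFA; (2) a mail forwarding rule is created, rated
    high on a drifted session and medium otherwise; (3) the token is still in use
    past its maximum lifetime.
    """
    alerts = []
    login_ctx = {}   # session id -> network/browser context captured at sign-in
    drifted = set()  # session ids already reported for context drift
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        sid, ts = ev["session"], _parse_ts(ev["ts"])
        if ev["event"] == "login.success":
            login_ctx[sid] = {"ts": ts, "asn": ev["asn"], "ua": ev["ua"]}
            continue
        ctx = login_ctx.get(sid)
        if ctx is None:
            # Token predates the log window, or was never issued by a sign-in we saw.
            alerts.append({"rule": "session_without_login", "severity": "low",
                           "user": ev["user"], "session": sid, "ts": ev["ts"]})
            continue
        age_days = (ts - ctx["ts"]).days
        if age_days >= lifetime_days:
            alerts.append({"rule": "stale_session_use", "severity": "medium",
                           "user": ev["user"], "session": sid, "ts": ev["ts"],
                           "detail": f"token age {age_days} days"})
        mismatched = [f for f in ("asn", "ua") if ev[f] != ctx[f]]
        if mismatched and sid not in drifted:
            drifted.add(sid)
            alerts.append({"rule": "session_context_drift", "severity": "high",
                           "user": ev["user"], "session": sid, "ts": ev["ts"],
                           "detail": "changed: " + ", ".join(mismatched)})
        if ev["event"] == "mailbox.forwarding_rule.create":
            alerts.append({"rule": "forwarding_rule_created",
                           "severity": "high" if sid in drifted else "medium",
                           "user": ev["user"], "session": sid, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_session_hijack(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['ts']} {a['user']} {a['rule']} {a.get('detail', '')}")
```

Run as a script it prints three alerts: Alice’s token drifting to a new ASN and user agent, the forwarding rule created from that drifted session, and Carol’s 102-day-old token still being accepted. Bob, who re-authenticated with MFA and kept using the same device, produces nothing. The design point is the one the post makes: the login event for Alice is clean and MFA-satisfied, so a detector that only scores sign-ins misses the attack; correlating post-auth activity back to the session id is what surfaces it, and the same correlation is what lets a responder know which token to revoke.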

If you’re interested in chatting more about this topic, my team and I are always happy to. Our hope is that the security world better understands the threat vector that is session hijacking in order to better prepare and respond. Good luck, and #shieldsup.

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

2 years

Ben, thanks for sharing!

Fred Wilmot

Founder | 3x CISO | Product Builder | Board Member | Speaker | Advisor

2 years

Ben Johnson, great reminder on authentication and authorization hygiene. When we look at an IdP service, not just the method for AuthN or AuthZ but the ability to revoke a token, destroy a session, and validate identity use and behavior reflects the world we live in today. Great piece.

Rick McElroy

CEO @ Nexasure | Cybersecurity Expert

2 years

Dsniff back in the day was my jam! Good article; it definitely highlights the need for well-implemented MFA. Based on other reports from folks on the red team side, they are still gaining access using weak MFA implementations. Great article.
