Threat actors looking for an initial foothold in an environment often succeed by compromising user accounts. The good news is that multi-factor authentication (MFA) effectively hinders many attackers who hold valid credentials. The bad news? Threat actors have developed a variety of techniques to bypass MFA.

In responding to ReliaQuest customer incidents, we have observed a significant rise in the frequency of MFA bypass attempts against organizations. And there is more bad news: bypass methods are likely to become more popular and more sophisticated over the next few years. The commoditization of infostealers, phishing kits, and other tools, many of which are sold on cybercriminal forums, invites threat actors of all kinds to target users at scale.

Don’t scrap your MFA; it remains a critical security control. Focus instead on knowing your enemy and relying on defense in depth to harden your environment. Although several bypass techniques are circulating, allow us to introduce you to some of the most utilized methods and show you how we hunt for them.

Bypass Route 1: MFA Fatigue

When an attacker has a user’s credentials but must pass the MFA challenge protecting the account, they may coerce the account owner into completing it by repeatedly sending MFA “push” requests to the target’s registered device, typically an authenticator app on their phone. This is known as an MFA fatigue (or push bombing) attack. Worn down and feeling powerless to stop the notifications, an unaware user may eventually give in and approve a challenge, unwittingly completing a successful authentication for the attacker. Users are tricked by this tactic more often than one might expect; it has been observed in a number of intrusions, including the high-profile breach that impacted Uber in 2022.

Hunting for Indicators 

ReliaQuest’s strategies to hunt for indicators of this technique take advantage of the telemetry produced by the flood of MFA challenge requests. This activity can be identified by looking for the following: 

  • Multiple Failures Followed by a Success: Several MFA challenge completion failures followed by a successful one is a good indicator that an MFA fatigue attack may have occurred. The ideal number of failures to look out for will vary depending on the environment and the level of “noise” produced, but baselining this activity to determine the appropriate threshold will help to identify these attacks. Looking at the type of failure indicated by the log is also useful. In an MFA fatigue attack, security teams are likely to see several failures resulting from MFA timeouts rather than failures due to explicit denies from the user. 
  • Explicit Denies or Fraud Reports Followed by a Success: Sometimes individuals will explicitly deny an unauthorized MFA challenge or report it as fraud but then accept a follow-up MFA challenge from the threat actor shortly after, likely in an attempt to stop the continuous notifications. This activity can be subject to false positives in cases where users click the fraud or deny button by accident. We can separate those cases with a quick baseline check that reveals deviations from the user’s expected IP address ownership (ISP or ASN), location, or browser/device type (the user’s usual logon properties).
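As an added illustration (not ReliaQuest’s detection logic), the following Python runs both patterns above over a handful of constructed MFA events: a burst of timed-out pushes followed by a success, and an explicit deny or fraud report followed by a success, with a crude baseline check on the successful logon’s IP and device. The `ts|user|result|ip|device` line format, the result labels, and the thresholds are assumptions; a real pipeline would map them from the provider’s own fields.

```python
"""Hunt for MFA fatigue patterns in authentication telemetry.

Added example, not ReliaQuest's code. Events are assumed to be normalised into
'ts|user|result|ip|device' lines; the result labels (timeout/deny/fraud/success)
and field names are illustrative, not any provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 'timeout' = user never answered the push; 'deny'/'fraud' = user rejected it.
FAILURE_RESULTS = {"timeout", "deny", "fraud"}

# Constructed sample: alice is bombed with pushes at night and finally accepts from
# the attacker's host; bob times out once on his usual device; carol reports fraud
# and then approves the next push two minutes later.
SAMPLE_LOG = [
    "2024-03-04T09:00:00|alice|success|203.0.113.10|Windows/Edge",
    "2024-03-04T22:01:00|alice|timeout|198.51.100.7|Linux/Firefox",
    "2024-03-04T22:02:00|alice|timeout|198.51.100.7|Linux/Firefox",
    "2024-03-04T22:03:00|alice|timeout|198.51.100.7|Linux/Firefox",
    "2024-03-04T22:04:00|alice|timeout|198.51.100.7|Linux/Firefox",
    "2024-03-04T22:05:00|alice|success|198.51.100.7|Linux/Firefox",
    "2024-03-04T08:30:00|bob|timeout|203.0.113.22|macOS/Safari",
    "2024-03-04T08:31:00|bob|success|203.0.113.22|macOS/Safari",
    "2024-03-04T13:10:00|carol|fraud|198.51.100.9|Windows/Chrome",
    "2024-03-04T13:12:00|carol|success|198.51.100.9|Windows/Chrome",
]


def parse_events(lines):
    """Parse the constructed 'ts|user|result|ip|device' lines, oldest first."""
    events = []
    for line in lines:
        ts, user, result, ip, device = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "device": device})
    return sorted(events, key=lambda e: e["ts"])


def hunt_mfa_fatigue(events, min_timeouts=3, window=timedelta(minutes=15)):
    """Return one finding per success preceded by a suspicious failure pattern.

    Flags a success when, inside `window` before it, the same user had either
      * at least `min_timeouts` timed-out challenges (push bombing), or
      * any explicit deny / fraud report (user tried to refuse, then gave in).
    `properties_changed` is True when the success's IP/device pair differs from
    every earlier success for that user (a minimal baseline check).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        known_good = set()  # (ip, device) pairs seen on earlier successes
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent = [p for p in evs[:i]
                      if p["result"] in FAILURE_RESULTS and e["ts"] - p["ts"] <= window]
            timeouts = sum(1 for p in recent if p["result"] == "timeout")
            denies = sum(1 for p in recent if p["result"] in ("deny", "fraud"))
            if timeouts >= min_timeouts or denies > 0:
                findings.append({
                    "user": user,
                    "success_at": e["ts"].isoformat(),
                    "timeouts_before": timeouts,
                    "denies_before": denies,
                    "properties_changed": bool(known_good)
                    and (e["ip"], e["device"]) not in known_good,
                })
            known_good.add((e["ip"], e["device"]))
    return findings


if __name__ == "__main__":
    for finding in hunt_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(finding)
```

Tune `min_timeouts` from your own baseline rather than the value used here; a single timeout followed by a success (bob above) is everyday noise, whereas any deny-then-success is rare enough to review every time.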

ReliaQuest has detections in place that alert to this kind of activity in real time; the detections are simple and offer relatively high fidelity.

Bypass Route 2: Token Theft

Attackers also bypass MFA by stealing authentication tokens granted to users upon login and completion of their own MFA challenge. With tokens susceptible to theft through infostealer malware and adversary-in-the-middle (AiTM) attacks, the bypass process has been simplified and the barrier to entry lowered. Infostealers infect user devices and harvest authentication information cached by web browsers, while AiTM attacks use phishing and proxy servers to harvest credentials and tokens from users. Thanks to the accessibility of these tools, ReliaQuest has observed a sharp rise in attackers leveraging them for initial access, leading to higher rates of business email compromise (BEC) intrusion scenarios.  

Hunting for Indicators 

  • Session IDs: The hunting methods here depend on how the token is stolen, but focusing on suspicious activity surrounding the use of session IDs can help security teams zero in on this threat. A single session ID being used across disparate artifacts, such as two different device types, can indicate a stolen token has been used to bypass the typical authentication process (especially in the case of AiTM attacks).

    Hunting in this manner works because in an AiTM attack, the attacker-owned site through which the user submits their credentials will proxy this information to the legitimate authentication portal. Once the unsuspecting user completes any MFA requirements in place, the attacker is then able to retrieve the user’s credentials along with the authentication token for the newly created session. The attacker will typically then use the harvested authentication token to connect to this session from their own device. Since the attacker’s proxy server and device are usually two separate machines in two separate places, tracking instances in which the same session ID is seen across disparate logon properties can be a good indicator that the user has been targeted in an AiTM attack.

  • Fine-Tune Searches: Hunting on this activity can be subject to false positives, especially in environments where token lifetimes are not properly restricted. Some authentication providers allow tokens to remain valid for as long as 90 days. In cases like these, scoping searches to shorter timeframes will help cut down the results needing validation.
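The following Python is an added example (not ReliaQuest’s code) of the session ID hunt described above, including the time-window trimming from the fine-tuning point: it flags any session whose consecutive uses, closer together than the window, come from different device types. The `ts|user|session_id|ip|device` format is a constructed normalisation; the three sessions in the sample are made up.

```python
"""Hunt for one session ID used from disparate logon properties (AiTM token replay).

Added example, not ReliaQuest's code. Events are assumed pre-normalised into
'ts|user|session_id|ip|device' lines; field names and sample values are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. S1: the IdP first sees alice's session from the phishing
# proxy's address, then 40 minutes later the same session is replayed from the
# attacker's own Linux box. S2: bob reuses his session all day from one device.
# S3: carol's long-lived session shows up on a new device, but a month later.
SAMPLE_LOG = [
    "2024-03-04T10:00:00|alice|S1|198.51.100.50|Windows/Chrome",
    "2024-03-04T10:40:00|alice|S1|192.0.2.77|Linux/Firefox",
    "2024-03-04T08:00:00|bob|S2|203.0.113.22|macOS/Safari",
    "2024-03-04T16:00:00|bob|S2|203.0.113.22|macOS/Safari",
    "2024-02-01T09:00:00|carol|S3|203.0.113.30|Windows/Edge",
    "2024-03-02T09:00:00|carol|S3|203.0.113.31|iOS/Safari",
]


def parse_session_events(lines):
    """Parse the constructed 'ts|user|session_id|ip|device' lines."""
    events = []
    for line in lines:
        ts, user, sid, ip, device = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "session_id": sid, "ip": ip, "device": device})
    return events


def hunt_session_reuse(events, window=timedelta(hours=24)):
    """Flag a session whose consecutive uses come from different device types.

    Only consecutive uses closer together than `window` are compared. With
    long token lifetimes (up to 90 days on some providers) the same session can
    legitimately appear from new properties weeks later, so the window is the
    knob that trades recall for fewer results to validate. IP drift alone is not
    flagged (mobile roaming is too noisy) but is reported as supporting evidence.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["ts"] - prev["ts"] > window:
                continue  # too far apart to compare meaningfully
            if prev["device"] == cur["device"]:
                continue  # same device type; not the pattern we are hunting
            findings.append({
                "session_id": sid,
                "user": cur["user"],
                "first_seen": (prev["ip"], prev["device"]),
                "then_seen": (cur["ip"], cur["device"]),
                "minutes_apart": (cur["ts"] - prev["ts"]).total_seconds() / 60,
                "ip_changed": prev["ip"] != cur["ip"],
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_session_reuse(parse_session_events(SAMPLE_LOG)):
        print(finding)
```

Widening the window to cover the provider’s maximum token lifetime would also surface carol’s session; whether that is worth the extra validation effort is exactly the trade-off the fine-tuning point describes.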

For results that need further vetting, security teams can validate findings returned from these searches by looking for logon properties that are inconsistent with those typically seen for the user. Activity occurring outside of the user’s known work hours or through anonymized IP addresses (such as those associated with VPNs) should also be treated as suspicious. Many authentication vendors offer detection signatures that can be enabled to help flag activity that appears anomalous for the user or entails risky logon properties. These signatures can be useful starting points to hunt on or correlate threat activity. 

Bypass Route 3: Targeting MFA Misconfigurations

Improper configurations, and legacy systems and protocols that don’t support MFA, open the door to attackers. Certain users or groups may inadvertently be excluded from MFA requirements as a result of policy misconfigurations. Separately, legacy (basic) authentication over protocols such as POP3, IMAP, or SMTP AUTH cannot complete an interactive MFA challenge at all, so attackers holding valid credentials may use these protocols to sidestep the requirement entirely.

Hunting for Indicators 

  • Authentication Policies: Organizations should regularly validate policies to ensure that they are working as anticipated. With many users and groups to keep track of within an organization, it is sometimes easy for certain users to be left out of security policies, like those forcing MFA. ReliaQuest has seen that service accounts especially are frequent culprits of being excluded from MFA policies and make juicy targets for attackers to abuse. Additionally, more complex policies like conditional access requirements may be poorly configured or defined too narrowly, allowing attackers to authenticate without MFA under certain risky conditions. Hunting on authentication activity in which users are never prompted for MFA upon login can help security teams identify these gaps.
  • Protocols Incompatible with MFA: Rather than attempting to enumerate every protocol that might be abused, we can simply identify the user agents observed infrequently within the environment. This shifts focus to anomalous events that might indicate an unexpected protocol is in use. It is worth noting that Microsoft sign-in logs record user agent strings such as “BAV2ROPC”, “CBAinPROD”, and “CBAinTAR” when legacy authentication is in use. Looking for these artifacts can also serve as a good starting point for identifying potential threat activity.
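As an added example (not ReliaQuest’s code), this Python combines the two hunts above over a constructed set of sign-in records: it flags sign-ins carrying the Microsoft legacy user agent markers named in the text, sign-ins from user agents rarely seen in the environment, and successful sign-ins that never prompted for MFA, and it lists accounts that were never prompted at all (the service-account gap). The `user|user_agent|mfa_prompted|result` format and the rarity threshold are assumptions.

```python
"""Hunt for MFA policy gaps and legacy-authentication user agents.

Added example, not ReliaQuest's code. Sign-ins are assumed normalised to
'user|user_agent|mfa_prompted|result' lines (mfa_prompted is '1' or '0');
the constructed sample and the rarity threshold are illustrative.
"""
from collections import Counter

# User agent strings Microsoft records for legacy (basic) authentication flows.
LEGACY_UA_MARKERS = ("BAV2ROPC", "CBAinPROD", "CBAinTAR")

CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/121"

# Constructed sample: interactive users on a common browser with MFA; a backup
# service account authenticating over legacy auth with no MFA; a scripted client
# with an unusual user agent; a reporting account excluded from the MFA policy.
SAMPLE_LOG = [
    f"alice|{CHROME}|1|success",
    f"bob|{CHROME}|1|success",
    f"carol|{CHROME}|1|success",
    f"alice|{CHROME}|1|success",
    f"bob|{CHROME}|0|failure",
    "svc_backup|BAV2ROPC|0|success",
    "dave|python-requests/2.31|1|success",
    f"svc_report|{CHROME}|0|success",
    f"svc_report|{CHROME}|0|success",
]


def parse_signin_events(lines):
    """Parse the constructed 'user|user_agent|mfa_prompted|result' lines."""
    events = []
    for line in lines:
        user, ua, mfa, result = line.split("|")
        events.append({"user": user, "user_agent": ua,
                       "mfa_prompted": mfa == "1", "result": result})
    return events


def hunt_legacy_auth(events, rare_threshold=2):
    """Return sign-ins worth a look, each tagged with the reasons it was flagged.

    Reasons: a known legacy-auth user agent marker, a user agent seen at most
    `rare_threshold` times in the data set, or a success that never prompted MFA.
    """
    ua_counts = Counter(e["user_agent"] for e in events)
    findings = []
    for e in events:
        reasons = []
        if any(marker in e["user_agent"] for marker in LEGACY_UA_MARKERS):
            reasons.append("legacy_auth_marker")
        if ua_counts[e["user_agent"]] <= rare_threshold:
            reasons.append("rare_user_agent")
        if e["result"] == "success" and not e["mfa_prompted"]:
            reasons.append("no_mfa_prompt")
        if reasons:
            findings.append({"user": e["user"], "user_agent": e["user_agent"],
                             "reasons": reasons})
    return findings


def users_never_prompted(events):
    """Accounts with successful sign-ins and no MFA prompt on any of them.

    These are candidates for policy exclusions that were never intended, most
    often service accounts.
    """
    prompted, succeeded = set(), set()
    for e in events:
        if e["result"] != "success":
            continue
        succeeded.add(e["user"])
        if e["mfa_prompted"]:
            prompted.add(e["user"])
    return succeeded - prompted


if __name__ == "__main__":
    evs = parse_signin_events(SAMPLE_LOG)
    for finding in hunt_legacy_auth(evs):
        print(finding)
    print("never prompted:", sorted(users_never_prompted(evs)))
```

Rarity should be computed over a period long enough to capture your real population of clients (a month of sign-ins rather than a day), otherwise every new browser release looks anomalous.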

Hunting Left

Some MFA bypass attacks may be difficult to identify depending on the technique used and the logging available. If an organization has insufficient visibility levels, security teams can opt to hunt for related activity elsewhere in the attack lifecycle.  

ReliaQuest frequently observes MFA bypass techniques in primarily two types of intrusion chains: 

  • Business Email Compromise: BEC incidents [1] have risen sharply over the past several months and often start with MFA bypass. Security teams can identify threat activity by hunting on BEC-related techniques such as:
    • Suspicious inbox rule creations to evade detection. [2]
    • Internal phishing campaigns via compromised accounts to move laterally. [3]
    • Email forwarding rule creations and spikes in user file access/downloads to collect sensitive data. [4]
  • VPN Account Compromise: MFA bypass is also likely to occur in conjunction with the compromise of externally facing assets, commonly VPNs. [5] External assets provide attackers with a viable initial point of access, one that lies outside the initial lines of defense. The credentials to VPN accounts and similar applications are frequently sold by initial access brokers to other attackers; if an attacker can bypass any MFA mechanisms in place, they will likely use that foothold to identify additional pivot points. Identifying evidence of discovery activity [6], especially sourcing from an externally facing asset, likely indicates an attacker has gained unauthorized access to the environment.

Regardless of the threat activity that security teams decide to hunt for, the priority should be to “hunt left”. One of the main objectives of threat hunting is to reduce the dwell time of threat actors within the environment. Imagining the attack lifecycle as a flow chart moving left to right (such as in figure 1 below), the principle of “hunting left” places emphasis on looking to identify activity that is more likely to appear in the earlier stages of the attack lifecycle, such as initial access and persistence, that occur before the scope of the compromise becomes more serious and more difficult to contain and remediate.

Figure 1: Simplified attack lifecycle model 

When a Hunt Can Help

ReliaQuest’s hunting strategies can be used in combination with hardening and detection strategies to build an all-encompassing security program. MFA bypass is one prevalent initial-access technique, but many other techniques are worth building detections for to continually improve security operations. Relying on defense in depth in this way can help incident response efforts when other security controls fail.

Mitigating the MFA Bypass Threat

Despite the various techniques that threat actors have developed to circumvent MFA, the situation is not hopeless for security teams. In addition to ensuring MFA is enabled wherever possible, organizations should rely on defense in depth to bolster their environment. 

Implementing the following recommendations can help protect users and mitigate the risk of MFA bypass:

  • Educate Users on Common Phishing Tactics: While crucial in combating phishing attempts, user training is often challenging to implement effectively. Security teams should never rely on the user completely, but empowering users with a proper education on the social engineering tactics used by attackers can help them become more adept at detecting these attempts and will contribute to the organization’s overall security.
  • Trusted Devices: Implementing a certificate-based authentication policy allows administrators to issue certificates to recognized, managed devices and require one at sign-in. This helps prevent unauthorized access to corporate resources by blocking authentications from any unrecognized device, ultimately protecting the user from attackers operating remotely with stolen credentials or tokens.
  • Limit Token Lifetimes: Many MFA bypass methods rely on token theft and the attacker's ability to maintain persistence in the environment long enough to establish a more permanent foothold. By reducing the time before a token expires, security teams can make it more difficult for attackers to utilize stolen tokens for initial access. The ideal expiration time will vary; security teams should find a balance between the hindrance imposed on users through repeated authentications and the security gained by shorter token lifetimes.
  • Don’t Operate Blindly: If organizations aren’t logging key activity, they won't be able to detect or identify certain attack vectors when they occur. Incident/pen test reviews and threat hunting will help security teams assess their visibility levels within the environment and determine where gaps exist. When budgets allow, security teams should work to enable beneficial telemetry and send it to a place where it can be accessed and alerted on, such as a SIEM or data lake. In the case of MFA, many authentication providers provide advanced information such as risk indicators and other signatures that provide additional insight into events that are potentially malicious in nature. These additional logging options usually are not costly from an events per second (EPS) standpoint - especially when compared to the benefits they provide.
  • MFA Options: The MFA solution that fits your organization depends largely on several factors such as business requirements, infrastructure, applications, and more. Any form of MFA is better than none, but certain implementations protect the user more than others. For example, instead of simply accepting a push, some MFA mechanisms force users to perform a number match in which they must enter or select the number shown on the login screen; this mechanism is generally more resilient to fatigue-based attacks because the attacker, not the user, sees the number. Additionally, organizations should utilize MFA lockout options to limit the number of MFA attempts allowed. Organizations can also take advantage of biometrics or phishing-resistant hardware authenticators such as FIDO2/WebAuthn security keys, whose credentials are bound to the legitimate site’s origin and therefore cannot be relayed through an AiTM proxy, though no control eliminates social engineering entirely.

The ReliaQuest GreyMatter security operations platform provides threat hunting toolsets and prebuilt packages that can comb through your security tools, systems, and applications to identify threat activity hidden in your network — all from a single console. Using GreyMatter’s Investigate and Hunt modules, security teams are able to identify threat activity in real-time and proactively look for dwelling threats to reduce the risk that attack vectors like MFA bypass present to our clients.