November 30, 2023
Threat actors looking for an initial foothold in an environment often find success compromising user accounts. The good news is that multi-factor authentication (MFA) effectively hinders many attackers who hold valid credentials. The bad news? MFA can be bypassed via various techniques that threat actors have developed to get around this security measure.
In responding to ReliaQuest customer incidents, we’ve observed a significant rise in the frequency of MFA bypass attempts against organizations. And there’s more bad news: bypass methods are likely to become more popular and sophisticated in the mid-term future. The commoditization of infostealers, phishing kits, and other tools — many of which are sold on cybercriminal forums — invites threat actors of all kinds to target users on a large scale.
Don’t scrap your MFA; it remains a critical security control. Focus instead on knowing your enemy and relying on defense in depth to harden your environment. Although several bypass techniques are circulating, allow us to introduce you to some of the most utilized methods and show you how we hunt for them.
When an attacker has a user’s credentials but needs to pass an MFA challenge that is protecting the account, they may coerce the account owner into completing the challenge by repeatedly sending MFA “push” requests to the target’s email account, phone, or another registered device. This is known as an MFA fatigue attack. Fatigued and feeling powerless to resist, an unaware user might eventually give in and complete an MFA challenge, unwittingly allowing a successful authentication for the attacker. Users are tricked by these tactics more frequently than one might initially expect; they have been observed in a number of intrusions, such as the high-profile breach that impacted Uber in 2022.
Hunting for Indicators
ReliaQuest’s strategies to hunt for indicators of this technique take advantage of the telemetry produced by the flood of MFA challenge requests. This activity can be identified by looking for the following:
ReliaQuest has detections in place that alert to this kind of activity in real time; the detections are simple and offer relatively high fidelity.
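One way to hunt for the push-flood telemetry described above, as an added example that is not ReliaQuest's code or GreyMatter detection logic; the log line format, the field values and the sample records are constructed assumptions rather than any vendor's schema:

```python
# Added example (not ReliaQuest code): hunt for MFA "push" fatigue bursts in
# constructed MFA log lines. The line format is an assumption, not a vendor schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is flooded with pushes and finally approves one;
# bob and carol show normal, low-volume prompts.
SAMPLE_LOG = """
2023-11-30T08:00:05Z alice push denied
2023-11-30T08:01:10Z alice push denied
2023-11-30T08:02:30Z alice push timeout
2023-11-30T08:03:45Z alice push denied
2023-11-30T08:05:00Z alice push denied
2023-11-30T08:06:20Z alice push timeout
2023-11-30T08:07:40Z alice push approved
2023-11-30T09:00:00Z bob push approved
2023-11-30T10:00:00Z carol push denied
2023-11-30T10:40:00Z carol push denied
2023-11-30T11:30:00Z carol push denied
""".strip().splitlines()


def parse(line):
    """Split '<utc-timestamp> <user> <method> <result>' into typed fields."""
    ts, user, method, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result


def find_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: {"challenges": n, "approved_after_flood": bool}} for users who
    received at least `threshold` push prompts inside one sliding time window.
    An approval at the tail of such a burst is the strongest sign the user gave in."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, method, result = parse(line)
        if method == "push":            # only push prompts can be spammed this way
            by_user[user].append((ts, result))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end, (ts, result) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hit = hits.setdefault(user, {"challenges": 0, "approved_after_flood": False})
                hit["challenges"] = max(hit["challenges"], count)
                hit["approved_after_flood"] |= result == "approved"
    return hits
```

`find_fatigue(SAMPLE_LOG)` flags only alice; tune `threshold` and `window` to the prompt volume your identity provider normally produces.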
Attackers also bypass MFA by stealing authentication tokens granted to users upon login and completion of their own MFA challenge. With tokens susceptible to theft through infostealer malware and adversary-in-the-middle (AiTM) attacks, the bypass process has been simplified and the barrier to entry lowered. Infostealers infect user devices and harvest authentication information cached by web browsers, while AiTM attacks use phishing and proxy servers to harvest credentials and tokens from users. Thanks to the accessibility of these tools, ReliaQuest has observed a sharp rise in attackers leveraging them for initial access, leading to higher rates of business email compromise (BEC) intrusion scenarios.
Hunting in this manner works because in an AiTM attack, the attacker-owned site through which the user submits their credentials will proxy this information to the legitimate authentication portal. Once the unsuspecting user completes any MFA requirements in place, the attacker is then able to retrieve the user’s credentials along with the authentication token for the newly created session. The attacker will typically then use the harvested authentication token to connect to this session from their own device. Since the attacker’s proxy server and device are usually two separate machines in two separate places, tracking instances in which the same session ID is seen across disparate logon properties can be a good indicator that the user has been targeted in an AiTM attack.
For results that need further vetting, security teams can validate findings returned from these searches by looking for logon properties that are inconsistent with those typically seen for the user. Activity occurring outside of the user’s known work hours or through anonymized IP addresses (such as those associated with VPNs) should also be treated as suspicious. Many authentication vendors offer detection signatures that can be enabled to help flag activity that appears anomalous for the user or entails risky logon properties. These signatures can be useful starting points to hunt on or correlate threat activity.
Improper configurations or legacy systems and protocols that don’t support MFA open the door to attackers. Certain groups may inadvertently be excluded from MFA requirements as a result of policy misconfigurations. On the other hand, some legacy protocols like POP or IMAP don’t support MFA at all and may be leveraged by attackers to bypass this requirement.
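Two of the hunts described above, the same session ID appearing across disparate logon properties (the AiTM pattern) and logons through legacy protocols that cannot enforce MFA, as an added example that is not ReliaQuest's code or GreyMatter logic; the record fields, the client_app values and the sample sign-ins are constructed assumptions, not any vendor's schema:

```python
# Added example (not ReliaQuest code): two hunts over constructed sign-in records.
# Field names (session_id, ip, user_agent, client_app) are assumptions, not a vendor schema.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: alice's session S1 is reused from a second IP and browser
# (AiTM token replay); dave signs in over IMAP, which cannot present an MFA challenge.
SAMPLE_SIGNINS = """\
time,user,session_id,ip,user_agent,client_app,mfa
2023-11-30T08:00:00Z,alice,S1,203.0.113.10,Chrome/118 Windows,Browser,satisfied
2023-11-30T08:02:00Z,alice,S1,198.51.100.7,Firefox/119 Linux,Browser,satisfied
2023-11-30T08:30:00Z,bob,S2,203.0.113.11,Edge/118 Windows,Browser,satisfied
2023-11-30T08:45:00Z,bob,S2,203.0.113.11,Edge/118 Windows,Browser,satisfied
2023-11-30T09:00:00Z,dave,S3,192.0.2.55,Thunderbird/115,IMAP,not_required
"""

# Assumed client_app labels for protocols the page names as lacking MFA support.
LEGACY_APPS = {"IMAP", "POP"}


def load(text):
    """Parse the constructed CSV sign-in export into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def shared_sessions(records):
    """AiTM hunt: report every session_id seen with more than one source IP or
    user agent, since the proxy and the attacker's own device rarely match."""
    props = defaultdict(lambda: {"user": None, "ips": set(), "user_agents": set()})
    for r in records:
        p = props[r["session_id"]]
        p["user"] = r["user"]
        p["ips"].add(r["ip"])
        p["user_agents"].add(r["user_agent"])
    return {sid: {"user": p["user"], "ips": sorted(p["ips"]), "user_agents": sorted(p["user_agents"])}
            for sid, p in props.items()
            if len(p["ips"]) > 1 or len(p["user_agents"]) > 1}


def legacy_logons(records):
    """Legacy-protocol hunt: (user, client_app) for sign-ins that sidestep MFA."""
    return [(r["user"], r["client_app"]) for r in records if r["client_app"] in LEGACY_APPS]
```

Results from `shared_sessions` still need the vetting the text describes (work hours, known devices, anonymizing IP ranges) before they are treated as confirmed AiTM activity.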
Some MFA bypass attacks may be difficult to identify depending on the technique used and the logging available. If an organization has insufficient visibility levels, security teams can opt to hunt for related activity elsewhere in the attack lifecycle.
ReliaQuest frequently observes MFA bypass techniques primarily in two types of intrusion chains:
Regardless of the threat activity that security teams decide to hunt for, the priority should be to “hunt left”. One of the main objectives of threat hunting is to reduce the dwell time of threat actors within the environment. Imagining the attack lifecycle as a flow chart moving left to right (such as in figure 1 below), the principle of “hunting left” emphasizes identifying activity that is more likely to appear in the earlier stages of the attack lifecycle, such as initial access and persistence, which occur before the scope of the compromise becomes more serious and more difficult to contain and remediate.
When a Hunt Can Help
ReliaQuest’s hunting strategies can be used in combination with hardening and detection strategies to build an all-encompassing security program. MFA bypass is one prevalent initial-access technique, but many other techniques are worth building detections for to continually improve security operations. Relying on defense in depth in this way can help incident response efforts when other security controls fail.
Despite the various techniques that threat actors have developed to circumvent MFA, the situation is not hopeless for security teams. In addition to ensuring MFA is enabled wherever possible, organizations should rely on defense in depth to bolster their environment.
Implementing the following recommendations can help protect users and mitigate the risk of MFA bypass:
The ReliaQuest GreyMatter security operations platform provides threat hunting toolsets and prebuilt packages that can comb through your security tools, systems, and applications to identify threat activity hidden in your network — all from a single console. Using GreyMatter’s Investigate and Hunt modules, security teams are able to identify threat activity in real-time and proactively look for dwelling threats to reduce the risk that attack vectors like MFA bypass present to our clients.
Get a live demo of our security operations platform, GreyMatter, and learn how you can improve visibility, reduce complexity, and manage risk in your organization.