Threat Actors Bypass MFA Using AiTM Attack via Reverse Proxies

May 2, 2025 - 17:05

Multi-factor authentication (MFA) has long been touted as a robust security measure against phishing attacks, but sophisticated threat actors have developed new techniques to circumvent these protections.

A concerning trend has emerged where cybercriminals are successfully bypassing MFA through adversary-in-the-middle (AiTM) attacks implemented via reverse proxies, effectively rendering traditional MFA solutions vulnerable.

These attacks represent a significant evolution in phishing tactics.

Rather than simply creating fake landing pages to harvest credentials, attackers now position themselves between victims and legitimate websites, intercepting both login credentials and the authentication cookies generated after successful MFA completion.

This sophisticated approach allows attackers to gain full access to protected accounts despite the presence of MFA security measures.

Cisco Talos researchers identified that the proliferation of Phishing-as-a-Service (PhaaS) toolkits has significantly lowered the technical barrier for executing these attacks.

Products such as Tycoon 2FA, Rockstar 2FA, and Evilproxy provide turnkey solutions that enable even technically unsophisticated threat actors to conduct complex MFA bypass operations with minimal effort or understanding of the underlying mechanisms.

The impact of these attacks extends across organizations of all sizes, with particular vulnerability among those who have implemented traditional push-notification or code-based MFA systems.

Once compromised, attackers often establish persistence by adding their own MFA devices to victims’ accounts, maintaining long-term access even if the original credentials are changed.

How AiTM Reverse Proxy Attacks Work

The technical implementation of an AiTM attack follows a specific sequence that exploits the authentication workflow.

When a victim receives a phishing email and clicks on a malicious link, they’re directed to the attacker’s reverse proxy server rather than the legitimate site.

MFA bypass using a reverse proxy (Source – Cisco Talos)

The proxy then forwards the connection to the actual website, creating a seemingly authentic experience for the victim.

# Example Evilginx configuration snippet
phishlets:
  microsoft:
    hostname: login.microsoft.com
    path: "/common/oauth2/authorize"
    redirect_url: "https://office.com/"
    credentials:
      username:
        field: "login"
        search: "name='loginfmt'"
      password:
        field: "password"
        search: "name='passwd'"

The attack proceeds through several phases: first, the victim submits their username and password, which the attacker captures as it passes through the reverse proxy.

The attacker then relays these credentials to the legitimate site, triggering a genuine MFA request to the victim. Upon approval, the legitimate site sends an authentication cookie back through the attacker’s proxy where it’s intercepted.

The attacker now possesses both the login credentials and a valid authentication token, effectively bypassing the MFA protection.
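The sequence above leaves two traces in the legitimate site's own sign-in telemetry: the request that completes MFA arrives from the proxy's address rather than the victim's usual one, and the intercepted cookie is later presented from a client that is not the one that completed MFA. The following detection logic, an added example that is not code from the article or from Cisco Talos, runs both checks over a handful of constructed sign-in events; the event schema, field names, IP baseline and every log line are assumptions made for illustration.

```python
"""Detecting AiTM session-cookie replay in sign-in telemetry.

Added example, not code from the article or from Cisco Talos. The event
schema, the user IP baseline and every log line below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignInEvent:
    ts: int           # seconds since epoch (constructed)
    user: str
    kind: str         # "mfa_success": MFA completed; "session_use": auth cookie presented
    session_id: str   # identifier derived from the auth cookie (e.g. a hash of it)
    ip: str
    user_agent: str


# Constructed telemetry. In the AiTM flow the real site sees the MFA-completing
# request arrive from the proxy (203.0.113.9), not from bob's own address, and the
# stolen cookie is later presented from a third host with a different client string.
SAMPLE_EVENTS = [
    SignInEvent(1000, "alice", "mfa_success", "sess-A", "198.51.100.20", "Firefox/126"),
    SignInEvent(1300, "alice", "session_use", "sess-A", "198.51.100.20", "Firefox/126"),
    SignInEvent(2000, "bob",   "mfa_success", "sess-B", "203.0.113.9",   "Chrome/124"),
    SignInEvent(2040, "bob",   "session_use", "sess-B", "203.0.113.9",   "Chrome/124"),
    SignInEvent(2600, "bob",   "session_use", "sess-B", "192.0.2.77",    "curl/8.0"),
    SignInEvent(9000, "carol", "session_use", "sess-C", "198.51.100.5",  "Safari/17"),
]

# Constructed per-user baseline of addresses seen in earlier, uncontested sign-ins.
USER_IP_BASELINE = {
    "alice": {"198.51.100.20"},
    "bob": {"198.51.100.21"},
    "carol": {"198.51.100.5"},
}


def find_cookie_replay(events, window_seconds=24 * 3600):
    """Return (user, session_id, reason) for cookies presented from a client other
    than the one that completed MFA for that session ("client_mismatch"), or with
    no recorded MFA completion at all ("no_mfa_origin")."""
    mfa_origin = {}  # session_id -> event that completed MFA
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_success":
            mfa_origin[e.session_id] = e
        elif e.kind == "session_use":
            origin = mfa_origin.get(e.session_id)
            if origin is None:
                alerts.append((e.user, e.session_id, "no_mfa_origin"))
            elif e.ts - origin.ts <= window_seconds and (
                e.ip != origin.ip or e.user_agent != origin.user_agent
            ):
                alerts.append((e.user, e.session_id, "client_mismatch"))
    return alerts


def find_unfamiliar_mfa(events, baseline):
    """Return (user, session_id, reason) for MFA completions from an address outside
    the user's baseline: in an AiTM flow that address is the proxy's, not the victim's."""
    return [
        (e.user, e.session_id, "mfa_from_unfamiliar_ip")
        for e in events
        if e.kind == "mfa_success" and e.ip not in baseline.get(e.user, set())
    ]


if __name__ == "__main__":
    for alert in find_unfamiliar_mfa(SAMPLE_EVENTS, USER_IP_BASELINE) + find_cookie_replay(SAMPLE_EVENTS):
        print(alert)
```

Both heuristics have benign triggers (a laptop moving from office Wi-Fi to a mobile network changes the address, a browser update changes the client string), so they are signals to correlate rather than verdicts on their own. Because the article notes that attackers add their own MFA device once inside the account, a new-MFA-method registration shortly after one of these alerts is the combination most worth paging on, and the session that produced it is the one to revoke.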

Security experts recommend that organizations evaluate WebAuthn as an alternative MFA solution.

This approach uses public key cryptography and binds credentials to specific website origins, making it resistant to these proxy-based interception techniques.
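Origin binding defeats the relay because the browser, not the page, records the origin in the signed client data and refuses to use a credential whose RP ID does not match the page's host, and because the relying party checks both that origin and the RP ID hash before accepting the signature. The model below is an added example, not code from the article, from Cisco Talos or from any WebAuthn library; it walks a constructed relying party, browser and authenticator through a legitimate sign-in and through what happens when the same request is made from a proxied look-alike page. The HMAC stands in for the real public-key signature, and every domain, key and challenge is a constructed assumption.

```python
"""WebAuthn origin binding versus an AiTM reverse proxy (added example, not
from the article or Cisco Talos; HMAC stands in for the real public-key
signature; every domain, key and challenge below is constructed)."""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256(data):
    return hashlib.sha256(data).digest()


def client_data_json(origin, challenge):
    # The browser, not the page, writes the origin into clientDataJSON.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


class Authenticator:
    """Credentials are scoped to exactly one RP ID; rpIdHash is part of the signed data."""

    def __init__(self):
        self.creds = {}  # credential_id -> (rp_id, key)

    def make_credential(self, rp_id):
        cred_id = os.urandom(8)
        self.creds[cred_id] = (rp_id, os.urandom(32))
        return cred_id

    def get_assertion(self, rp_id, client_data):
        for cred_id, (scoped_rp, key) in self.creds.items():
            if scoped_rp == rp_id:
                auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
                sig = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
                return {"credential_id": cred_id, "client_data": client_data,
                        "authenticator_data": auth_data, "signature": sig}
        raise LookupError(f"no credential scoped to rpId {rp_id!r}")


def browser_get(auth, page_origin, rp_id, challenge):
    """navigator.credentials.get(): refuses an rpId that is not a registrable suffix of the page host."""
    host = urlsplit(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not a suffix of {host!r}")
    return auth.get_assertion(rp_id, client_data_json(page_origin, challenge))


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.keys = rp_id, origin, {}

    def register(self, auth):
        cred_id = auth.make_credential(self.rp_id)
        self.keys[cred_id] = auth.creds[cred_id][1]  # stands in for the stored public key

    def verify(self, assertion, challenge):
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
            return "challenge mismatch"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        ad = assertion["authenticator_data"]
        if ad[:32] != sha256(self.rp_id.encode()):
            return "rpIdHash mismatch"
        key = self.keys.get(assertion["credential_id"])
        if key is None:
            return "unknown credential"
        expected = hmac.new(key, ad + sha256(assertion["client_data"]), hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected, assertion["signature"]) else "bad signature"


def run_scenarios():
    rp = RelyingParty("login.example.com", "https://login.example.com")
    auth = Authenticator()
    rp.register(auth)
    phish, challenge, out = "https://login.example.com.attacker.invalid", os.urandom(32), {}
    out["legit"] = rp.verify(browser_get(auth, rp.origin, rp.rp_id, challenge), challenge)
    try:  # proxied page asks for the real rpId: the browser refuses before the authenticator is asked
        browser_get(auth, phish, rp.rp_id, challenge)
        out["proxy_real_rpid"] = "assertion released"
    except PermissionError:
        out["proxy_real_rpid"] = "browser refused"
    try:  # proxied page asks for its own rpId: no credential is scoped to it
        browser_get(auth, phish, "attacker.invalid", challenge)
        out["proxy_own_rpid"] = "assertion released"
    except LookupError:
        out["proxy_own_rpid"] = "no credential"
    # Suppose a flawed client released an assertion anyway: the RP rejects the recorded
    # origin, and rewriting clientDataJSON in transit invalidates the signature.
    leaked = auth.get_assertion(rp.rp_id, client_data_json(phish, challenge))
    out["leaked_origin"] = rp.verify(leaked, challenge)
    out["rewritten_origin"] = rp.verify(dict(leaked, client_data=client_data_json(rp.origin, challenge)), challenge)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:17s} -> {result}")
```

The point the scenarios make is that the proxy never gets an assertion it can forward: the request fails in the browser, and even a hypothetically leaked assertion carries the wrong origin and cannot be edited without breaking the signature. None of this applies to the password or OTP the user typed, which the proxy still sees, so the protection only holds for accounts where the WebAuthn credential is the factor actually required and the weaker methods are not left enabled as fallbacks.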

The post Threat Actors Bypass MFA Using AiTM Attack via Reverse Proxies appeared first on Cyber Security News.