Multi-factor authentication, or MFA, has long been a cornerstone of identity and access management. By requiring users to supplement conventional username/password combinations with additional authentication factors — from fingerprints to one-time passcodes to hard keys — organizations can better protect their networks and data from attacks that make use of stolen credentials.
However, attackers are finding new ways to circumvent MFA. Microsoft recently detected a phishing campaign that targeted over 10,000 organizations using on-path attack techniques. Attackers used reverse-proxy sites to simulate a fraudulent Microsoft 365 login page, from which they could intercept users’ passwords and session cookies — allowing them to bypass MFA measures and gain access to numerous email accounts.
Once attackers breached legitimate user accounts, they created inbox rules that allowed them to carry out targeted business email compromise (BEC) attacks on unsuspecting contacts and maintain access to the accounts, even if users later changed their passwords.
This attack raised alarm bells for organizations that had MFA in place. After all, MFA measures are designed to verify user identity, helping prove that employees, contractors, vendors, and other authorized parties are who they say they are before granting access to sensitive information and systems. When attackers can successfully impersonate legitimate users, the door is wide open.
But MFA isn’t the weak link — nor should organizations ditch it for less robust identity and access management methods. Rather, protecting users and data from advanced cyber attacks requires a comprehensive Zero Trust security strategy, one that uses strong authentication measures to continuously verify and monitor all accounts, applications, and endpoints on a corporate network.
On-path attacks aren’t the only approach attackers have used recently to compromise MFA. The FBI and CISA reported a Russian cyber attack that used a brute force password attack to gain access to an inactive account at a non-governmental organization. Once the attacker gained entry to the account, they used a vulnerability called “PrintNightmare” to run code that gave them system privileges and bypassed standard MFA controls.
In other circumstances, MFA has been compromised due to human error. After Syracuse University implemented MFA on their internal email systems, attackers tried spamming students and staff with an attack called “MFA fatigue.” Attackers used phishing and other methods to gain access to email credentials, then sent multiple MFA requests to user devices in the hope that the user would be too annoyed by the requests to deny them. Once a user approved an authorization request (even if just to silence their phone), the attacker gained further access to university resources and accounts.
Although attackers continue to find new ways of compromising MFA, this doesn’t signal a weakness in MFA protocols themselves. On the contrary: according to Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, using MFA may prevent up to 90% of cyber attack attempts. It’s important to remember that cyber attacks are complex, attackers aren’t simply targeting MFA to breach accounts but rather, as part of a chain of attacks, which may also involve phishing, malware, brute force password guessing, unpatched vulnerability exploits, stolen credentials, or a combination of other tactics.
Relying on any single security tactic won’t protect an organization from increasingly sophisticated attacks. Just as attackers rely on multiple tactics to access sensitive accounts, organizations need a multi-pronged security strategy to protect their users and data.
Zero Trust is a foundational principle of modern cyber security that inherently distrusts any user attempting to gain access to an organization’s resources. This makes it more difficult for attackers — whether they exist outside or inside an organization — to breach a network or account.
In practice, a Zero Trust platform enables organizations to secure their networks via multiple methods, including the following:
Multi-factor authentication: MFA may be implemented using one-time passcodes, push notifications, user biometrics (e.g. fingerprint or facial recognition), security keys, or other methods to verify user and device identity
Continuous monitoring and validation: Users and devices must be reauthenticated continuously, making it difficult for attackers to gain consistent access to a network — even if they are using stolen credentials
Least-privilege access: Users are only given access to the resources they need to use, rather than access to the entire network
Device access control: Devices that connect to the network must be authorized and monitored for signs of suspicious activity
Lateral movement prevention: Microsegmentation helps prevent lateral movement by restricting access to specific areas of the network
With a Zero Trust strategy, MFA-based attacks are far less likely to succeed. Even if an attacker manages to access a user account, they will not be given unfettered access to the entire network, nor will they be able to move laterally without continuously reauthenticating user and device identity.
Cloudflare Zero Trust helps protect corporate networks and users from sophisticated cyber attacks, even those that attempt to exploit MFA measures. Cloudflare’s consolidated Zero Trust platform makes it simple for organizations to enforce consistent least-privilege access controls across cloud, on-premise, and SaaS applications — preventing attackers from breaching sensitive systems and data and moving laterally within organizations.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
How attackers use phishing tactics to circumvent MFA
How MFA compromise opens the door to data theft and other attacks
Key strategies to prevent MFA exploitation
MFA is a crucial part of a robust identity and access management strategy. To discover how MFA fits into a broader Zero Trust security model, get the solution brief, How strong authentication helps stop phishing attacks.