MFA Bypass in the News: How Abnormal Has Evolved to Stop These Novel Attacks

As attackers learn how to bypass MFA, detecting and remediating compromised accounts is more important than ever. Here’s how Abnormal does it.
December 21, 2023

Unfortunately for all of us, there is an inverse security market out there. Cybercrime is no longer reserved for singular individuals hidden in a dark room, as well-resourced threat groups are operating more like businesses. They are making money not only from their own attacks, but also from selling their attack kits to others who can then use them to run successful attacks of their own.

In particular, threat groups like Robin Banks, EvilProxy, and W3LL are building and selling phishing-as-a-service kits designed to help attackers bypass multi-factor authentication (MFA) protocols—specifically using the tactic of stealing MFA tokens to hijack active authentication sessions. With this dark market, there is a lower barrier to entry for amateur threat actors who simply need to purchase a software license to begin circumventing MFA, which is often seen as a resilient, critical security baseline.

In the latter half of 2023, advisory firm Kroll noted an uptick in attacks resulting in unauthorized account access. Of those organizations that were breached, 90% had MFA in place. That makes one thing for certain: MFA is no longer enough to keep users safe. And once MFA is bypassed, it’s more vital than ever to immediately detect and disable impacted accounts.

Knowing that these attacks will only continue to increase both in volume and sophistication, what can be done to protect critical business platforms and applications from intrusion?

Attackers Compromise Accounts Through Bypassing MFA Techniques

While many static security measures like enabling MFA are no less necessary than they have always been, they must be complemented with dynamic monitoring and analysis of user behaviors.

Attackers may be able to manipulate static access policies to gain entry, but in that process, they often expose themselves through unusual patterns of behavior. By detecting these traits and activities, Abnormal can correlate anomalous events to determine when compromise has occurred—even in the case of relatively nascent tactics like session hijacking. In doing so, Abnormal enables customers to detect when an email account is compromised—even when that compromise has occurred in a way that is typically extremely difficult to detect.

Let’s look at an example that we recently uncovered in a customer environment where the account was compromised via session hijacking. In the image below, we can see that there were three simultaneous sign-ins to this account with at least one of them using saved MFA credentials. The sign-ins came from an ISP, IP, and browser that the user had never used before, and the IP was unfamiliar to the organization overall.


It was also noted that a new device was registered with the MFA protocol, likely in an effort to establish persistence. By doing so, the attacker could then continue to access the account, even when the stolen MFA token expired. Combined, this provides enough signals to determine that this is a true instance of compromise rather than the normal behavior of a user with a new device.


Through the Abnormal platform, the customer was then able to quickly remediate by blocking access, signing out of active sessions, and resetting the account password—stopping the attacker before significant damage could be done.

Know Your Users to Know Your Risk: New Insights Available

This is one example in a series of recent MFA bypass attacks we have detected and remediated in customer environments, illustrating the prevalence of this tactic. As these attacks continue to grow in popularity, Abnormal continues to enhance detection efficacy by processing more signals uniquely available through an API architecture, such as MFA device registration and the use of cached credentials. As we process more signals of user behavior, we are also investing in presenting clear, descriptive and actionable activity timelines that make investigation and remediation faster and simpler for analysts.

As an AI-native platform, Abnormal utilizes a variety of machine learning models to determine when compromise has or has not occurred. First, a confidence score is assigned based on the number and severity of signals. A thorough analysis is then conducted into each event that triggered the creation of an Abnormal Case—and those events are labeled and enriched with insights into what made a given event anomalous.

But in the past, these confidence scores and granular behavioral insights (usage frequency for a particular browser, what the correlation is between multiple events in the timeline) were not wholly surfaced in the Abnormal Portal or within Abnormal Cases. Why? Because automatically detecting and remediating account compromise was the primary goal. But as customers integrate with SIEM and XDR solutions—such as the two-way integration made possible through our CrowdStrike partnership—it became apparent that the best way to serve our customers beyond quickly stopping threats was to also provide them with as much data as possible to help them effectively prioritize threats and execute their response playbooks. These insights are now available to all customers through Abnormal’s Account Takeover Protection solution.

Why Abnormal

Email accounts are a primary target for attackers that use sophisticated MFA bypass techniques; once attackers gain access to accounts, their next steps often involve sending lateral phishing emails to other employees or making configuration changes to cover their tracks.

Thanks to our unique API architecture, only Abnormal can ingest the tens of thousands of user activity signals required to detect account compromises that bypass legacy SEGs and API-based security vendors.

And considering the ramifications of a successful, undetected breach, augmenting access controls with behavioral detection and automated remediation is crucial—helping you protect more today while securing the future against tomorrow’s emerging threats.

Discover more about how Email Account Takeover Protection works and how it can detect MFA bypass techniques by scheduling a demo today.

Schedule a Demo
MFA Bypass in the News: How Abnormal Has Evolved to Stop These Novel Attacks

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 MKT477 Energy Infrastructure Data Blog
Energy and infrastructure organizations face an increased risk of business email compromise and vendor email compromise attacks. Learn more.
Read More
B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More