MFA Bypass in the News: How Abnormal Has Evolved to Stop These Novel Attacks

Unfortunately for all of us, there is an inverse security market out there. Cybercrime is no longer reserved for singular individuals hidden in a dark room, as well-resourced threat groups are operating more like businesses. They are making money not only from their own attacks, but also from selling their attack kits to others who can then use them to run successful attacks of their own.

In particular, threat groups like Robin Banks, EvilProxy, and W3LL are building and selling phishing-as-a-service kits designed to help attackers bypass multi-factor authentication (MFA) protocols—specifically using the tactic of stealing MFA tokens to hijack active authentication sessions. With this dark market, there is a lower barrier to entry for amateur threat actors who simply need to purchase a software license to begin circumventing MFA, which is often seen as a resilient, critical security baseline.

In the latter half of 2023, advisory firm Kroll noted an uptick in attacks resulting in unauthorized account access. Of those organizations that were breached, 90% had MFA in place. That makes one thing for certain: MFA is no longer enough to keep users safe. And once MFA is bypassed, it’s more vital than ever to immediately detect and disable impacted accounts.

Knowing that these attacks will only continue to increase both in volume and sophistication, what can be done to protect critical business platforms and applications from intrusion?

While many static security measures like enabling MFA are no less necessary than they have always been, they must be complemented with dynamic monitoring and analysis of user behaviors.

Attackers may be able to manipulate static access policies to gain entry, but in that process, they often expose themselves through unusual patterns of behavior. By detecting these traits and activities, Abnormal can correlate anomalous events to determine when compromise has occurred—even in the case of relatively nascent tactics like session hijacking. In doing so, Abnormal enables customers to detect when an email account is compromised—even when that compromise has occurred in a way that is typically extremely difficult to detect.

Let’s look at an example that we recently uncovered in a customer environment where the account was compromised via session hijacking. In the image below, we can see that there were three simultaneous sign-ins to this account with at least one of them using saved MFA credentials. The sign-ins came from an ISP, IP, and browser that the user had never used before, and the IP was unfamiliar to the organization overall.

It was also noted that a new device was registered with the MFA protocol, likely in an effort to establish persistence. By doing so, the attacker could then continue to access the account, even when the stolen MFA token expired. Combined, this provides enough signals to determine that this is a true instance of compromise rather than the normal behavior of a user with a new device.

Through the Abnormal platform, the customer was then able to quickly remediate by blocking access, signing out of active sessions, and resetting the account password—stopping the attacker before significant damage could be done.

This is one example in a series of recent MFA bypass attacks we have detected and remediated in customer environments, illustrating the prevalence of this tactic. As these attacks continue to grow in popularity, Abnormal continues to enhance detection efficacy by processing more signals uniquely available through an API architecture, such as MFA device registration and the use of cached credentials. As we process more signals of user behavior, we are also investing in presenting clear, descriptive and actionable activity timelines that make investigation and remediation faster and simpler for analysts.

As an AI-native platform, Abnormal utilizes a variety of machine learning models to determine when compromise has or has not occurred. First, a confidence score is assigned based on the number and severity of signals. A thorough analysis is then conducted into each event that triggered the creation of an Abnormal Case—and those events are labeled and enriched with insights into what made a given event anomalous.

But in the past, these confidence scores and granular behavioral insights (usage frequency for a particular browser, what the correlation is between multiple events in the timeline) were not wholly surfaced in the Abnormal Portal or within Abnormal Cases. Why? Because automatically detecting and remediating account compromise was the primary goal. But as customers integrate with SIEM and XDR solutions—such as the two-way integration made possible through our CrowdStrike partnership—it became apparent that the best way to serve our customers beyond quickly stopping threats was to also provide them with as much data as possible to help them effectively prioritize threats and execute their response playbooks. These insights are now available to all customers through Abnormal’s Account Takeover Protection solution.

Email accounts are a primary target for attackers that use sophisticated MFA bypass techniques; once attackers gain access to accounts, their next steps often involve sending lateral phishing emails to other employees or making configuration changes to cover their tracks.

Thanks to our unique API architecture, only Abnormal can ingest the tens of thousands of user activity signals required to detect account compromises that bypass legacy SEGs and API-based security vendors.

And considering the ramifications of a successful, undetected breach, augmenting access controls with behavioral detection and automated remediation is crucial—helping you protect more today while securing the future against tomorrow’s emerging threats.

Discover more about how Email Account Takeover Protection works and how it can detect MFA bypass techniques by scheduling a demo today.