By Anjali Gopinadhan Nair, CSO Magazine
Scary news: Hackers aren’t “breaking” your MFA anymore — they’re just riding shotgun during your login to steal the session token right out from under you.
Multi-factor authentication was supposed to be the solution. For years, security teams have told employees that MFA would keep them safe. Password stolen? No problem — attackers still need that second factor.
But adversary-in-the-middle (AiTM) phishing has changed everything. These attacks do not try to steal passwords and MFA codes separately. They capture the entire authentication flow in real time, including the session token that proves a user is logged in. The employee does everything right — checks for HTTPS, verifies the MFA prompt, avoids suspicious attachments — and still gets compromised.
This should concern every security leader. If our training, our MFA and our security awareness programs cannot protect someone who is genuinely trying to be careful, then what exactly are we promising when we tell users MFA will keep them safe?
Why this is not the phishing you trained for
Traditional phishing meant sloppy fake login pages with typos and dodgy URLs. Those pages could not handle MFA because they had no connection to the real authentication service.
Here is what changed, and I wish more security leaders understood this: modern phishing pages are not fake. They are proxies.
Tools like Evilginx sit between the user and the legitimate service — Microsoft, Google, Okta, whatever — and relay everything in real time. The employee types their password. It goes to Microsoft. Microsoft sends the MFA challenge. It flows back through the proxy to the employee’s phone. The employee approves it. The session cookie — that golden token proving authentication — passes right back through the proxy into the attacker’s hands.
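The relay described above leaves a trace a defender can look for: the identity provider sees the MFA step completed from the proxy's network rather than the employee's usual one, and the captured session token is then used from wherever the attacker operates, often within minutes. The Python below is an added example, not code from the article or from any vendor it names. It runs two detection heuristics over a constructed sign-in log; the field names, ASN values and the per-user baseline of known networks are all assumptions for illustration.

```python
"""Flag session-token misuse consistent with an AiTM (proxy) login.

Added example, not from the CSO article. Two heuristics over a
constructed identity-provider sign-in log:
  1. a session used from a different network (ASN) than the one that
     completed MFA, shortly after issuance ("token replay");
  2. MFA completed from a network the user has never signed in from
     (the proxy's hosting provider, not the user's office or ISP).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    event: str     # "mfa_completed" or "session_used" (assumed event names)
    src_ip: str
    asn: str       # assumed ASN enrichment of src_ip by the identity provider


# Constructed sample log: alice's MFA completes via a proxy on a cloud ASN
# she has never used, and the same session is used from yet another network
# minutes later. bob's login and later activity stay on his usual network.
SAMPLE_LOG = [
    SignInEvent(datetime(2024, 5, 1, 9, 0), "alice", "sess-1", "mfa_completed", "203.0.113.10", "AS64500"),
    SignInEvent(datetime(2024, 5, 1, 9, 4), "alice", "sess-1", "session_used", "198.51.100.7", "AS64501"),
    SignInEvent(datetime(2024, 5, 1, 9, 30), "bob", "sess-2", "mfa_completed", "192.0.2.44", "AS64496"),
    SignInEvent(datetime(2024, 5, 1, 9, 45), "bob", "sess-2", "session_used", "192.0.2.44", "AS64496"),
]

# Assumed per-user baseline: ASNs each user signed in from over the past 30 days.
KNOWN_ASNS = {"alice": {"AS64496"}, "bob": {"AS64496"}}


def detect_token_replay(events, window=timedelta(minutes=30)):
    """Return findings for sessions used from a different ASN than the one
    that completed MFA, within `window` of the MFA completion."""
    issued = {}    # session_id -> the mfa_completed event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event == "mfa_completed":
            issued[ev.session_id] = ev
        elif ev.event == "session_used":
            origin = issued.get(ev.session_id)
            if origin and origin.asn != ev.asn and ev.ts - origin.ts <= window:
                findings.append({
                    "rule": "token_replay",
                    "user": ev.user,
                    "session_id": ev.session_id,
                    "mfa_asn": origin.asn,
                    "use_asn": ev.asn,
                    "minutes_after_mfa": (ev.ts - origin.ts).total_seconds() / 60,
                })
    return findings


def detect_unfamiliar_mfa_origin(events, known_asns):
    """Return findings for MFA completions from an ASN absent from the
    user's baseline; with a proxy in the path, that is the proxy's network."""
    return [
        {
            "rule": "unfamiliar_mfa_origin",
            "user": ev.user,
            "session_id": ev.session_id,
            "asn": ev.asn,
        }
        for ev in events
        if ev.event == "mfa_completed" and ev.asn not in known_asns.get(ev.user, set())
    ]


def run_detections(events, known_asns):
    """Combine both heuristics; sessions hit by both are the strongest signal."""
    findings = detect_token_replay(events) + detect_unfamiliar_mfa_origin(events, known_asns)
    by_session = {}
    for f in findings:
        by_session.setdefault(f["session_id"], set()).add(f["rule"])
    return by_session


if __name__ == "__main__":
    for sid, rules in run_detections(SAMPLE_LOG, KNOWN_ASNS).items():
        print(f"{sid}: {', '.join(sorted(rules))}")
```

Neither heuristic proves an AiTM login on its own (VPN users change ASNs, and new networks are normal), which is why the combined view matters: a session that was both issued from a network the user has never used and then consumed from a third one, minutes later, is the pattern the proxy flow produces. The practical response is to revoke that session rather than the password, since the attacker holds the token, not the credential.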