
Despite widespread adoption of multi-factor authentication (MFA) as a critical safeguard against unauthorized access, cybercriminals are once again one step ahead. According to a detailed report by Cisco Talos, threat actors are now bypassing MFA mechanisms using Adversary-in-the-Middle (AiTM) attacks—a tactic that exploits reverse proxies to intercept credentials and session cookies, enabling full account takeover.
“Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies,” the report explains.
The rise of Phishing-as-a-Service (PhaaS) toolkits allows even low-skill attackers to run campaigns with professional-level infrastructure.
Among the most dangerous:
- Tycoon 2FA
- Evilproxy
- Greatness
- Rockstar 2FA
- Mamba 2FA
“The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect,” the report warns.
These platforms often feature:
- Pre-built phishing templates for popular services
- Link access control and geofencing
- Anti-bot and anti-crawler logic
- Delayed lure activation to avoid email scanners
- Obfuscated JavaScript injection for cookie harvesting
AiTM phishing campaigns follow a distinct pattern:

- Victim receives a phishing link (e.g., to a fake login page).
- That link connects to a reverse proxy server, not a clone.
- Victim enters credentials, which are relayed to the legitimate site.
- The MFA prompt is passed to the victim as normal.
- Upon approval, the authentication cookie is intercepted.
- Attacker uses this cookie to hijack the session—MFA already passed.
“The attacker now possesses both the victim’s username/password as well as an authentication cookie from the legitimate site,” the report explains.
Tools like Evilginx, originally built for red-team testing, are now fueling many of these attacks. Though Evilginx is open source and legitimate in intent, it has been repurposed by malicious actors.
Cisco Talos notes several indicators of Evilginx-powered attacks:
- New or suspicious TLS certificates from Let’s Encrypt
- Session cookies used simultaneously from different IPs
- URL path anomalies from servers not matching legitimate services
- TLS fingerprint mismatches between proxies and real domains
“Unless the attacker is careful, for a time, there will be two different users with different User-Agents and IP addresses using the same session cookie.”
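One way to hunt for the shared-session indicator described above, as an added example that is not Cisco Talos's or Evilginx's code: it reads constructed JSON access-log records and flags any session cookie presented by more than one IP/User-Agent pair within a short time window. The field names `ts`, `session`, `ip`, `ua` and the 15-minute default window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per authenticated request, as a web
# app or reverse proxy might emit. All values are made up for this demo.
SAMPLE_LOG = """\
{"ts":"2025-05-01T09:00:05Z","session":"s1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2025-05-01T09:01:10Z","session":"s1","ip":"198.51.100.7","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2025-05-01T09:03:42Z","session":"s1","ip":"203.0.113.50","ua":"python-requests/2.31"}
{"ts":"2025-05-01T09:02:00Z","session":"s2","ip":"192.0.2.20","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2025-05-01T11:30:00Z","session":"s2","ip":"192.0.2.99","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""

def parse_line(line):
    """Parse one JSON log record and convert its timestamp (assumed UTC, 'Z')."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_shared_sessions(log_text, window=timedelta(minutes=15)):
    """Return {session: sorted [(ip, ua), ...]} for every session cookie that was
    presented by more than one (ip, user-agent) pair within `window` of each other.
    The window keeps ordinary roaming (a new IP hours later) from being flagged."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_session[rec["session"]].append(rec)
    flagged = {}
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # later records are even further away in time
                if (a["ip"], a["ua"]) != (b["ip"], b["ua"]):
                    flagged.setdefault(sid, set()).update(
                        {(a["ip"], a["ua"]), (b["ip"], b["ua"])})
    return {sid: sorted(pairs) for sid, pairs in flagged.items()}

if __name__ == "__main__":
    for sid, pairs in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used by {len(pairs)} distinct client identities:")
        for ip, ua in pairs:
            print(f"  {ip}  {ua}")
```

With the default window only `s1` is flagged (two clients within four minutes); widening the window to hours would also flag `s2`, which is the trade-off between catching slow replay and drowning in roaming noise.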
The report highlights WebAuthn, a passwordless authentication method using public-key cryptography, as a robust defense against AiTM threats.
“WebAuthn is essentially passwordless… No passwords are ever entered into a web form, and no passwords are transmitted over the internet.”
WebAuthn protects users in two key ways:
- Origin binding: credentials are tied to specific domains, breaking proxy-based phishing chains.
- No password entry: removes the opportunity for interception entirely.
Unfortunately, adoption remains low despite its strength. Cisco Talos’ telemetry data suggests WebAuthn still accounts for a very small portion of all MFA traffic.
Cisco Talos urges organizations to rethink their authentication strategy in light of these evolving threats:
- Implement phishing-resistant MFA like WebAuthn or hardware tokens
- Audit logs for signs of MFA bypass (e.g., new MFA devices or session reuse anomalies)
- Educate users on verifying URLs and recognizing AiTM lures
- Monitor newly registered domains mimicking internal portals