Technical Report

Date: 

MFA-Phishing as Initial Access in Red Teaming

1. General Information

Phishing is one of the largest cyber threats frequently used as an initial access vector by criminal groups (see T1566 - Phishing, MITRE ATT&CK Framework).

In classic phishing, an attacker creates a fake website that visually resembles a legitimate one. The attacker then sends a message written specifically for the phishing campaign, often applying pressure (urgency), together with a link to the malicious target page.

The victim is pushed by this pressure into visiting the fake website and entering their login credentials (username and password). The attacker can then use the intercepted credentials to gain access to email accounts or perimeter systems (e.g., firewalls or VPN gateways). Access to the affected person’s email account can in turn lead to the theft of personal data or trade secrets, which may be offered for sale on the dark web to other criminal actors. Common targets are users of cloud services such as Microsoft 365 or social media platforms. In particular, access to cloud infrastructure obtained by cybercriminals can serve as a gateway into the internal network.

As a protection against phishing attacks and password guessing (brute-force), Multi-Factor Authentication (MFA) has been developed, which has proven to be an effective safeguard. It requires, in addition to the standard login (using username and password), one or more verification factors to grant a person access to an online service. This makes it more difficult for an attacker to gain access to applications using stolen passwords since they still lack the additional factor.

Attackers have developed so-called “MFA phishing” to circumvent Multi-Factor Authentication. This technique focuses primarily on intercepting the session cookies that are issued after a successful login. Unlike classic session hijacking, the attacker can also read the username and password directly, and multiple session cookies can be extracted.

To carry out MFA phishing, cybercriminals use well-known open-source frameworks such as Evilginx or Modlishka.

Classic phishing, where a user clicks on a link in a phishing email and is redirected to a specifically crafted page, has been enhanced with a Man-in-the-Middle (MitM) technique. The affected person first connects to a transparent proxy server (a web server between a person and the target website), where the attacker eavesdrops on the communication.

As a result, cybercriminals can intercept sensitive information through the proxy server: all inputs (e.g., username or password) first arrive at the proxy server, encrypted under the TLS certificate the proxy presents. Because the encrypted channel is established between the person and the proxy server, the proxy, which holds the private key for that certificate, can decrypt all transmitted data. The data is then re-encrypted and forwarded to the actual target page.

The following figure illustrates the functionality of the transparent proxy server (Evilginx).

Figure 1: MFA phishing

The detailed procedure for MFA phishing is described as follows:

  1. The user clicks on the link from the phishing email and connects to the Evilginx server.
  2. The Evilginx server mimics the legitimate login page and presents it to the user. 
  3. The person enters their login details and sends them to the Evilginx server which then forwards them to the legitimate login page.
  4. The Evilginx server decrypts the communication and reads the login credentials.
  5. The Evilginx server encrypts the communication and forwards the intercepted data to the legitimate login page.
  6. The legitimate login page requests Multi-Factor Authentication via the Evilginx server to verify the person’s authenticity.
  7. The person sends the two-factor authentication code (e.g., an email token) to the Evilginx server, which then forwards it to the legitimate login page.
  8. The legitimate login page checks and confirms the person’s authenticity. It creates a session cookie and sends it via the Evilginx server to the person.
  9. The Evilginx server decrypts the communication and intercepts the session cookie.
  10. The Evilginx server encrypts the communication and sends the session cookie to the person.
  11. The attacker visits the legitimate website and imports the stolen session cookie into their local web browser. The website is then refreshed in the attacker’s browser and access is granted with the victim’s identity.

The following chapter presents the procedure of an MFA phishing attack using an example.

2. Demonstration of an MFA phishing attack by using “Nextcloud”

For illustration purposes, the open-source software Nextcloud was utilized, as it is used in many companies as a file-sharing solution. Additionally, Nextcloud offers a time-based one-time password (TOTP) as an MFA option, which requires an authentication application. It is important to mention that the MFA solution is typically disabled and Nextcloud recommends the use of passkeys.

The TOTP solution was used in this example for demonstration purposes to highlight the security risk. An evaluation of common MFA solutions will be presented in Chapter 3.

The following steps are required to carry out an MFA phishing attack:

2.1 Analysis of the target page

In the first step, the attacker analyzes the software-based login process of the target site. This involves gathering information about various login pages. Subsequently, the names of the cookies and their contents that are issued after the login process are examined.

Furthermore, the attacker examines the implemented security measures to ensure that there is no user account suspension triggered by the reuse of the stolen cookie.
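As an added illustration from the defender’s side (not part of the original report), the following Python sketch shows the kind of server-side check this step is looking for: each issued session cookie is bound to the network and browser it was issued to, and a cookie presented from a different context is revoked. All names, cookie values and addresses are constructed sample data.

```python
import ipaddress


class SessionStore:
    """Server-side session table that binds each issued cookie to the client
    context it was issued in and revokes it when that context changes."""

    def __init__(self):
        self.sessions = {}   # cookie value -> dict(user, net, ua)

    @staticmethod
    def _network(client_ip):
        # Compare on a prefix rather than the exact address to tolerate
        # ordinary address churn behind the same provider.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)

    def issue(self, cookie, user, client_ip, user_agent):
        self.sessions[cookie] = {"user": user, "net": self._network(client_ip),
                                 "ua": user_agent}

    def validate(self, cookie, client_ip, user_agent):
        """Return (accepted, reason). A cookie presented from a different network
        and a different browser than it was issued to is treated as replayed."""
        s = self.sessions.get(cookie)
        if s is None:
            return False, "unknown or revoked session"
        drift = []
        if ipaddress.ip_address(client_ip) not in s["net"]:
            drift.append("network changed")
        if user_agent != s["ua"]:
            drift.append("user-agent changed")
        if len(drift) == 2:
            del self.sessions[cookie]          # force a fresh MFA login
            return False, "session revoked: " + ", ".join(drift)
        return True, "ok" if not drift else "accepted with warning: " + drift[0]


def demo():
    store = SessionStore()
    cookie = "nc_session_id=constructed-value"   # constructed sample cookie
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"
    store.issue(cookie, "alice", "203.0.113.5", victim_ua)
    same_client = store.validate(cookie, "203.0.113.9", victim_ua)
    # The same cookie imported into another browser on another network.
    replay = store.validate(cookie, "198.51.100.7", "Mozilla/5.0 (X11; Linux) Chrome/123.0")
    after = store.validate(cookie, "203.0.113.5", victim_ua)
    return same_client, replay, after
```

A check like this is a signal, not a guarantee: the User-Agent string is trivially matched by whoever imports the cookie, and mobile or NAT address changes cause false positives, so it belongs in logging and alerting alongside phishing-resistant MFA rather than in place of it.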

Note: 

As this article is a description of these attacks and not a guide on how to execute them, we have decided not to provide a more detailed analysis.


2.2 Creating a Phishlet

Based on the information collected in Chapter 2.1, the attacker creates a so-called phishlet (configuration file for Evilginx), which contains all the essential information needed to carry out the phishing attack. This includes, for example, the name of the cookies, the target domain and all subpages where authentication and authorisation take place.

When creating the phishlet, configurations can also be implemented that are utilized by the proxy server to perform manipulations on the target site. For instance, adjustments to HTML or JavaScript elements can be made to activate a “Remember Me” function. This allows an attacker to maintain a session either permanently (persistent) or for an extended period.

Note: 

As this article is a description of these attacks and not a guide on how to execute them, we have decided not to show how such a phishlet is constructed.


2.3 Implementation of the MFA phishing attack

The criminal actor sends the phishing email to the target person, who opens the link and connects to the transparent proxy. The proxy forwards the request to the target server and displays the legitimate target page to the person.

A fake page can be recognized through the URL (see Figure 2) or by examining the certificate information. It is important to note that attackers also employ methods to manipulate the URL through a technique known as “URL rewriting”. As a result, the phishing URL in the address bar is overwritten with the legitimate address in the web browser, while the person remains on the phishing page. This significantly complicates detection efforts.

Figure 2: Comparison between fake (right) and original website (left)

Subsequently, the cybercriminal waits for the target person to perform the login process, during which the valid login credentials and the TOTP code for two-factor authentication are entered for verification purposes (see Figures 3 and 4).

Figure 3: Authorisation via Authenticator (User)

Figure 4: Login history in Evilginx

Figure 5: Intercepted session cookies in Evilginx

Once the target person has entered their login credentials and authentication is complete, the cybercriminal obtains the username, password and the relevant cookies (see Figure 5). The extracted cookies can then be imported into the local browser.

Figure 6: Import of the token in the attacker's local browser


Figure 7: Updating the browser session

Once the cookies have been imported into the browser and the webpage has been refreshed, the criminal actor has assumed the identity of the target person (see Figures 6 and 7). This allows files within the cloud to be manipulated and sensitive information such as trade secrets to be accessed.

3. Security Assessment

One of the most important questions is which types of multi-factor authentication exist and which of them are currently considered secure.

The following known MFA types exist:

  • Email or SMS tokens
  • FIDO2 security keys (YubiKey, Passkeys)
  • Time-based one-time password (TOTP)

MFA methods such as email or SMS tokens are considered insecure, as their technical implementation makes them particularly vulnerable to phishing. Email authentication is additionally susceptible to hijacking: if the email account itself is taken over (e.g., through password guessing (brute force) against an account without MFA), the authorisation code can be read and used.

FIDO2 security keys are currently regarded as secure (phishing-resistant) because they use passwordless authentication based on asymmetric cryptography combined with a challenge-response mechanism, so the private key is never disclosed during authentication. In addition, the browser binds each signature to the origin of the page that requested it, so a response produced on a proxy’s look-alike domain is not valid for the legitimate site. The key feature of a FIDO2 security key is that the private key is stored within the hardware token and cannot be copied or synchronised.

Passkeys serve as an extension of the FIDO2 security key, as they can be synchronized in the cloud and used on multiple devices and for passwordless authentication. Unlike the FIDO2 security key, the user must authenticate themselves to the online service using biometrics (e.g. face scan or fingerprint) via their smartphone to log in.
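To make the phishing resistance of FIDO2 and passkeys concrete, here is an added Python example (not from the original report) of the relying-party checks in the WebAuthn assertion flow that a transparent proxy cannot satisfy: the origin written into clientDataJSON by the browser and the RP ID hash written into authenticatorData by the authenticator. The relying-party domain, challenge and look-alike proxy domain are constructed sample values.

```python
import hashlib
import json

# Constructed sample relying party: legitimate origin and its RP ID.
EXPECTED_ORIGIN = "https://cloud.example.com"
RP_ID = "cloud.example.com"

def verify_assertion_context(client_data_json, authenticator_data, expected_challenge):
    """Relying-party checks from the WebAuthn assertion ceremony. The browser (not the
    page) writes 'origin' into clientDataJSON, and the authenticator hashes the RP ID
    into the first 32 bytes of authenticatorData; a proxy on another domain gets neither."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    if len(authenticator_data) < 37:          # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:     # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin, challenge):
    """Build clientDataJSON as a browser would for a page served from `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def make_auth_data(rp_id, flags=0x05, counter=1):
    """Build minimal authenticatorData: SHA-256(rpId) | flags | 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def demo():
    challenge = "constructed-challenge-42"
    legit = verify_assertion_context(make_client_data(EXPECTED_ORIGIN, challenge),
                                     make_auth_data(RP_ID), challenge)
    # Same user and authenticator, but the page came from a proxy on a look-alike domain.
    proxied = verify_assertion_context(
        make_client_data("https://cloud-example.login-check.net", challenge),
        make_auth_data("cloud-example.login-check.net"), challenge)
    return legit, proxied
```

The signature check over authenticatorData and the clientDataJSON hash is omitted here; in a real relying party it runs after these context checks, and the proxied assertion would already have been rejected.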

4. Important Note

It should be noted that no solution can guarantee complete security. Over time, attackers will develop new tactics that bypass current security solutions, which will then have to be replaced by new ones.

Do you need a comprehensive evaluation of your security mechanisms under realistic conditions?

Our expertise is at your disposal!

This article was written by