How Deceptive Phishing Attacks Overcome MFA and EDR—and How to Resist

Attackers are increasingly using novel phishing toolkits (open-source, commercial, and criminal) to carry out adversary-in-the-middle (AitM) attacks.

AitM lets attackers not just harvest credentials but steal live sessions, which allows them to bypass conventional phishing defenses such as MFA, EDR, and email content filtering.

This article looks at what AitM phishing is, how it works, and what organizations need to do to detect and block these attacks.

What Is AitM Phishing?

AitM phishing is a technique that uses dedicated tooling to act as an intermediary between the target and the legitimate login portal of an application.

Because it proxies the real application, the page looks exactly as the user expects, since they really are logging into the genuine site, just with a brief detour through the attacker's machine. If they are logging into webmail, the user sees all of their real emails; if they are logging into cloud storage, all of their real files are there, and so on.

This gives AitM a high degree of credibility and makes the compromise far less conspicuous to the user. But because the attacker sits in the middle of the connection, they can observe every interaction and also hijack the authenticated session to take control of the user account.

Although this access is in theory temporary (the attacker cannot re-authenticate if prompted), in practice authenticated sessions can often stay alive for 30 days or more if kept active. Beyond that, a range of persistence techniques lets an attacker retain some level of access to the user account and/or the target application indefinitely.

How Do AitM Toolkits Work?

Let's look at the two main techniques used to implement AitM phishing: reverse web proxies (traditional AitM) and Browser-in-the-Middle (BitM).

Reverse web proxy:

This is arguably the most scalable and reliable approach from the attacker's perspective. When a victim visits the malicious domain, HTTP requests pass between the victim's browser and the legitimate site via the malicious site. On receiving an HTTP request, the malicious site forwards it to the legitimate site it is impersonating, obtains the response, and relays it back to the victim.

Open-source tools that implement this approach include Modlishka, Muraena, and the perennially popular Evilginx. In the criminal underground, comparable private toolsets are also available and have been used in numerous breaches.

BitM:

Rather than acting as a reverse web proxy, this technique tricks the target into remotely operating the attacker's own browser, using desktop screen-sharing and remote-control technologies such as VNC and RDP. This lets the attacker collect not only the username and password but every other secret and token associated with the login.

In this case the victim is not interacting with a cloned website or a proxy. They are unknowingly driving the attacker's browser remotely to sign in to the legitimate application. It is the equivalent of an attacker handing their laptop to the victim, asking them to sign in to Okta on their behalf, and then taking the laptop back. Thanks very much!

In practice, the most common way to implement this technique is with the open-source project noVNC, a JavaScript-based VNC client that lets VNC run in the browser. Probably the best-known offensive tool built on this approach is EvilnoVNC, which spins up Docker instances of VNC and proxies access to them while recording keystrokes and cookies to speed up account compromise.

If you want to learn more about SaaS-native attack techniques, see this blog post.

Phishing isn't new – what has changed?

Phishing is one of the oldest cyber security problems facing organizations, with some form of identity/phishing attack cited as the leading attack vector since at least 2013. Even so, both the capabilities of phishing tools and their role in how modern attacks play out have changed significantly.

As noted above, AitM toolkits primarily give attackers a way to bypass controls such as MFA in order to take over workforce identities, which in turn grants access to a broad range of business applications and services accessed over the web.

The reality is that we are now in a new era of cyber security, where identity is the new perimeter. This means identities are the easiest targets for attackers looking for a way into a potential victim.

The digital perimeter for organizations has shifted as business IT has moved away from centralized networks to web-based services and applications.

The fact that attackers are capitalizing on the improvement and commercialization of sophisticated phishing toolkits is a clear indicator of the opportunity that identity attacks present. The data bears this out:

  • 80% of present-day attacks involve identity and compromised credentials (CrowdStrike).
  • 79% of web application compromises were precipitated by breached credentials (Verizon).
  • 75% of incidents in 2023 lacked malware, and attacks demonstrating “cloud awareness” surged by 110% (CrowdStrike).

Looking at recent high-profile breaches shows how profitable it is for threat actors to exploit workforce credentials to get into web-based business applications. The Snowflake breach in particular stands out as one of the largest security incidents in history.

Threat actors now have many ways to cause significant damage with less effort than before. When targeting an application like Snowflake to exfiltrate data, for example, the attack chain is much shorter than in a conventional network-based attack. With the growing adoption of Single Sign-On (SSO) platforms such as Okta, a single compromised identity can quickly spread across applications and accounts, widening the blast radius. The margin for error shrinks considerably in identity-based attacks such as AitM phishing, so organizations cannot rely solely on endpoint and network controls to clean up after the fact.

In this landscape, attacks often never cross the traditional perimeter at all, because the data and functionality the attacker wants are available on the public internet. As a result there is a marked increase in attacks on Software as a Service (SaaS) applications, with the entire attack lifecycle completed outside the organization's network and without touching a conventional endpoint.

AitM phishing toolkits are in effect an identity-focused Command and Control (C2) framework. In the endpoint and network world, toolsets like Metasploit and Cobalt Strike have increasingly shifted toward post-exploitation and automation to support sophisticated compromises. The integration of Evilginx with GoPhish points to the same trend toward automation and orchestration of phishing campaigns.

Threat Actors Easily Evade Existing Defenses

Existing anti-phishing solutions have largely focused on protecting the email inbox, a common (though not the only) delivery vector, by blocking known malicious domains. The continued prevalence of phishing, however, shows that these methods have not worked, either historically or today.

The primary defense against phishing is to block known malicious URLs, IP addresses, and domain names ahead of time. That approach is limited by the fact that defenders must first observe and report the malicious components, typically after an attack has already happened. Defenders are therefore perpetually behind threat actors, and these reactive measures fall short.

Even once flagged, threat actors can easily obfuscate or change these elements:

  • Matching known malicious URLs in emails is defeated by how dynamic these components are in modern phishing campaigns. Each target may receive a different email with a unique link, often obfuscated with a URL shortener or embedded in a document, which defeats detection based on URL blocklists.
  • Monitoring user connections to IP addresses is circumvented by attackers quickly rotating new IPs onto their cloud-hosted servers.
  • If a domain is flagged as malicious, attackers quickly register new domains or hijack trusted ones, such as compromised WordPress servers. This has become the dominant approach as attackers buy domains years in advance, keeping a steady supply of reputable-looking domains. They are happy to spend small sums ($10-$20 per domain) given the potential illicit gains.
  • Dynamically adapting site content based on where the visitor comes from lets attackers evade detection tools and hide the final phishing destination.

For example, a recent analysis of the NakedPages phishing kit described nine separate techniques used to hide the phishing site and disguise its malicious behaviour:

  1. Using Cloudflare Workers to lend legitimacy to the site's domain.
  2. Using Cloudflare Turnstile to keep bots out.
  3. Requiring specific URL parameters and headers on HTTP(S) requests.
  4. Requiring JavaScript execution to defeat static analysis tools.
  5. Redirecting to legitimate domains on failure.
  6. Masking the HTTP referer header for anonymous redirection.
  7. Redirecting through a pool of URLs to keep malicious links alive.
  8. Evading simple login page signatures.
  9. Targeting only Microsoft work accounts, not personal ones.

A new approach is therefore needed to detect AitM phishing quickly, before the victim is compromised.

Strengthening Detections with the Pyramid of Pain

How can defenses be strengthened so that phishing attempts are identified and blocked on first contact?

The key is to find indicators that are hard for threat actors to change. Security practitioners have long used the Pyramid of Pain as a framework for identifying such durable indicators.

Original Pyramid of Pain model, created by David Bianco.

To move up the Pyramid toward its apex, focus on detecting progressively more generic aspects of an attack technique. Don't fixate on the code structure of specific malware or where it calls back to. Instead, look at what the malware does or the outcomes it produces; these are more generic and therefore more valuable to defenders.

The move from static code signatures and fuzzy hashes to dynamic assessment of code behaviour on live systems is what let Endpoint Detection and Response (EDR) make antivirus obsolete a decade ago. That shift illustrates the value of moving detection up the pyramid.

A good starting point is to look at the essential prerequisites for a successful phishing attack:

  • Stage 1: The victim must be lured to a website.
  • Stage 2: The website must deceive or persuade the user into believing it is genuine and trustworthy, for example by replicating a legitimate site.
  • Stage 3: The user must enter their real credentials into that website.

We have already seen that detections based on the first two stages are easy for attackers to circumvent by changing those indicators.

For a phishing attack to succeed, the target has to enter their real credentials into the site. So if you stop the user from entering their real password, the attack cannot proceed.

So how do you stop users from entering a password into a phishing site?

Using browser-based security controls

To build controls that can effectively counter attackers, a new platform for detection and control enforcement is needed – something like EDR for identities.

There are obvious reasons why the browser is the prime candidate for this. In many respects the browser is the modern OS and the main platform for daily work: the access point to the web-based applications and services that employees use every day and that the business depends on.

From a technical standpoint, the browser is a better option than other sources of identity data:

The browser presents a significant advantage over other sources of identity attack data.

In the browser you can interact dynamically with the DOM, i.e. the rendered web application, including its JavaScript. That makes it easy to identify fields such as username and password inputs. You can see what the user types and where, without needing to understand how the data is encoded and sent back to the application. These are fairly standard fields that can be recognized across your whole range of applications without elaborate custom code, which makes the browser an ideal vantage point for building detections around the act of entering a password.

The browser also has the added advantage of being a native control point. You can collect and evaluate data dynamically and respond immediately, rather than extracting data, analysing it, and coming back with a detection minutes or hours later (possibly requiring manual intervention).

It is therefore entirely feasible to intercept the user at the critical moment, i.e. when a password is entered into a field on a phishing site, and stop the attack before it happens.
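As an added illustration of this kind of control (example code, not Push Security's or the article's own), here is a minimal browser-side guard that blocks password entry on any page whose origin is not a known login origin. It assumes a constructed allow-list (`ALLOWED_LOGIN_ORIGINS`, with a placeholder Okta tenant) and a hypothetical `onBlock` reporting callback.

```javascript
// Added example (not Push Security's or the article's code): a minimal
// browser-side guard that blocks password entry on any page whose origin is
// not a known login page. ALLOWED_LOGIN_ORIGINS is a constructed allow-list.

const ALLOWED_LOGIN_ORIGINS = new Set([
  'https://login.microsoftonline.com',
  'https://example-tenant.okta.com', // placeholder tenant, constructed
]);

// Origin (scheme://host[:port]) of an absolute http(s) URL, else null.
// Comparing whole origins rather than substrings is what defeats lookalike
// hosts such as login.microsoftonline.com.evil.example.
function pageOrigin(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

// 'allow' on a known login origin, 'block' everywhere else (including
// plain-http copies of a known host and unparsable URLs).
function classifyPasswordEntry(url, allowed = ALLOWED_LOGIN_ORIGINS) {
  const origin = pageOrigin(url);
  return origin !== null && allowed.has(origin) ? 'allow' : 'block';
}

// Attach the guard to every password input in `doc`. `onBlock` is a
// hypothetical reporting callback. Returns the number of fields guarded.
function attachPasswordGuard(doc, url, onBlock) {
  const fields = doc.querySelectorAll('input[type="password"]');
  for (const field of fields) {
    field.addEventListener('input', () => {
      if (classifyPasswordEntry(url) === 'block') {
        field.value = '';      // discard what was typed so far
        field.disabled = true; // stop further entry into this field
        onBlock(url);
      }
    });
  }
  return fields.length;
}

// In a real browser or extension content script, arm the guard on load.
if (typeof document !== 'undefined') {
  attachPasswordGuard(document, location.href,
    (u) => console.warn('password entry blocked on', u));
}
```

In a BitM attack the victim types into a remote-desktop canvas rendered by noVNC rather than into a local password field, so a DOM-level guard like this one does not see those keystrokes and only covers the reverse-proxy case.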

Bringing detection and response capabilities into the browser to counter identity attacks is therefore a major advantage for security teams. There are clear parallels with the evolution of EDR, which arose from the inadequacy of existing endpoint log sources and controls. Today it is unthinkable to detect and respond to endpoint attacks without EDR; it is time to think about identity attacks and the browser in the same way.

For more on how browser-based controls can stop identity attacks, read this blog post.

Watch the video below for a demonstration of the Evilginx and EvilnoVNC phishing toolkits in action, and how browser-based security controls can detect and block them before the phishing attempt completes.

If you want to dig deeper into identity attacks and how to stop them, check out Push Security – you can try their browser-based agent for free.

