
Cyber Resilience – Don’t Get Hooked, Phishing Can Still Bypass MFA

Created: Thursday, August 15, 2024 - 13:30
Categories: Cybersecurity, Security Preparedness

Develop a viable defense and threat actors will inevitably find a way to bypass it. That’s the endless game of cat-and-mouse, especially in the cybersecurity world. A historical example was the old advice to ‘never open an email from someone you don’t know,’ so threat actors now expertly purport to be, or impersonate, someone (or something, as in the case of a well-known brand) we do know. A more recent example concerns multifactor authentication (MFA). The necessary push for greater implementation of MFA has been met with equal fervor from cyber actors seeking to bypass the security it provides. With MFA bypass now a frequent occurrence, and given threat actors’ propensity to abuse the world’s most used platforms, it’s crucial for members to be aware of the different techniques being observed, to know how to best protect against them, and to share the latest campaigns with end users through security awareness.

Abnormal Security, a pioneer in AI-driven human behavior security, has just published its H2 2024 Email Threat Report. The report highlights the increasing danger of phishing attacks, specifically file-sharing phishing attacks, in which attackers leverage well-known file-hosting and e-signature services (Dropbox, Google Docs, DocuSign, etc.) to deceive their victims into disclosing sensitive information or inadvertently downloading malware. From June 2023 to June 2024, the volume of file-sharing phishing attacks increased by over 350%, highlighting the continued popularity and shifting nature of email attacks despite the use of MFA.

The report's section titled "Real-World Example of a File-Sharing Phishing Attack" outlines a clear step-by-step process demonstrating how threat actors carry out these attacks, specifically how they bypass MFA. WaterISAC reminds members of CISA's recommendations for adopting phishing-resistant MFA and advises the review of the considerations provided below.

MFA Bypass Defenses for Consideration

To reduce the risk and protect your utility and users from succumbing to MFA bypass, consider the following in your MFA implementation:

  • Train it. Include MFA bypass themes, like the ones highlighted in this post, in simulated phishing exercises and awareness education and discussions.
  • Configure it. Ensure MFA settings are properly configured to protect against things like "fail open," re-enrollment, or initial device enrollment scenarios.
  • Randomize it. Make sure user session identifiers are unique and randomly generated.
  • Expire it. Set the timeout before MFA is required again to the minimum acceptable timeframe (preferably at each login) so a threat actor cannot maintain persistence with a stolen session token.
  • Force it. If a user reports repeated unauthorized MFA push notifications, immediately force a password reset.
  • Harden it. Implement a FIDO2-compliant (phishing-resistant) security key for multi-factor authentication.
  • Fake it. Encourage users to never use real answers in response to recovery questions (and use a password manager to securely store those fake answers).
  • Disable it. Disable inactive accounts uniformly in Active Directory, MFA, etc. so they cannot be leveraged to re-enroll in MFA.
  • Monitor it. Monitor network logs continuously for suspicious activity.
  • Alert it. Implement appropriate security policies to alert on things like impossible logins.
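The "Force it," "Monitor it" and "Alert it" considerations above both come down to spotting two signals in authentication logs: a burst of denied MFA push notifications for one user (push fatigue) and successive logins whose locations could not be reached in the time between them. The following is an added illustration, not code from WaterISAC or Abnormal Security; the log format, the coordinates, the 3-pushes-in-5-minutes threshold and the 900 km/h travel limit are all constructed assumptions to be tuned to your own identity provider's logs.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication log (illustrative, not real utility data):
# (user, ISO timestamp, event, result, latitude, longitude of the source IP)
SAMPLE_LOG = [
    ("alice", "2024-08-15T13:00:05", "mfa_push", "denied",   38.90,  -77.04),
    ("alice", "2024-08-15T13:00:40", "mfa_push", "denied",   38.90,  -77.04),
    ("alice", "2024-08-15T13:01:10", "mfa_push", "denied",   38.90,  -77.04),
    ("bob",   "2024-08-15T13:05:00", "login",    "success",  40.71,  -74.01),
    ("bob",   "2024-08-15T13:35:00", "login",    "success",  51.51,   -0.13),
    ("carol", "2024-08-15T09:00:00", "login",    "success",  41.88,  -87.63),
    ("carol", "2024-08-15T17:00:00", "login",    "success",  34.05, -118.24),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def push_fatigue(events, threshold=3, window_s=300):
    """Users with >= threshold denied MFA pushes inside a sliding window (assumed thresholds)."""
    recent, flagged = {}, set()
    for user, ts, event, result, _, _ in events:
        if event != "mfa_push" or result != "denied":
            continue
        # Keep only denials still inside the window, then add this one.
        q = recent[user] = [t for t in recent.get(user, []) if (ts - t).total_seconds() <= window_s] + [ts]
        if len(q) >= threshold:
            flagged.add(user)
    return flagged

def impossible_travel(events, max_kmh=900.0):
    """Users whose consecutive successful logins imply travel faster than max_kmh (assumed limit)."""
    last, flagged = {}, set()
    for user, ts, event, result, lat, lon in events:
        if event != "login" or result != "success":
            continue
        if user in last:
            p_ts, p_lat, p_lon = last[user]
            hours = (ts - p_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(p_lat, p_lon, lat, lon) / hours > max_kmh:
                flagged.add(user)
        last[user] = (ts, lat, lon)
    return flagged

def analyse(log=SAMPLE_LOG):
    # Parse timestamps, sort chronologically and run both detections.
    events = sorted(((u, datetime.fromisoformat(ts), e, r, la, lo) for u, ts, e, r, la, lo in log), key=lambda ev: ev[1])
    return {"push_fatigue": push_fatigue(events), "impossible_travel": impossible_travel(events)}
```

On the sample log, alice is flagged for push fatigue (three denials in just over a minute) and bob for impossible travel (New York to London in 30 minutes), while carol's Chicago-to-Los Angeles day stays quiet; a push-fatigue hit is the trigger for the forced password reset recommended above.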

For more information on MFA bypass, phishing, and phishing-resistant MFA, visit SecurityWeek and AT&T.