Understanding MFA bypass attacks: How attackers use AiTM techniques

Multi-factor authentication (MFA) is increasingly bypassed through sophisticated adversary-in-the-middle (AiTM) phishing attacks, according to Mandiant research. These attacks use web proxies to intercept passwords, MFA codes, and session tokens.
Key insights include:
· Common MFA methods like push notifications and one-time passwords are vulnerable to AiTM attacks
· FIDO2/U2F hardware keys and certificate-based authentication offer better protection
· Detection opportunities exist in monitoring IP address anomalies and new MFA enrollments
· Effective defense requires phishing-resistant MFA and evaluated access policies
To learn more about evolving AiTM threats, read the full research.
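The detection point above (IP address anomalies and new MFA enrollments) can be combined into one correlation rule. The following is an added example, not code from the research: it flags an MFA enrollment that follows a sign-in from an IP address not previously seen for that user. The event schema, field names, one-hour window and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The field names are an assumed schema,
# not any identity provider's real log format.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2024-05-02T08:05:00", "user": "alice", "type": "signin", "ip": "198.51.100.10"},
    {"ts": "2024-05-03T02:14:00", "user": "alice", "type": "signin", "ip": "203.0.113.77"},
    {"ts": "2024-05-03T02:19:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77"},
    {"ts": "2024-05-03T09:00:00", "user": "bob", "type": "signin", "ip": "192.0.2.5"},
    {"ts": "2024-05-04T09:00:00", "user": "bob", "type": "signin", "ip": "192.0.2.5"},
    {"ts": "2024-05-20T10:00:00", "user": "bob", "type": "mfa_enroll", "ip": "192.0.2.5"},
]


def find_suspicious_enrollments(events, window=timedelta(hours=1)):
    """Flag MFA enrollments made within `window` after a sign-in
    from an IP address that was new for that user."""
    known_ips = {}      # user -> IPs seen in earlier sign-ins (the baseline)
    new_ip_signin = {}  # user -> (time, ip) of the latest sign-in from an unseen IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "signin":
            # A user's first recorded sign-in only seeds the baseline.
            if seen and ip not in seen:
                new_ip_signin[user] = (ts, ip)
            seen.add(ip)
        elif ev["type"] == "mfa_enroll":
            hit = new_ip_signin.get(user)
            if hit and timedelta(0) <= ts - hit[0] <= window:
                alerts.append({
                    "user": user,
                    "signin_ip": hit[1],
                    "enroll_ip": ip,
                    "enrolled_at": ev["ts"],
                    "minutes_after_signin": int((ts - hit[0]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```

In production the baseline would come from a longer history window and would typically key on ASN or geolocation as well as raw IP address, since users legitimately change addresses.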