SecureWorld Webinar: Why Password Managers Fail to Secure and How You can Take Back Control
Register Now

MFA Cannot Stand Alone Series – AiTM Attacks and How Unixi Deals With Them

CTO & Co-Founder at Unixi

As part of our 3-part series on MFA weaknesses, this initial post will delve into the Adversary in the Middle attacks, how they circumvent MFA, and how Unixi stops such attacks in different moments of the attack. But first, some background.

Multi Factor Authentication (MFA) is a useful technology that adds security to a credential “handshake”. No serious company or expert claim otherwise; but it has its weaknesses. Although its mainstream adoption took many years, MFA was probably invented sometime in the mid-nineties. In 1995, AT&T filed a patent in the US and the EU for a MFA mechanism. Ericsson and Nokia also filed patents for similar technologies. Interestingly, and probably the subject of another post, Kim Dotcom, the notorious internet activist/showman, has filed for a patent infringement of MFA in 2013 and lost due to AT&T’s patent predating his.

The adoption took time, but when it happened it was swift, and these days many login events are protected by MFA. But hackers were quick to respond, and in fact, MFA has some simple workarounds that cannot be ignored.

Adversary in the Middle (AiTM) is a brilliantly devastating attack. In June 2023, Microsoft released a report detailing successful attacks on MFA protected organizations, including financial institutions. The attack was dubbed Adversary in the Middle attack, and the attacks were sophisticated, and almost unstoppable. In essence, the attackers sent a phishing email with a URL, hosted by Canva, which allowed it to go undetected by traditional anti-phishing tools which use reputation testing. The following is an example of such email, taken from Microsoft’s report:

Once pressed, the link directed the target to a well-made, seemingly real, Microsoft login page. Once the credentials were entered, an MFA prompt was sent to the target (as expected). Once confirmed, the attackers were in.

Like many of the really serious hacks, the consequences of this hacking incident are not clear. Before detection, the hacker group that was names Storm-1167, managed to send more than 16,000 such attacks. We know that the targets were, among others, financial institutions. We also know that access granted to the attackers allowed them full control over the attacked accounts, including the ability to send emails from compromised accounts and to change their security policies. We can only imagine how much angst, frustration, mental and material loss these attacks caused.

Unfortunate, because Unixi would have stopped it in its tracks in two ways.

First, Unixi would have immediately stopped the initial phishing attempt. Unixi’s phishing protection technology, unlike most phishing protection technologies, does not conduct reputation testing to websites. It also doesn’t block access to websites. Rather, it blocks the sending of company credentials following a check of the URL itself, verifying that it fits the usual activity of the company’s employees. Zero false positives; no unauthorized access. In this instance, a URL, even if hosted by Canva, would have not been authorized for credential sending. Therefore, the attack would have been stopped already at that early stage.

The attack would have been stopped also at a second stage, as the risk of credential theft is annulled using Unixi’s patented Credential Protection Engine (CPE). Unixi’s browser extension protects user’s passwords and eliminates credential theft completely. This means that in an event of AiTM attack like the one above, even if the phishing attempt would have been successful, a subsequent attempt to use the user’s credentials would have been futile and unsuccessful.

MFA is a wonderful technology, and that is why clients using Unixi can implement it to any application with a click of a button and zero integration. But it is not a standalone mechanism. Next posts in the series will show how MFA is circumvented using other forms of attacks, and how Unixi deals with those as well.

Reuvein Vinokurov

CTO & Co-Founder at Unixi

Reuvein Vinokurov is the co-founder and CTO of Unixi, where he directs the platform’s core architectural vision and technical innovation. He brings deep enterprise engineering and offensive security expertise, having previously served as VP of Efficiency & Innovation at HUB Security and Offensive Security Team Leader at Comsec. With years of hands-on experience developing advanced automation tools and leading red-team simulations, Reuvein designed Unixi’s proprietary decentralized architecture to achieve 100% single sign-on coverage at the interaction layer. His mission is to dismantle the underlying mechanics of identity theft and credential exposure, turning unmanaged SaaS blind spots into ironclad enterprise security barriers.

Explore more