
MFA Cannot Stand Alone Series – AiTM Attacks and How UNIXi Deals With Them

Reuvein Vinokurov  |  October 18, 2024

As part of our 3-part series on MFA weaknesses, this initial post will delve into Adversary in the Middle attacks, how they circumvent MFA, and how UNIXi stops such attacks at different stages of the attack. But first, some background.

Multi-Factor Authentication (MFA) is a useful technology that adds security to a credential “handshake”. No serious company or expert claims otherwise; but it has its weaknesses. Although its mainstream adoption took many years, MFA was probably invented sometime in the mid-nineties. In 1995, AT&T filed a patent in the US and the EU for an MFA mechanism. Ericsson and Nokia also filed patents for similar technologies. Interestingly, and probably the subject of another post, Kim Dotcom, the notorious internet activist/showman, filed a patent infringement claim over MFA in 2013 and lost because AT&T’s patent predated his.

Adoption took time, but when it happened it was swift, and these days many login events are protected by MFA. Hackers were quick to respond, however, and in fact MFA has some simple workarounds that cannot be ignored.

Adversary in the Middle (AiTM) is a brilliantly devastating attack. In June 2023, Microsoft released a report detailing successful attacks on MFA-protected organizations, including financial institutions. The campaign was dubbed an Adversary in the Middle attack, and the attacks were sophisticated and almost unstoppable. In essence, the attackers sent a phishing email with a URL hosted by Canva, which allowed it to go undetected by traditional anti-phishing tools that rely on reputation testing. The following is an example of such an email, taken from Microsoft’s report:

Once clicked, the link directed the target to a well-made, seemingly real, Microsoft login page. Once the credentials were entered, an MFA prompt was sent to the target (as expected), because the fake page relayed the login to the real service in the background. Once the prompt was confirmed, the attackers were in.

Like many of the really serious hacks, the full consequences of this incident are not clear. Before detection, the hacker group Microsoft named Storm-1167 managed to launch more than 16,000 such attacks. We know that the targets included, among others, financial institutions. We also know that the access gained by the attackers gave them full control over the compromised accounts, including the ability to send emails from those accounts and to change their security policies. We can only imagine how much angst, frustration, and mental and material loss these attacks caused.

Unfortunate, because UNIXi would have stopped this attack in its tracks, in two ways.

First, UNIXi would have immediately stopped the initial phishing attempt. UNIXi’s phishing protection technology, unlike most phishing protection technologies, does not rely on reputation testing of websites. It also doesn’t block access to websites. Rather, it blocks the sending of company credentials after checking the URL itself, verifying that it fits the usual activity of the company’s employees. Zero false positives; no unauthorized access. In this instance, a URL, even one hosted by Canva, would not have been authorized for credential sending. Therefore, the attack would have been stopped already at that early stage.
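To make the mechanism described above concrete, here is an added example, written for this post and not UNIXi’s own code, of a browser-side check that decides whether a form containing a password may be submitted to a given URL. The allowlist of login origins stands in for “URLs that fit the usual activity of the company’s employees” and is constructed inline (the `sso.example-corp.invalid` entry is a placeholder for a company identity provider); the sample submission targets are likewise constructed. The check deliberately compares normalised origins rather than raw URLs, so paths, query strings, letter case, plain-HTTP downgrades and user-info tricks in the URL cannot slip a credential past it, and it never blocks the site itself, only the credential submission.

```javascript
// Added example (not UNIXi's code): allow or block a credential submission based
// purely on its destination origin, with no reputation lookup of the website.
// Constructed allowlist standing in for "the usual login activity of the company".
const ALLOWED_LOGIN_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://sso.example-corp.invalid", // constructed placeholder for a company IdP
]);

// Reduce a URL to its origin (scheme://host[:port]). Returns null when the URL
// is unparseable, not HTTPS, or carries user-info (the "trusted-name@other-host"
// pattern), so that all such cases fall through to "not authorised".
function credentialTargetOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable destination: never a valid place for a password
  }
  if (url.protocol !== "https:") return null; // credentials only ever over TLS
  if (url.username || url.password) return null; // user-info in the URL is a red flag
  return url.origin.toLowerCase(); // WHATWG parsing already lowercases the host
}

function isAuthorizedCredentialTarget(rawUrl, allowlist = ALLOWED_LOGIN_ORIGINS) {
  const origin = credentialTargetOrigin(rawUrl);
  return origin !== null && allowlist.has(origin);
}

// Decision taken at form-submit time. Forms without a password field are left
// alone; the page itself is never blocked, only the sending of credentials.
function decideSubmission(formActionUrl, hasPasswordField) {
  if (!hasPasswordField) {
    return { action: "allow", reason: "no credential in form" };
  }
  if (isAuthorizedCredentialTarget(formActionUrl)) {
    return { action: "allow", reason: "destination origin is on the allowlist" };
  }
  const origin = credentialTargetOrigin(formActionUrl) ?? "invalid or non-HTTPS URL";
  return { action: "block", reason: `credential submission to ${origin} is not authorised` };
}

// Constructed sample submissions: [form action URL, form contains a password field]
const SAMPLE_SUBMISSIONS = [
  ["https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x", true],
  ["https://www.canva.com/design/constructed-placeholder/view", true], // hosted on a reputable site, still blocked
  ["https://login.microsoftonline.com.evil.invalid/login", true], // lookalike host
  ["https://login.microsoftonline.com@evil.invalid/", true], // user-info trick
  ["http://login.microsoftonline.com/", true], // right host, wrong scheme
  ["https://www.canva.com/design/constructed-placeholder/view", false], // no password: not a credential send
];

for (const [url, hasPassword] of SAMPLE_SUBMISSIONS) {
  const { action, reason } = decideSubmission(url, hasPassword);
  console.log(`${action.toUpperCase().padEnd(5)} ${url}  (${reason})`);
}
```

In a real extension the decision function would be wired to the form-submit event and the allowlist would be learned from, or maintained against, the organisation’s actual login destinations; the point of the example is that the decision depends on where the password is going, not on whether the hosting site has a bad reputation.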

The attack would also have been stopped at a second stage, because UNIXi’s patented Credential Protection Engine (CPE) removes the risk of credential theft. UNIXi’s browser extension protects users’ passwords and eliminates credential theft completely. This means that in the event of an AiTM attack like the one above, even if the phishing attempt had succeeded, a subsequent attempt to use the user’s credentials would have been futile.

MFA is a wonderful technology, and that is why clients using UNIXi can add it to any application with a click of a button and zero integration. But it is not a standalone mechanism. The next posts in the series will show how MFA is circumvented using other forms of attack, and how UNIXi deals with those as well.
