Friday, October 1, 2021

Method to Bypass MFA

We all get those phishing emails trying to trick us into going to a website with a login that looks legitimate, such as a Microsoft 365 authentication page with a URL that looks close enough to be right and a very convincing web page. If you have MFA (Multi-Factor Authentication), then supposedly no problem, even if you do put in your email/username and password, because if a thief gets that information they still need to get the code from your phone.

So what if I were to just set up a proxy site that tricks you into entering that information? What I mean is to trick you into entering data into a form that passes it to a remote computer in real time, and then you get the code and put that in as well. Now I have access to your account and can change your password and even lock you out by changing the MFA method. Here are the steps. Note I have not attempted this proof of concept; this is theoretical, but it needs to be addressed as a possible way to bypass what we believe to be a very secure methodology.

Step 1: Create a fake login site. This is done all the time, but instead of simply recording the username/email address and password, the site passes them to another computer in real time.

Step 2: If the account does not have MFA, then no problem, you're in. The attacker sets up MFA on your account and changes the password, or they do what they do most of the time and just send out junk emails or steal data. BUT if you do have MFA, then another screen pops up asking you to put in the authentication code you received on your cell phone or the time-based code from your authenticator app. You type that in and it gets sent immediately to the perpetrator's computer, where the authentication process succeeds and they now have access to your account.

Step 3: You are shown an error page of some sort saying there is an issue, and you are none the wiser that you just gave someone else in the world access to your account. This can even redirect to an official Microsoft error page so that the URL is legit.

In addition, a VPN proxy can be set up so that the perpetrator's computer appears to be in the same area where you are really located: geo-locate you based on your IP, then choose an exit IP in a similar area. The log files will then show that the authentication came from where you are, or at least close to it, causing an even bigger problem when tracking down what happened. How frustrating when your admin says it came from your location!


If you use an authenticator app that does not use a code but rather asks you to approve the login, and yet you are asked for a code, that should be a tip-off that something is wrong.

Ultimately, the better fix would be to start the authentication process from a known secure device such as your phone. The authenticator app could log you in on a computer by having you go to the Microsoft site and then scanning a QR code. That code then interacts with the authenticator app and authenticates you securely. This would not be able to pass through a proxy, as the authentication is not actually taking place on your computer. If the QR code were on an illegitimate site, it would fail to work with the authenticator app itself.
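The following is an added example, not code from the post, that models why the two designs behave differently when a relay site sits between the user and the real login page. A six-digit code carries no information about which page it was typed into, so a server verifying it cannot tell a relayed code from a direct one. An assertion that is signed together with the origin the browser reports (the model phishing-resistant schemes such as WebAuthn/FIDO2 use, and the property a QR-scan flow like the one proposed above would need) is rejected by the legitimate site when the browser was actually on the look-alike domain, and rewriting the origin field breaks the signature. All origins, secrets and class names are constructed for the illustration; HMAC with a key shared at enrolment stands in for the public-key signature a real authenticator would produce, which keeps the example standard-library only without changing the origin-binding point.

```python
import hashlib
import hmac
import json
import secrets
import struct

# All names, origins and secrets below are constructed for this illustration.
REAL_ORIGIN = "https://login.example.com"         # the legitimate site
PROXY_ORIGIN = "https://login.example-com.test"   # look-alike relay site (constructed)
RP_ID = "login.example.com"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only sees six digits: nothing in them records where they were typed."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


class Authenticator:
    """Stand-in for the phone app. One key per relying party; signing covers the origin."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key  # shared with the site at enrolment (HMAC stands in for a public key)

    def sign(self, rp_id: str, challenge: str, browser_origin: str) -> tuple[bytes, bytes]:
        # The browser, not the web page, supplies its origin, so a look-alike page cannot lie here.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                                 sort_keys=True).encode()
        tag = hmac.new(self._keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, tag


class RelyingParty:
    """The legitimate site's verifier: checks signature, challenge and origin."""

    def __init__(self, origin: str, key: bytes) -> None:
        self.origin = origin
        self.key = key

    def verify(self, challenge: str, client_data: bytes, tag: bytes) -> tuple[bool, str]:
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        data = json.loads(client_data)
        if data["challenge"] != challenge:
            return False, "challenge mismatch"
        if data["origin"] != self.origin:
            return False, "origin mismatch"
        return True, "ok"


def login_outcomes(browser_origin: str, unix_time: int = 1_633_046_400) -> dict[str, bool]:
    """Run both MFA models for a user whose browser is at `browser_origin`.

    The relay described in the post forwards whatever the user submits to the
    real site in real time, so in both models the real site receives the user's
    input unchanged; only the origin the browser reports differs.
    """
    totp_secret = b"12345678901234567890"  # constructed enrolment secret (RFC 6238 test key)
    auth = Authenticator()
    site = RelyingParty(REAL_ORIGIN, auth.register(RP_ID))

    # Model 1: the code the user reads off the phone is forwarded verbatim.
    code_typed_by_user = totp(totp_secret, unix_time)
    totp_ok = server_verify_totp(totp_secret, code_typed_by_user, unix_time)

    # Model 2: the real site's challenge is forwarded, but the browser reports its own origin.
    challenge = "c0ffee-" + str(unix_time)  # constructed challenge issued by the real site
    client_data, tag = auth.sign(RP_ID, challenge, browser_origin)
    assertion_ok, _reason = site.verify(challenge, client_data, tag)

    # Editing the origin field to the real one invalidates the signature instead.
    # (When the browser really was on REAL_ORIGIN there is nothing to edit, so this stays True.)
    edited = client_data.replace(browser_origin.encode(), REAL_ORIGIN.encode())
    edited_ok, _ = site.verify(challenge, edited, tag)

    return {"totp_accepted": totp_ok,
            "assertion_accepted": assertion_ok,
            "edited_assertion_accepted": edited_ok}


if __name__ == "__main__":
    print("direct :", login_outcomes(REAL_ORIGIN))
    print("relayed:", login_outcomes(PROXY_ORIGIN))
```

Running it shows the direct login accepted under both models and the relayed login accepted only under the code model; the origin-bound assertion fails with "origin mismatch", and the edited copy fails with "bad signature". The defender's takeaway matches the post's conclusion: a second factor only resists a real-time relay if the verifier can tell where the user actually was, and that information has to be bound into what the server checks, not merely into the user's screen.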