The rise of MFA phishing (and how your organisation can avoid it)  

Executive Summary 

  • Multi-Factor Authentication (MFA) has long been the gold standard for cybersecurity protection and authentication for small businesses, but recently we’ve seen a big rise in “MFA phishing”.   
  • MFA phishing is a cyberattack method in which hackers trick unsuspecting users into handing over both their password and their multi-factor authentication codes.  
  • MFA phishing is a big risk, but that risk can be mitigated. Adopting phish-resistant MFA (like FIDO2 security keys), restricting logins to compliant devices, and training staff to spot subtle red flags like suspicious URLs can all be a big help.  

Introduction 

Picture this: an employee receives an email from their manager asking them to review a shared document.  

The email looks genuine enough, so they click through and see a familiar login page. So far so good. They go ahead and enter their password and follow it up with a Multi-Factor Authentication code sent to their mobile phone, as usual.  

All pretty run of the mill. Except this page isn’t real.  

This is a proxy page controlled by hackers, and within seconds, they’ve gained full access to this user’s account – and the employee has absolutely no idea.  

What is MFA phishing? 

MFA phishing, also known as an “adversary-in-the-middle” attack, targets the famously secure measure designed to stop hackers: Multi-Factor Authentication.  

Unlike traditional phishing, which steals passwords, MFA phishing focuses on stealing “session tokens”. These tokens, generated after successful MFA validation via something like a text message code, let attackers impersonate users without needing their actual password. 

When you log in to a service like Microsoft 365, the system creates a ‘token’ to confirm your identity. During the phishing attack, hackers intercept this token using fake login pages that mirror legitimate sites. Even if you change your password later, the stolen token still grants continuous access. 

Methods like SMS codes or push notifications rely on users approving requests. But if a user unknowingly enters their MFA code on a phishing page, attackers capture both the password and the token. This flaw has turned MFA – once a gold standard – into a potential weak link for unprepared organisations. 

The rise of MFA phishing  

Over the past year or so, MFA phishing has only become more prevalent.   

At Get Support, we’re seeing criminals use so-called “phishing-as-a-service” (PaaS) platforms like EvilProxy or Tycoon 2FA to automate this type of credential theft, making the bypass of MFA measures alarmingly straightforward.  

For businesses, this means that relying solely on SMS codes or authenticator apps is no longer enough. For years, enabling MFA on your organisation’s accounts has been the single most effective way to prevent cyberattacks and breaches. But today? That’s not so true.  

But don’t worry – there are ways to mitigate these risks.  

How do MFA phishing attacks happen? 

Before we talk mitigation, let’s do a bit of ‘know your enemy’ with a walkthrough of a typical attack chain, step by step: 

Step 1: Compromising a trusted account 

The first move for an attacker is to breach a legitimate email account. Very often this is done via an earlier phishing attack against a less well-protected target. For example, hackers might target a supplier’s employee, then use that compromised account to send malicious emails to their trusted contacts. 

Step 2: Crafting the bait 

The victim receives an email that appears routine: a file-sharing notification, invoice, or DocuSign link. Pretty standard stuff. To avoid suspicion, attackers will often host the initial link on a legitimate platform like OneDrive. But clicking it redirects the user to a phishing site after a harmless preview. 

Step 3: Filtering out bots 

Before the phishing page loads, victims face a Cloudflare security check. This step ensures that only humans proceed, blocking automated scanners that might flag the site as malicious. 

Step 4: Mirroring the login page 

The phishing page replicates a Microsoft or Google login portal – complete with branding, logos, and language. The only red flag? A slightly altered URL (e.g., microsoft-365.net instead of microsoft365.com). Users unwittingly enter their credentials and the MFA code, which attackers forward to the real site to generate a valid token. 
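The altered URL is the one visible tell at this step, and it is also something a mail gateway or browser extension can check automatically. The Python below is an added illustration, not code from the original article or from any vendor: it trusts only an allow-list of known sign-in hosts (and their registrable domains), then flags any other host that still contains a brand word once look-alike digits and hyphens are stripped, which catches both microsoft-365.net and the longer login.microsoftonline.com.evil-host.net style. The allow-list, brand words and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the sign-in hosts this organisation actually uses.
# In practice this comes from your identity provider's documentation, not a guess.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "accounts.google.com",
}

# Brand words a look-alike domain borrows to seem familiar (constructed list).
BRAND_WORDS = ("microsoft", "office", "google", "docusign", "onedrive")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'evil-host.net'.

    Good enough for the .com/.net names in this example; a production check
    should use the Public Suffix List so that 'example.co.uk' is handled too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Registrable domains behind the trusted hosts, so docs.microsoft.com is not
# mistaken for an impostor just because it is not itself a sign-in page.
TRUSTED_REGISTRABLE = {registrable_domain(h) for h in LEGITIMATE_LOGIN_HOSTS}

# Character swaps look-alikes rely on: digits for letters, hyphens as padding.
_LOOKALIKE_SWAPS = str.maketrans({"0": "o", "1": "l", "-": None, "_": None})


def normalise(host: str) -> str:
    """Collapse 'micros0ft-365' and 'microsoft365' to the same string."""
    return host.lower().translate(_LOOKALIKE_SWAPS)


def classify_login_url(url: str) -> str:
    """Classify a URL a user is about to type credentials into.

    'trusted'   - host (or its registrable domain) is on the allow-list
    'lookalike' - not trusted, but borrows a brand word once normalised
    'unknown'   - neither; still not a place to enter work credentials
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"
    if host in LEGITIMATE_LOGIN_HOSTS or registrable_domain(host) in TRUSTED_REGISTRABLE:
        return "trusted"
    # Check the whole host, not just the registrable part, so that
    # login.microsoftonline.com.evil-host.net is caught as well.
    if any(word in normalise(host) for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://login.microsoftonline.com/common/oauth2/authorize",
                   "https://microsoft-365.net/login",
                   "https://login.microsoftonline.com.evil-host.net/",
                   "https://example.org/share"):
        print(f"{classify_login_url(sample):9s} {sample}")
```

The allow-list is the part that matters: an "unknown" result is not a pass, it simply means the host is not one the organisation signs in to. The two-label `registrable_domain` is a deliberate simplification and should be replaced with a Public Suffix List lookup before use on real traffic.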

Step 5: Token theft and account takeover 

With the token in hand, attackers can now log in as the victim. They’ll often enrol their own MFA method (like a new authenticator app) to maintain access, even if the victim resets their password. 

Step 6: Post-attack exploitation 

The real damage begins here. Attackers might snoop silently in inboxes for weeks, gathering intel on financial processes or high-value targets. They may tamper with invoices by redirecting payments through edited bank details. Secondary phishing campaigns are also common, using the compromised account to target colleagues or clients. 

In short, it’s dangerous stuff.  

How can you protect your business against MFA phishing? 

It sounds understandably concerning, but it’s worth remembering that MFA phishing thrives on outdated security practices.  

That means, with the right measures in place, you can build a robust defence: 

1. Prioritise phish-resistant MFA 

All of those more traditional MFA methods, like codes via text message, are now low-hanging fruit for hackers. Instead of leaning on these, opt for solutions that can’t be intercepted, such as FIDO2 security keys. These physical tokens (like YubiKeys) use public-key cryptography, and the browser binds each credential to the website’s domain rather than to anything the user types. When inserted, they will authenticate only with the legitimate website, so a look-alike phishing site fails this check.  
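Why a proxy page cannot relay a FIDO2 login the way it relays an SMS code comes down to what gets signed. The Python below is an added simulation of the WebAuthn assertion flow, not code from the original article or from any vendor or standards body: the browser writes the origin it is actually showing into clientDataJSON, the key signs over that, and the relying party rejects any origin that is not its own. An HMAC key stands in for the credential’s asymmetric key pair so the example runs with the standard library alone; the RP ID, origins and look-alike domain are constructed.

```python
import hashlib
import hmac
import json
import secrets

# The relying party (RP) this simulation stands in for. Everything below is a
# constructed model of the WebAuthn assertion flow, not any vendor's code.
RP_ID = "microsoft365.com"
ALLOWED_ORIGINS = {"https://microsoft365.com", "https://login.microsoft365.com"}

# Stand-in for the credential key pair: one HMAC key plays both the authenticator's
# private key and the public key the RP stored at registration. Real FIDO2 keys use
# an asymmetric signature (e.g. ES256); the origin check below is identical either way.
CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_assert(browser_origin: str, challenge: bytes) -> dict:
    """What browser plus security key hand back during sign-in.

    The browser, not the user and not the web page, writes the origin it is really
    showing into clientDataJSON. The key then signs authenticatorData together with
    sha256(clientDataJSON), so the origin is covered by the signature.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": browser_origin,
    }).encode()
    # authenticatorData starts with sha256(rpId), then flags and a signature
    # counter (both simplified here).
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not this RP"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this RP"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def genuine_attempt() -> tuple[bool, str]:
    """User signs in on the real origin."""
    challenge = secrets.token_bytes(32)
    return rp_verify(authenticator_assert("https://login.microsoft365.com", challenge), challenge)


def proxy_relays_assertion() -> tuple[bool, str]:
    """A page on a look-alike domain relays the real RP's challenge to the victim
    and forwards whatever the victim's browser returns."""
    challenge = secrets.token_bytes(32)
    # The victim's browser is really on the phishing origin, and says so.
    captured = authenticator_assert("https://microsoft-365.net", challenge)
    return rp_verify(captured, challenge)


def proxy_rewrites_origin() -> tuple[bool, str]:
    """Same relay, but clientDataJSON is edited to claim the real origin.
    The origin sits under the signature, so the edit invalidates it."""
    challenge = secrets.token_bytes(32)
    captured = authenticator_assert("https://microsoft-365.net", challenge)
    forged = json.loads(captured["clientDataJSON"])
    forged["origin"] = "https://login.microsoft365.com"
    captured["clientDataJSON"] = json.dumps(forged).encode()
    return rp_verify(captured, challenge)


if __name__ == "__main__":
    print("genuine:        ", genuine_attempt())
    print("relayed:        ", proxy_relays_assertion())
    print("origin rewritten", proxy_rewrites_origin())
```

In a real browser the relay case never gets this far: the credential is scoped to the RP ID, and a browser on microsoft-365.net will refuse to use a credential registered for microsoft365.com at all. The RP-side origin check shown here is the second, independent layer, and the signature over clientDataJSON is what stops a proxy from simply editing the origin field on the way through.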

2. Enforce device-based conditional access 

Restrict your team’s logins to enrolled, compliant devices using policies available via Microsoft Entra ID. For example, you can block access from unmanaged devices and require Microsoft Intune compliance to be sure that devices meet security benchmarks like encryption and OS updates. This approach requires Microsoft 365 Business Premium or higher, plus Microsoft Intune for mobile device management. 

3. Invest in continuous staff training 

As always with cyber security, humans remain the weakest link – but they can also become your first line of defence. Platforms like Phished.io offer AI-driven phishing simulations and ‘microlearning’ modules to teach staff to spot typos, mismatched URLs, and suspicious requests. At £26 per user annually, it’s a cost-effective way to reduce click rates by up to 70%. 

4. Monitor for anomalies 

To ensure you stay on track, it’s a good idea to deploy tools that flag unusual activity, such as logins from unfamiliar locations or new MFA enrolments. Email forwarding rules set by attackers to hide their tracks should also trigger alerts with your IT team. 
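What those alerts look like in practice, as an added example that is not part of the original article: a small Python detector run over constructed sample events, modelled loosely on Entra sign-in and audit records and Exchange Online mailbox-audit records, with simplified field names. It flags a sign-in from a country the user has never signed in from, a new MFA method registration, and an inbox rule that forwards mail outside the organisation or deletes it, then correlates alerts for the same user inside a one-hour window so the IT team sees one takeover pattern rather than three separate tickets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"            # constructed: the organisation's own mail domain
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MFA_REGISTRATION_ACTIVITY = "User registered security info"

# Constructed sample events, shaped loosely like Entra sign-in / audit records and
# Exchange Online mailbox-audit records. Field names are simplified for the example.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice@example.com", "country": "GB", "ip": "203.0.113.10", "ts": "2025-03-03T08:01:00Z"},
    {"type": "signin", "user": "alice@example.com", "country": "GB", "ip": "203.0.113.11", "ts": "2025-03-04T08:03:00Z"},
    {"type": "signin", "user": "alice@example.com", "country": "NG", "ip": "198.51.100.7", "ts": "2025-03-04T08:09:00Z"},
    {"type": "audit", "user": "alice@example.com", "activity": MFA_REGISTRATION_ACTIVITY, "ts": "2025-03-04T08:11:00Z"},
    {"type": "mailbox", "user": "alice@example.com", "operation": "New-InboxRule", "ts": "2025-03-04T08:14:00Z",
     "parameters": {"Name": ".", "ForwardTo": ["attacker@example.net"], "DeleteMessage": True}},
    {"type": "signin", "user": "bob@example.com", "country": "GB", "ip": "203.0.113.20", "ts": "2025-03-04T09:00:00Z"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def detect(events: list[dict]) -> list[dict]:
    """Walk events in time order and emit one alert per suspicious finding."""
    alerts = []
    seen_countries: dict[str, set] = defaultdict(set)
    for ev in sorted(events, key=_ts):
        user = ev["user"]
        if ev["type"] == "signin":
            # Alert on a country never seen for this user before; the first
            # sign-in seeds the baseline rather than alerting.
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                alerts.append({"kind": "new_country", "user": user, "ts": _ts(ev),
                               "detail": f"{ev['country']} via {ev['ip']}, baseline {sorted(seen_countries[user])}"})
            seen_countries[user].add(ev["country"])
        elif ev["type"] == "audit" and ev["activity"] == MFA_REGISTRATION_ACTIVITY:
            alerts.append({"kind": "mfa_method_registered", "user": user, "ts": _ts(ev),
                           "detail": "new authentication method added to the account"})
        elif ev["type"] == "mailbox" and ev["operation"] in ("New-InboxRule", "Set-InboxRule"):
            params = ev["parameters"]
            external = [addr for key in FORWARD_KEYS for addr in params.get(key, [])
                        if not addr.lower().endswith("@" + ORG_DOMAIN)]
            reasons = []
            if external:
                reasons.append(f"forwards to external {external}")
            if params.get("DeleteMessage"):
                reasons.append("deletes the original message")
            if reasons:
                alerts.append({"kind": "suspicious_inbox_rule", "user": user, "ts": _ts(ev),
                               "detail": f"rule {params.get('Name')!r}: " + "; ".join(reasons)})
    return alerts


def correlate(alerts: list[dict], window: timedelta = timedelta(hours=1)) -> set[str]:
    """Users with two or more different alert kinds inside one window. New
    location, then new MFA method, then a rule that hides mail is the takeover
    sequence from Steps 5 and 6 above, not three coincidences."""
    flagged = set()
    by_user = defaultdict(list)
    for alert in alerts:
        by_user[alert["user"]].append(alert)
    for user, items in by_user.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            kinds = {a["kind"] for a in items[i:] if a["ts"] - first["ts"] <= window}
            if len(kinds) >= 2:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['ts']:%Y-%m-%d %H:%M} {alert['kind']:24s} {alert['user']}: {alert['detail']}")
    print("takeover suspected for:", correlate(found))
```

The country baseline here is simply every country the user has previously signed in from; a real deployment would seed it from weeks of history and expire stale entries. The three alert kinds map directly onto the signals the section names, and the correlation step is what turns them into the single "revoke tokens and investigate" action Step 5 of the defence list calls for.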

5. Prepare for the worst 

Nobody wants to think about it, but the best approach is actually to assume that breaches will happen. That means having an incident response plan that includes immediate token revocation, rollback procedures to restore email rules, and forensic analysis to determine exactly how the breach occurred. 

Concerned about MFA phishing? Here are the next steps 

Sadly, MFA phishing isn’t a hypothetical threat. It’s already happening on a daily basis to businesses of all sizes.  

While no solution is 100% foolproof, combining phish-resistant MFA with vigilant training and strict device policies will slam the door on most attackers. 

Still using SMS-based MFA? The upfront cost of upgrading to FIDO2 keys or device-based authentication pales in comparison to the £3.6 million average cost of a UK data breach. So that’s a great place to start.  

Want to be sure your organisation isn’t at risk? Speak to your Get Support Customer Success Manager about a phishing risk assessment today or call our team directly on 01865 594000.