Session Cookie Hijacking

Understanding and Preventing Microsoft MFA Bypass Attacks

The prevalence of cyber threats faced by organisations continues to rise, with hackers employing increasingly sophisticated yet simple-to-obtain methods to compromise sensitive information. Recently, there has been a surge in one such method whereby malicious actors are bypassing Microsoft Multi-Factor Authentication (MFA) through session cookie hijacking.

This technique allows attackers to obtain the tokens required for MFA and thereby access the user’s data at will, without the user or the organisation being aware or notified, because the hacker appears to be ‘authenticating’ legitimately and so bypasses the security measures currently in place.

The Rise of Session Cookie Hijacking

Session cookie hijacking is emerging as a favoured tactic among cyber criminals seeking to exploit vulnerabilities in MFA systems. By intercepting session cookies, attackers can gain unauthorised access to user accounts: presenting the stolen session cookie satisfies the code check that MFA would otherwise require to authenticate access. This method effectively bypasses MFA defences, allowing hackers to infiltrate cloud services and other network resources with alarming ease and at will.

The Threat of EvilGinx2 and Similar Tools

Compounding the problem is the proliferation of tools like EvilGinx2, readily available on platforms like GitHub. EvilGinx2 operates as a reverse proxy, intercepting user credentials and session tokens in transit. This tool, along with others of its kind, poses a formidable threat to organisations and their robust MFA security, enabling attackers to steal session tokens and bypass MFA protections entirely. What’s more, these attacks are often invisible to users and difficult to detect until it’s too late.

Protecting Against MFA Bypass Attacks

While the rising threat of MFA bypass attacks is concerning, there are proactive steps organisations can take to mitigate their risk:

  • Strengthen Authentication Protocols: Implementing additional layers of authentication beyond MFA, such as biometric authentication or hardware-based security keys, can significantly enhance security.
  • Educate Users: Conduct regular awareness training to educate users about the risks of MFA bypass attacks, phishing attempts, and other cybersecurity threats. Empower users to recognize suspicious activity and report it promptly.
  • Enhance Monitoring and Detection Capabilities: Invest in advanced monitoring and detection solutions capable of identifying anomalous behaviour indicative of MFA bypass attempts. Early detection can mitigate the impact of these attacks and prevent further compromise.
  • Leverage Third-Party Tools: Consider leveraging third-party security solutions, such as Azure Active Directory Premium P1 (AADP1), to augment existing MFA defences and thwart invisible proxy attacks. In this instance, AADP1 recognises the attacker’s IP address rather than the user’s original one and blocks access.
  • Device enrolment into Intune: This works by recognising corporate-enrolled devices. As the malicious attacker’s machine will not have been enrolled into Intune, access will be denied following a compliance check.
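The monitoring, IP-based blocking and device-compliance points above can be combined into one detection rule. The following is an added example, not code from the original post or from Microsoft: it walks constructed sign-in records (field names such as `session`, `mfa` and `compliant` are assumptions, not a real Entra ID log schema) and flags a session that, after MFA was completed from one IP, is reused from a different IP by a device that is not compliant.

```python
# Added example (not part of the original post): a simple detector for
# session-cookie replay. It groups constructed sign-in records by session id
# and flags a session whose later requests come from a different IP than the
# one where the MFA challenge was satisfied, unless the device is compliant.
from collections import defaultdict

# Constructed sample sign-in records (field names and values are assumptions,
# not a real Entra ID / Azure AD log schema).
SIGNINS = [
    {"time": "2024-05-01T09:00:00Z", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "mfa": True, "compliant": True},
    {"time": "2024-05-01T09:05:00Z", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "mfa": False, "compliant": True},
    {"time": "2024-05-01T09:20:00Z", "user": "alice", "session": "s1",
     "ip": "198.51.100.77", "mfa": False, "compliant": False},
    {"time": "2024-05-01T10:00:00Z", "user": "bob", "session": "s2",
     "ip": "203.0.113.22", "mfa": True, "compliant": True},
    {"time": "2024-05-01T10:30:00Z", "user": "bob", "session": "s2",
     "ip": "203.0.113.22", "mfa": False, "compliant": True},
]


def find_replayed_sessions(records):
    """Return alerts for sessions reused from an IP other than the one where
    MFA was completed, by a device that fails the compliance check."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_session[r["session"]].append(r)
    alerts = []
    for session, events in by_session.items():
        mfa_events = [e for e in events if e["mfa"]]
        if not mfa_events:
            continue  # no MFA completion seen; nothing to compare against
        origin_ip = mfa_events[0]["ip"]
        for e in events:
            if e["ip"] != origin_ip and not e["compliant"]:
                alerts.append({"user": e["user"], "session": session,
                               "mfa_ip": origin_ip, "replay_ip": e["ip"],
                               "time": e["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_replayed_sessions(SIGNINS):
        print(f"ALERT {a['time']} user={a['user']} session={a['session']} "
              f"mfa_ip={a['mfa_ip']} replay_ip={a['replay_ip']}")
```

On the sample data only alice's session is flagged: her cookie is reused from 198.51.100.77 by a non-compliant device, while bob's session stays on the IP where MFA was completed.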

Final Thoughts

While Microsoft MFA serves as a critical line of defence against unauthorised access, it is not immune to exploitation. The rise of session cookie hijacking and tools like EvilGinx2 underscores the need for organisations to remain vigilant and proactive in defending against emerging threats.

By implementing robust security measures, educating users, and leveraging advanced technologies, organisations can bolster their defences against MFA bypass attacks and safeguard their sensitive data in an increasingly hostile digital age.

Want to know more?

Speak to Colva today about:

  • Microsoft Intune Device Enrolment
  • Cyber Security Training and Education customised per user
  • Cyber Essentials Certification
  • Managed IT Support

Matt Treviss