Meddler-in-the-Middle phishing attacks break MFA

Security researchers have discovered “meddler-in-the-middle” (MitM) phishing attacks that can break multi-factor authentication (MFA) controls.

Historically, actors behind traditional phishing campaigns would setup fake websites designed to mimic legitimate sites and used to trick victims into entering their credentials. However, users could implement 2FA, also known as multifactor authentication (MFA), to help safeguard against these types of attacks used to steal credentials.

As reported by Palo Alto Networks Unit 42 researchers, MitM is a new type of phishing attack designed to bypass 2FA and content-based controls.

“MitM phishing attacks are a state-of-the-art type of phishing attack capable of breaking two-factor authentication (2FA) while avoiding many content-based phishing detection engines. Rather than showing a spoofed version of a target login page, a MitM attack uses a reverse-proxy server to relay the original login page directly to the user’s browser,” Palo Alto Networks wrote in a blog post.

Moreover, attackers use MitM phishing kits that include scripts and graphical user interfaces (GUIs) used to help more efficiently launch MitM attacks.

MitM campaigns

Palo Alto Networks highlighted several recent campaigns that involve MitM phishing attacks.

In July 2022, Microsoft reported actors used Evilginx2 to steal Microsoft credentials from victims via a phishing campaign. Evilginx2 is a MitM phishing kit that contains an easy-to-use command-line interface, built-in cloaking features, and generates unique tokens (or lures) that must be in the URL to reveal the phishing content.

In September 2022, security teams discovered a separate MitM phishing campaign used to steal victims’ GitHub credentials. For instance, attackers setup several domains to mimic CircleCI login pages and subsequently prompting victims to log in with their GitHub credentials and one-time password (OTP).

“From there, attackers would persist in their access by quickly creating personal access tokens (PATs) or adding their own SSH keys to the victim’s account. That way, attackers would continue to have access to the compromised account even if the victim were to change their username and password,” Palo Alto Networks added.

Similarly, in November 2022, Dropbox had also been targeted in a MitM phishing attack that resulted in the compromise of 130 private repositories.

Readers may also recall last month when Microsoft security experts Microsoft Detection and Response Team (DART) had spotted an increase in attackers using token theft in the cloud to compromise corporate systems while bypassing MFA and other authentication controls. As part of these token thefts, actors used both AitM phishing and “pass-the-cookie” methods in their attacks.

In recent weeks, Palo Alto Networks has detected more MitM phishing URLs via their Advanced URL Filtering service. These malicious URLs include fake Microsoft 365 login pages.


To help safeguard users against MitM attacks, organizations can also start using more advanced MFA methods, such as hardware security keys or WebAuthn 2FA. Additionally, Palo Alto Networks URL filtering services can also be deployed to help detect in-line phishing URLs.

This is in addition to traditional phishing safeguards such as checking for valid URLs and using password managers.

Related Articles