MFA Isn’t Enough: The Rise of Proxy-Enabled Phishing Attacks

Posted on: 22 Apr 2025

Multi-Factor Authentication (MFA) has become a standard security practice, but a concerning trend is emerging: sophisticated phishing attacks that bypass MFA entirely. It’s no longer enough to simply require a one-time passcode; attackers are leveraging proxy servers to intercept credentials and gain unauthorized access.

How It Works: The Adversary-in-the-Middle Attack

The core of this threat lies in what’s known as an “adversary-in-the-middle” attack. Attackers utilize readily available “phishing-as-a-service” toolkits – names like Tycoon 2FA and EvilProxy – to create convincing login pages and proxy servers. Here’s the breakdown:

  1. The Deceptive Link: The attacker sends a message claiming the victim’s account has been compromised, urging them to log in immediately. This message contains a link that appears to lead to the legitimate login page (e.g. https://login.microsoftonline.com). However, the link actually directs to the attacker’s proxy server.

  2. The Mimicry: The attacker’s proxy server is designed to look identical to the legitimate login page. The user enters their username and password, believing they are authenticating with the real site.

  3. Credential Interception: The proxy server then forwards the credentials to the real site (e.g., Google).

  4. MFA Request & Loop: Google responds with an MFA challenge, which arrives at the proxy server rather than at the victim. The proxy server relays the challenge to the victim, who enters their MFA code, and the proxy passes that code on to Google. Every step of the login is relayed this way, allowing the attacker to obtain the victim’s credentials.

Why MFA is Vulnerable

The key vulnerability is the nature of MFA codes themselves – they are simply numbers and characters, easily copied and entered into the target site. Furthermore, the ease of use of these phishing toolkits means even non-technical users can successfully deploy this attack.

WebAuthn: A Stronger Defense

Fortunately, there’s a robust defense against this type of attack: WebAuthn. Unlike a traditional MFA code, a WebAuthn credential is cryptographically bound to the URL it’s intended to authenticate to. This means a credential generated for https://login.microsoftonline.com will only work on that URL. If a victim attempts to use the credential on a malicious URL (e.g., https://login.microsoftonline.com.evilproxy[.]com), the login will fail. Additionally, WebAuthn requires authentication to happen on or in proximity to the victim’s device, preventing the adversary from intercepting the authentication process.
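
The URL binding described above, seen from the legitimate site's side (an added example, not code from the original article): before accepting a WebAuthn login, the server checks the origin the browser recorded and the RP ID hash the authenticator recorded. The host names, `check_binding` and `sample_assertion` are hypothetical, and the sample assertions are constructed.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                      # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # constructed legitimate origin
CHALLENGE = bytes(range(32))  # constructed; a real server issues fresh random bytes per login

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> str:
    """Return "ok", or the reason the assertion is rejected."""
    # The assertion signature covers authenticatorData || SHA-256(clientDataJSON),
    # so a proxy cannot rewrite these fields; verifying it is a separate step.
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"
    # The browser, not the page, fills in the origin the user is really on.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return "origin mismatch"
    # Bytes 0..31 of authenticatorData are SHA-256 of the RP ID the key was used for.
    if len(authenticator_data) < 37 or authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # flags byte, bit 0 = user present
        return "user not present"
    return "ok"

def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator would emit."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return client_data, auth_data

if __name__ == "__main__":
    for host in ("login.example.com", "login.example.com.evilproxy.example"):
        print(host, "->", check_binding(*sample_assertion("https://" + host, host, CHALLENGE), CHALLENGE))
```

A relayed one-time code carries no such record of where it was typed, which is why the same proxy that defeats codes produces an assertion the real site rejects.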

Key Takeaways:

  • MFA is not a silver bullet. Proxy-enabled phishing attacks are increasingly effective.
  • WebAuthn offers a significantly stronger defense against this threat.
  • Organizations should prioritize the adoption of WebAuthn-based MFA.
