The technical sophistication of phishing-as-a-service (PhaaS) kits has reached a level that directly threatens organizations still relying on weak multi-factor authentication (MFA) methods. Cybercriminals have never had it easier: for a mere $200, they can purchase a two-week subscription to a kit capable of bypassing MFA.
This latest kit isn’t just a testament to the increasing commodification of cybercrime—it’s a sobering reminder that phishable factors like phone, email, and SMS codes are the new weak link in many organizations’ authentication strategies. Adding to the threat, attackers are increasingly exploiting trusted services like Cloudflare’s domains to host phishing pages, using pre-built templates, domain spoofing, and HTTPS certificates to create highly convincing fake login portals.
Organizations relying on SSO and assuming MFA provides an impenetrable layer of security may find themselves caught off guard. Let’s break down how this attack works, the risks it poses, and how Savvy Security ensures comprehensive protection against these threats.
Here’s an in-depth look at the technical process behind phishing kits capable of MFA Bypass:
1. Phishing Campaign Initialization
Modern phishing kits include fully automated tools to create phishing campaigns, lowering the entry barrier for attackers. These kits offer:
- Pre-Built Templates: Mimic legitimate login portals, complete with company logos, styles, and even security banners to avoid suspicion.
- Domain Spoofing: Attackers use techniques like homoglyph attacks (e.g., using “rnicrosoft.com” instead of “microsoft.com”) to create deceptive URLs.
- HTTPS Certificates: Kits automatically obtain valid TLS certificates for the lookalike domain (commonly from a free automated CA), so the browser shows the padlock. The padlock only proves an encrypted connection to the domain in the address bar; it says nothing about who controls that domain.
The goal is to ensure the phishing page looks indistinguishable from the legitimate login portal.
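As an added illustration of the domain-spoofing item above (this is not code from the original article or from Savvy), here is a small Python triage routine that folds common ASCII look-alikes such as "rn" for "m" and "0" for "o", then classifies a hostname against a list of protected brand domains. The PROTECTED set, the CONFUSABLES table and the naive registrable-domain logic are assumptions of the example; it also covers the case from the introduction where a brand name is parked in a subdomain of a trusted hosting platform.

```python
"""Lookalike-domain triage for a protected-brand list (added example)."""

# Constructed list of domains the organisation actually logs in to (assumption).
PROTECTED = {"microsoft.com", "okta.com", "github.com"}

# ASCII look-alike substitutions seen in phishing hostnames. Multi-character
# sequences come first so that "rn" collapses to "m" before single characters
# are touched.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def normalize(label: str) -> str:
    """Fold hyphens and look-alike characters so 'rnicr0soft' -> 'microsoft'."""
    label = label.lower().replace("-", "")
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels. Production code should use the Public Suffix List so
    that e.g. 'example.co.uk' is handled; kept naive here (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike', 'brand-in-subdomain' or 'unrelated'."""
    host = host.lower().rstrip(".")
    rd = registrable_domain(host)
    if rd in PROTECTED:
        return "legitimate"
    brands = {normalize(p.split(".")[0]) for p in PROTECTED}
    # Registrable domain that folds to a protected brand: rnicrosoft.com, 0kta.com.
    if any(brand in normalize(rd.split(".")[0]) for brand in brands):
        return "lookalike"
    # Brand name parked in a subdomain of someone else's domain, e.g. a page on
    # a free hosting platform: okta.login-verify.pages.dev.
    subdomain = host[: -len(rd)].rstrip(".") if host != rd else ""
    for label in filter(None, subdomain.split(".")):
        if any(brand in normalize(label) for brand in brands):
            return "brand-in-subdomain"
    return "unrelated"


if __name__ == "__main__":
    for h in ["login.microsoft.com", "rnicrosoft.com", "micr0soft-login.com",
              "okta.login-verify.pages.dev", "example.org"]:
        print(f"{h:32} {classify(h)}")
```

The check is a heuristic for triage of newly registered domains or URLs seen in mail, not a blocklist: a brand name appearing inside an unrelated word will also match, so results should feed a review queue rather than an automatic block.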
2. Credential Harvesting
When a victim enters their credentials on the phishing page, the kit intercepts this information and uses it to launch real-time attacks. Here’s what happens next:
- Credential Relay: The kit runs as a reverse proxy between the victim and the real login service. Whatever the victim types is forwarded to the legitimate server, and the server's responses, including the real MFA prompt, are relayed back, so the victim completes MFA against the genuine service without noticing anything unusual.
- Session Token Interception: Because every request and response passes through the proxy, the attacker captures the session cookie or token the server sets once authentication, MFA included, succeeds.
- Real-Time Validation: Some kits integrate with APIs or scripts that instantly verify the validity of credentials and tokens before proceeding with the attack.
3. MFA Bypass Execution
With the session cookie in hand, the attacker does not need to defeat MFA at all: the victim has already satisfied it, and the authenticated session that resulted is what was stolen. Key techniques include:
- Session Hijacking: Attackers import the stolen cookie into their own browser and are treated as the already-authenticated user. The server sees no failed login and no second MFA prompt, so nothing is flagged unless the service checks that the session is being used from the same device or network that authenticated.
- Token Reuse Across SSO: In SSO environments, a single valid session can be exchanged for access to every interconnected SaaS application, greatly widening the blast radius of one phished login.
- Privilege Escalation Scans: Some kits include automation to scan the victim's account for administrative privileges, allowing attackers to escalate their access across the organization.
4. Persistent Access and Exploitation
The final phase of the attack involves establishing persistent access and extracting valuable data. Kits often include post-exploitation tools for:
- Backdoor Installation: Attackers plant additional malicious scripts or create rogue admin accounts to ensure long-term access.
- Data Exfiltration: High-value targets such as customer data, proprietary technology, and financial records are extracted using automated scripts.
- Lateral Movement: By leveraging SSO access, attackers pivot to other systems, spreading the attack across the organization.
The Attacker’s Toolbox: Features of the Latest Kits
These kits often come with advanced features, making them a significant threat to organizations:
- Real-Time MFA Interception: Relays time-sensitive OTPs, SMS codes, and push approvals through the proxy as the victim completes them against the real service (a man-in-the-middle, or adversary-in-the-middle, attack).
- Multi-Session Handling: Simultaneously executes attacks on multiple victims using pre-configured workflows.
- Advanced Evasion Techniques: Bypasses common detection mechanisms, including anti-phishing filters and browser-based warnings.
- Targeted Phishing Campaigns: Kits allow attackers to customize campaigns to focus on high-value accounts like administrators or executives.
Why Traditional MFA Defenses Fall Short
Despite the widespread adoption of MFA, its effectiveness depends on which factor is used. Phishable factors, such as email, phone, or SMS codes, are increasingly exploited in MFA bypass attacks because a proxy can relay them in real time.
Organizations that rely on these weaker methods often have a false sense of security, leaving critical gaps for attackers to exploit.
Weak MFA vs. Strong MFA
- Phishable MFA (Weak):
- Methods such as phone, email, and SMS-based codes, and one-time codes typed from an authenticator app, can be relayed by a proxy in real time.
- Attackers use phishing kits to trick users into entering OTPs or approving fraudulent push notifications while the attacker's login is in progress.
- Phishing-Resistant MFA (Strong):
- FIDO2/WebAuthn authenticators, whether a platform passkey or a hardware security key, sign a server challenge with a private key that never leaves the device.
- The credential is scoped to the relying party's domain (the RP ID), and the browser records the page's actual origin in the signed data. A credential registered for the real login domain therefore cannot be exercised from a lookalike domain, and an assertion relayed from one fails the relying party's origin check, so a proxied login never completes.
Organizations relying on phishable MFA often assume their defenses are impenetrable, but the reality is that these methods leave open a critical attack vector.
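To make the "bound to the legitimate URL" point concrete, the following added example (not from the original article and not Savvy's code) models a WebAuthn assertion ceremony with the Python standard library and runs it through the phishing-proxy situation described above. The origins, the RP ID and the HMAC used in place of a real asymmetric signature are assumptions of the example; the checks themselves (the RP ID must match the page's effective domain, the relying party verifies origin and rpIdHash, the challenge is single-use) follow the WebAuthn specification.

```python
"""Why a FIDO2/WebAuthn login cannot be relayed through a phishing proxy (added example).
Stdlib-only model of three parties: the authenticator (key scoped to one RP ID), the
browser (derives the RP ID from the page origin and records that origin in
clientDataJSON) and the relying party (checks challenge, origin, rpIdHash, signature).
Assumption: an HMAC stands in for the real asymmetric signature (e.g. ECDSA P-256)."""
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rp_id_allowed(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: the RP ID must equal the page's effective domain or be a
    registrable suffix of it. Naive suffix check, no Public Suffix List."""
    domain = urlparse(origin).hostname or ""
    return domain == rp_id or domain.endswith("." + rp_id)

class Authenticator:
    def __init__(self):
        self.credentials = {}  # credential_id -> (rp_id, key)

    def make_credential(self, rp_id: str) -> bytes:
        cred_id = os.urandom(16)
        self.credentials[cred_id] = (rp_id, os.urandom(32))
        return cred_id

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        # Only a credential registered for exactly this RP ID can answer.
        for cred_id, (stored_rp_id, key) in self.credentials.items():
            if stored_rp_id == rp_id:
                # authenticatorData = rpIdHash || flags (UP) || signCount
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
                sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
                return cred_id, auth_data, sig
        raise LookupError("no credential for RP ID " + rp_id)

def browser_get(authn: Authenticator, page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """navigator.credentials.get() as the browser performs it for the calling page."""
    if not rp_id_allowed(rp_id, page_origin):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} is not valid for {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    cred_id, auth_data, sig = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict, registered: dict, origin: str, rp_id: str, challenge: bytes) -> str:
    """Relying-party checks in spec order; returns 'ok' or the first failing check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != origin:
        return "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    key = registered[assertion["id"]]  # stand-in for the stored public key
    msg = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, assertion["signature"]) else "bad signature"

def run_scenarios() -> dict:
    rp_id, origin, phish = "example.com", "https://login.example.com", "https://login.exarnple.com"
    authn = Authenticator()
    cred_id = authn.make_credential(rp_id)
    registered = {cred_id: authn.credentials[cred_id][1]}
    challenge = os.urandom(32)
    out = {}
    # 1. Genuine login from the real origin.
    good = browser_get(authn, origin, rp_id, challenge)
    out["legitimate"] = rp_verify(good, registered, origin, rp_id, challenge)
    # 2. Proxy relays the real page (rpId "example.com") from a look-alike origin: browser refuses.
    try:
        browser_get(authn, phish, rp_id, challenge)
        out["relayed_rp_id"] = "assertion produced"
    except PermissionError:
        out["relayed_rp_id"] = "browser refused"
    # 3. Kit rewrites rpId to its own domain: the key is scoped to example.com.
    try:
        browser_get(authn, phish, "exarnple.com", challenge)
        out["rewritten_rp_id"] = "assertion produced"
    except LookupError:
        out["rewritten_rp_id"] = "no credential for that RP ID"
    # 4. Attacker edits the origin inside a captured assertion: RP rejects it.
    forged = dict(good, clientDataJSON=good["clientDataJSON"].replace(origin.encode(), phish.encode()))
    out["forged_origin"] = rp_verify(forged, registered, origin, rp_id, challenge)
    # 5. A captured assertion replayed against a fresh challenge is rejected too.
    out["replayed"] = rp_verify(good, registered, origin, rp_id, os.urandom(32))
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

Scenarios 2 and 3 are the ones that matter for a relayed login: the proxy can forward every byte of the real page, but it cannot change the origin the browser sees, and the browser will neither use a credential for an RP ID that does not match that origin nor find one scoped to the attacker's domain. Scenarios 4 and 5 show that even a captured assertion is useless to the attacker.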
Exploitation Scenarios
Here’s how attackers take advantage of weak MFA implementations:
- Intercepting Weak MFA Tokens:
- Phishing kits relay MFA codes and push approvals in real time while the victim logs in through the proxy.
- The resulting session cookie is used immediately, so the access appears to be the victim's own successful login.
- Credential Harvesting and Reuse:
- Passwords harvested through phishing are often tested across other corporate systems that lack MFA protections.
- Credential reuse exposes organizations to further risks, especially if weak MFA is the only line of defense for sensitive applications.
- Session Hijacking:
- Even when MFA is in place, an attacker who captures the session cookie set after authentication can present it and be treated as the authenticated user; MFA is never prompted again for that session.
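The session hijacking described in step 3 of the attack chain and again in the scenario above leaves one trace on the server side: the cookie issued to the victim's browser is later presented from the attacker's. As an added example (not part of the original article, and not Savvy's product logic), the Python below runs that check over a constructed sign-in log; the JSON field names and the events themselves are invented for the example.

```python
"""Flagging a session cookie presented from a client other than the one that
authenticated (added example). Log format and field names are constructed for
this example and are not any specific IdP's schema."""
import json
from datetime import datetime

# Constructed sample: Alice's session is presented 38 s after issuance from a
# different network and browser (the attacker's); Bob's IP changes inside the
# same network with the same browser, a normal NAT/roaming pattern.
SAMPLE_LOG = """\
{"ts":"2024-05-02T09:00:03Z","event":"session_issued","user":"alice","session":"s-7f3a","ip":"198.51.100.23","asn":"AS64496","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-02T09:00:09Z","event":"request","user":"alice","session":"s-7f3a","ip":"198.51.100.23","asn":"AS64496","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-02T09:00:41Z","event":"request","user":"alice","session":"s-7f3a","ip":"203.0.113.77","asn":"AS64511","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125"}
{"ts":"2024-05-02T09:05:00Z","event":"session_issued","user":"bob","session":"s-c019","ip":"192.0.2.10","asn":"AS64500","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-02T09:06:30Z","event":"request","user":"bob","session":"s-c019","ip":"192.0.2.11","asn":"AS64500","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(log: str) -> list:
    events = []
    for line in log.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def client_fingerprint(ev: dict) -> tuple:
    # ASN rather than raw IP so that ordinary address churn inside one network
    # is not flagged; the user agent adds a second, independent signal.
    return ev["asn"], ev["ua"]


def find_replayed_sessions(log: str) -> list:
    """One finding per session whose cookie is presented from a client
    fingerprint different from the one it was issued to."""
    issued, findings, flagged = {}, [], set()
    for ev in parse_events(log):
        if ev["event"] == "session_issued":
            issued[ev["session"]] = ev
            continue
        origin = issued.get(ev["session"])
        if origin is None or ev["session"] in flagged:
            continue  # no baseline in this log window, or already reported
        if client_fingerprint(ev) != client_fingerprint(origin):
            flagged.add(ev["session"])
            findings.append({
                "session": ev["session"],
                "user": ev["user"],
                "issued_to": (origin["ip"], origin["asn"]),
                "used_from": (ev["ip"], ev["asn"]),
                "seconds_since_issue": int((ev["ts"] - origin["ts"]).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

Kits can copy the victim's User-Agent and route their traffic through residential proxies, so a fingerprint mismatch is one triage signal, not a control. The durable fix is the phishing-resistant MFA discussed above, which prevents the session from being issued to the proxy in the first place.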
How Savvy Strengthens MFA and Mitigates Bypass Risks
Savvy enables organizations to classify and upgrade MFA usage across their SaaS environments, reducing exposure to weak MFA risks and guiding users toward phishing-resistant methods.
Classification of MFA Use
Browser-Level Detection: Savvy's browser plugin detects where MFA is used for managed applications, whether through SSO or direct logins, and surfaces credential risks for user logins that lack MFA. It also classifies each MFA configuration as strong or weak based on the authentication method used, giving organizations granular visibility into the security of their MFA implementations.
Insights at the IdP Level: Depending on the identity provider (IdP) in use (e.g., Microsoft Entra, Okta), Savvy can provide even deeper insights, such as a breakdown of MFA method adoption. For instance:
- Identification of phishing-resistant methods, such as FIDO2/WebAuthn authenticators (passkeys in an authenticator app or platform, or hardware security keys).
- Detection of weak MFA methods like phone, email, and SMS codes.
- Analysis of accounts lacking MFA controls to highlight opportunities for strengthening authentication policies.
This enhanced classification capability helps organizations pinpoint exactly where they rely on weak, phishable factors and take action to address those vulnerabilities.
Visibility and Risk Prioritization:
- Savvy continuously monitors authentication behaviors, highlighting where weak MFA is still in use and identifying high-risk accounts that require immediate attention.
- The platform assigns risk scores based on MFA configuration and credential hygiene, enabling targeted remediation.
Automated Remediation:
- Using customizable playbooks, Savvy enforces MFA and mitigates risks associated with phishable factors.
- Playbooks also trigger workflows to reset compromised credentials and enforce stricter authentication policies across SaaS applications.
Closing the Gaps in Identity Security
MFA bypass attacks highlight a hard truth: phishable factors are not enough. The rise of PhaaS kits only amplifies this reality. Organizations need to adopt phishing-resistant MFA and comprehensive identity-first solutions like Savvy to stay ahead of evolving threats.
Don’t let a $200 phishing kit compromise your organization. Ensure coverage and use of strong forms of MFA across the org.