
Cybercriminals are circumventing multi-factor authentication


Multi-factor authentication (MFA) is no longer the strong line of defense it used to be. MFA has long been considered one of the most effective ways to stop phished credentials from turning into an account takeover, but researchers at Cisco Talos have found that cybercriminals now routinely bypass this security layer.

This shift in attack tactics means organizations need to review their existing security strategies. The researchers have identified a clear increase in so-called adversary-in-the-middle (AitM) attacks. Instead of a traditional phishing page that merely imitates a login form, the attacker hosts a reverse proxy server on a look-alike domain. The proxy opens its own connection to the service's real login page and relays every request and response between the victim and the legitimate service.

At first glance the user notices nothing unusual: apart from the look-alike domain in the address bar, what they see is the real login page. They log in as usual and confirm the MFA prompt. What they do not see is that all of this traffic passes through the attacker's server. The proxy captures not only the username and password but also the session cookie the service issues once MFA succeeds. That cookie is the proof of an already authenticated session, so the attacker can replay it from their own browser and obtain full access without a further MFA prompt and without any action by the user.

More Phishing-as-a-Service platforms

A second development observed by Cisco Talos is the growing availability of so-called Phishing-as-a-Service platforms. These ready-made toolkits, such as EvilProxy and Tycoon 2FA, let attackers run AitM campaigns without in-depth technical knowledge. They ship with templates for popular services, filters on IP addresses and user agents so that the phishing page is shown only to intended victims and not to security scanners, and techniques to evade detection by security software. As a result, more and more cybercriminals can carry out professional, large-scale phishing campaigns.

The analysis also shows that traditional security measures such as spam filters and cyber awareness training are proving less and less effective against these attacks. Even the combination of a password and a push notification, a widely used MFA variant, can be defeated with the right infrastructure: because the proxy submits the victim's credentials to the real service in real time, the push arrives on the victim's phone at exactly the moment they expect it, and they approve it. In some cases attackers, once inside, also enroll an additional MFA device on the account. This often goes unnoticed and gives them persistent access that a password reset alone does not remove.
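Two of the follow-on behaviours described above, replaying a stolen session cookie and enrolling an extra MFA device, leave traces in identity-provider audit logs. The Go program below is an added example, not code from Cisco Talos or from this article, that runs two such detection rules over a small constructed log. The event names, the field layout, the IP addresses and the 30-minute enrolment window are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// authEvent is a constructed, minimal identity-provider audit record. Real IdP logs
// carry many more fields, but these are the signals the two rules below need.
type authEvent struct {
	Time      time.Time `json:"time"`
	User      string    `json:"user"`
	Event     string    `json:"event"`      // mfa_ok | session_use | mfa_method_added
	SessionID string    `json:"session_id"` // an identifier for the session, never the cookie value
	IP        string    `json:"ip"`
	UserAgent string    `json:"ua"`
}

type finding struct{ User, Rule, Detail string }

// fingerprint ties a session to the client that completed the MFA step.
func fingerprint(e authEvent) string { return e.IP + " / " + e.UserAgent }

// parseEvents reads newline-delimited JSON audit records.
func parseEvents(lines string) ([]authEvent, error) {
	var out []authEvent
	for _, l := range strings.Split(strings.TrimSpace(lines), "\n") {
		var e authEvent
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// detect flags two follow-on behaviours of an adversary-in-the-middle compromise:
// (1) a session that passed MFA is later presented from a different IP/user agent, i.e. the
// stolen cookie replayed from the attacker's own client; (2) an MFA method is enrolled within
// enrolWindow of an MFA completion from an IP the user never used before (persistence).
// baseline lists the IPs each user is already known to log in from.
func detect(baseline map[string][]string, events []authEvent, enrolWindow time.Duration) []finding {
	var findings []finding
	sessionOwner := map[string]string{}  // session id -> fingerprint at MFA completion
	knownIP := map[string]bool{}         // "user|ip" pairs seen before
	newIPLogin := map[string]authEvent{} // user -> latest MFA completion from an unknown IP
	for user, ips := range baseline {
		for _, ip := range ips {
			knownIP[user+"|"+ip] = true
		}
	}
	for _, e := range events {
		switch e.Event {
		case "mfa_ok":
			sessionOwner[e.SessionID] = fingerprint(e)
			if !knownIP[e.User+"|"+e.IP] {
				knownIP[e.User+"|"+e.IP] = true
				newIPLogin[e.User] = e
			}
		case "session_use":
			if owner, ok := sessionOwner[e.SessionID]; ok && owner != fingerprint(e) {
				findings = append(findings, finding{e.User, "session_cookie_reuse",
					fmt.Sprintf("session %s passed MFA from %s, now used from %s", e.SessionID, owner, fingerprint(e))})
			}
		case "mfa_method_added":
			if login, ok := newIPLogin[e.User]; ok && e.Time.Sub(login.Time) <= enrolWindow {
				findings = append(findings, finding{e.User, "mfa_enrol_after_new_ip_login",
					fmt.Sprintf("MFA method enrolled %s after first login from %s", e.Time.Sub(login.Time), login.IP)})
			}
		}
	}
	return findings
}

// sampleLog is constructed for this example. alice's MFA completion reaches the IdP from the
// proxy's address (198.51.100.7) because the proxy, not her browser, talks to the real site;
// the attacker then replays her session from 192.0.2.33 and enrols a new factor. bob is clean.
const sampleLog = `
{"time":"2024-05-01T09:00:00Z","user":"alice","event":"mfa_ok","session_id":"s-1","ip":"198.51.100.7","ua":"Chrome/124 Windows"}
{"time":"2024-05-01T09:00:05Z","user":"alice","event":"session_use","session_id":"s-1","ip":"198.51.100.7","ua":"Chrome/124 Windows"}
{"time":"2024-05-01T09:03:00Z","user":"alice","event":"session_use","session_id":"s-1","ip":"192.0.2.33","ua":"python-requests/2.31"}
{"time":"2024-05-01T09:12:00Z","user":"alice","event":"mfa_method_added","session_id":"s-1","ip":"192.0.2.33","ua":"python-requests/2.31"}
{"time":"2024-05-01T09:15:00Z","user":"bob","event":"mfa_ok","session_id":"s-2","ip":"203.0.113.20","ua":"Firefox/125 macOS"}
{"time":"2024-05-01T09:20:00Z","user":"bob","event":"session_use","session_id":"s-2","ip":"203.0.113.20","ua":"Firefox/125 macOS"}`

var sampleBaseline = map[string][]string{"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

func main() {
	events, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detect(sampleBaseline, events, 30*time.Minute) {
		fmt.Printf("%-6s %-28s %s\n", f.User, f.Rule, f.Detail)
	}
}
```

Both rules are heuristics. Mobile clients change IP address legitimately, and an attacker who replays the cookie through the same proxy address and user agent will not trip the first rule, so in practice these signals feed a risk score or trigger a step-up rather than block on their own.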

Passwordless authentication

According to Cisco Talos, it is therefore crucial that organizations prepare for these evolving threats. Authentication technologies that withstand advanced phishing tactics can significantly reduce the likelihood of a successful attack. One example is WebAuthn, a standardized, passwordless form of authentication based on public-key cryptography. Each credential is a key pair bound to the website's domain: the browser includes the origin of the page in the data the authenticator signs, and the service rejects any signature that was produced on another domain. A proxy on a look-alike domain therefore cannot obtain a usable login, and because there is no password or one-time code to type, there is nothing for it to capture.
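How the domain binding defeats a reverse proxy is easiest to see in the relying party's verification steps. The Go program below is an added example, not code from the article or from any WebAuthn library, that models a simplified assertion ceremony with ES256. The authenticator, the relying party, the domain names and the fixed challenge are all assumptions for the example; extension data and the registration ceremony are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors CollectedClientData: the browser fills in the origin of the page that
// called navigator.credentials.get(), and the authenticator's signature covers its SHA-256.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives for a login attempt.
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4); extensions omitted
	Signature         []byte // ES256 over authenticatorData || SHA-256(clientDataJSON)
}

type authenticator struct{ priv *ecdsa.PrivateKey } // stands in for a security key

// sign produces an assertion for whatever origin the user's browser is actually on.
func (a *authenticator) sign(rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; sign count 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedHash(authData, cd))
	return assertion{cd, authData, sig}, err
}

// signedHash is the value an ES256 assertion signature covers.
func signedHash(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// relyingParty is the real service; rpID, origin and the credential public key were fixed at
// registration. The challenge is fixed for the example; a real service issues a fresh one per login.
type relyingParty struct {
	rpID, origin, challenge string
	pub                     *ecdsa.PublicKey
}

// verify performs the checks that bind an assertion to this service's own domain.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.challenge {
		return fmt.Errorf("wrong type or challenge: replayed or foreign assertion")
	}
	if cd.Origin != rp.origin { // a reverse proxy's look-alike domain shows up here
		return fmt.Errorf("origin mismatch: browser was on %s, expected %s", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to another RP ID")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedHash(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("bad signature: clientDataJSON was altered after signing")
	}
	return nil
}

// rewriteOrigin models a proxy that patches the origin field before forwarding the assertion.
func rewriteOrigin(a assertion, origin string) assertion {
	var cd clientData
	_ = json.Unmarshal(a.ClientDataJSON, &cd)
	cd.Origin = origin
	a.ClientDataJSON, _ = json.Marshal(cd)
	return a
}

// setup registers one fresh credential with the relying party.
func setup() (*authenticator, *relyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rp := &relyingParty{rpID: "login.example.com", origin: "https://login.example.com",
		challenge: "example-challenge-0001", pub: &priv.PublicKey}
	return &authenticator{priv}, rp, nil
}

func main() {
	auth, rp, _ := setup()
	legit, _ := auth.sign(rp.rpID, rp.origin, rp.challenge)
	proxied, _ := auth.sign(rp.rpID, "https://login.example.com.evil.test", rp.challenge) // proxy's domain
	fmt.Println("legit:  ", rp.verify(legit))
	fmt.Println("proxied:", rp.verify(proxied))
	fmt.Println("patched:", rp.verify(rewriteOrigin(proxied, rp.origin)))
}
```

The proxy loses both ways: forwarding the assertion unchanged fails the origin check, and patching the origin field invalidates the signature, because the signature covers the hash of clientDataJSON. In a real browser the scenario fails even earlier, since the browser refuses a navigator.credentials.get() call whose RP ID is not a registrable suffix of the page's own domain, so the authenticator is never asked to sign.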

However, the analysis shows that WebAuthn adoption is still limited. Cisco Talos therefore recommends that organizations stop treating MFA as a static measure and instead see it as part of a broader, continuously adapted security approach. That includes not only more robust authentication methods but also network monitoring, AI-supported threat detection, and a Zero Trust architecture.