
Microsoft Warns of Increasing Use of MFA Bypass Tools in Phishing Attacks

Threat actors are stepping up their use of Adversary-in-the-Middle attacks that bypass multi-factor authentication tools, Microsoft says.

March 14, 2023 Zachary Comeau

A malicious link shared in a phishing message for an AiTM campaign. Courtesy/Microsoft

Microsoft is warning organizations of an uptick in Adversary-in-the-Middle (AiTM) phishing kits that are capable of bypassing multi-factor authentication (MFA) through reverse-proxy functionality, rendering useless a security tool that many organizations now deploy.

In a new blog post, the Microsoft Threat Intelligence Team dives into a threat actor it calls DEV-1101, a group that develops, supports and advertises several AiTM phishing kits that other threat actors can leverage in their attacks.

This specific AiTM phishing kit is an open-source kit that automates setting up and launching phishing activity, and the DEV-1101 group provides support services to attackers. Other cybercriminal groups have had access to the phishing kit since last year, and DEV-1101 has since made several improvements, including the ability to manage campaigns from a mobile device and evasion features like CAPTCHA pages.

Microsoft has since observed several high-volume phishing campaigns from various actors using the AiTM kit from DEV-1101, and millions of phishing emails using the kit have been sent each day since the group began advertising the kit in spring 2022.

According to Microsoft, one of the more common phishing attacks leveraging the kit appears typical of phishing activity, with the email masquerading as a Microsoft document. The example given is from DEV-0928, one of the more prominent threat actors leveraging the phishing kit.

Microsoft security researchers say two different evasions might result from clicking the link in the phishing message. The DEV-1101 kit’s antibot functionality might trigger an href redirection to a benign page.

“The default redirection domain defined in the source code is example.com; however, any actor using the kit may define a different redirection domain,” researchers say.

The AiTM kit also allows threat actors to use CAPTCHA to evade detection. Inserting a CAPTCHA page into the phishing sequence could make it more difficult for automated systems to reach the final phishing page, while a human could easily click through to the next page, Microsoft researchers say.

After the evasion pages, the phishing landing page is presented to the target from an actor-controlled host through the phishing actor’s reverse proxy setup.

From there, the threat actor’s server will capture credentials entered by the user. If MFA is enabled, the AiTM kit continues to function as a proxy between the user and the user’s sign-in service, which allows the server to capture the resulting session cookie as the user completes an MFA sign-in. This allows an attacker to bypass MFA with the session cookie and the user’s stolen credentials.

While MFA can stop a wide variety of credential-based attacks, attackers are always finding new ways around security controls, including new MFA bypass techniques. According to Microsoft, MFA is the reason threat actors are pivoting to AiTM session cookie theft.

Microsoft advises organizations to set security defaults to improve identity security posture and evaluate sign-in requests using additional identity-driven signals such as group membership, IP location information and device status.

Other policies such as compliant devices or trusted IP address requirements can help protect users from attacks that leverage stolen credentials, researchers say. Organizations are also advised to invest in anti-phishing solutions that scan incoming emails and visited websites.
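To show how the device-status and trusted-IP signals described above apply to a proxied sign-in and to later reuse of the session cookie, here is an added example; it is not code from Microsoft or from the article. The event fields, the trusted network range and the sample events are assumptions constructed for illustration and do not follow any real sign-in log schema.

```python
import ipaddress
from dataclasses import dataclass

# Assumed trusted egress range (a documentation prefix, not a real network).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass(frozen=True)
class Event:
    user: str
    session_id: str  # identifier tied to the session cookie
    ip: str
    device_id: str   # empty when the client presents no registered device
    compliant: bool  # device status as reported to the identity provider
    kind: str        # "signin" (MFA completed) or "access" (cookie presented)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def evaluate(events):
    """Return (event, reason) findings for sign-ins and session reuse."""
    findings = []
    issued = {}  # session_id -> the sign-in event that created the session
    for ev in events:
        if ev.kind == "signin":
            issued[ev.session_id] = ev
            # A reverse proxy relays the password and the MFA response, so the
            # identity provider sees the proxy host instead of the user's device.
            if not ev.compliant and not is_trusted(ev.ip):
                findings.append((ev, "signin-unmanaged-device-untrusted-ip"))
        elif ev.kind == "access":
            origin = issued.get(ev.session_id)
            if origin is None:
                findings.append((ev, "session-without-recorded-signin"))
            elif (ev.ip, ev.device_id) != (origin.ip, origin.device_id):
                # Cookie presented from a context other than the one that signed in.
                findings.append((ev, "session-context-changed"))
    return findings

# Constructed sample events: alice signs in normally, bob through a proxy.
SAMPLE = [
    Event("alice", "s1", "203.0.113.10", "dev-a", True, "signin"),
    Event("alice", "s1", "203.0.113.10", "dev-a", True, "access"),
    Event("bob", "s2", "198.51.100.7", "", False, "signin"),
    Event("bob", "s2", "192.0.2.44", "", False, "access"),
]

if __name__ == "__main__":
    for ev, reason in evaluate(SAMPLE):
        print(ev.user, ev.session_id, ev.ip, reason)
```

The context-change check also fires on legitimate network changes such as a laptop moving between networks, so treat it as a signal to weigh with the others, not as a verdict.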

Microsoft also listed several capabilities of Microsoft 365 Defender that are designed to help protect from AiTM attacks. Read the blog for more information.


Tagged With: Cybersecurity, Microsoft, phishing
