WhiteMail
ブログに戻る
·WhiteMail Security Team#trends#mfa#aitm

Trend — getting around MFA: MFA fatigue, AiTM, and session-token theft

Multi-factor authentication (MFA) closed off a huge problem: a stolen password alone stopped being enough to log in. Predictably, attackers shifted. The trend now is a set of techniques aimed not at the password but at the second factor — or at skipping it entirely.

The techniques, plainly

  • MFA fatigue (push bombing) — the attacker already has the password and triggers a flood of approval prompts to the victim's phone, betting that one will get tapped out of annoyance, confusion, or habit. The factor "worked"; the human was worn down.
  • AiTM (adversary-in-the-middle) — the victim is lured to a proxy page that sits between them and the real login. They enter the password and complete MFA for real, but the proxy captures the resulting session token in transit. The attacker replays the token and is logged in — MFA and all.
  • Session-token / cookie theft — the same idea via a different route: malware or a malicious page steals an authenticated session cookie, and the attacker reuses it. The login already happened; they just borrow the result.

The common thread: none of these break the cryptography of MFA. They go around it — by exploiting the human approving, or by stealing the proof of a legitimate login after the fact.

Why email is usually the first step

Almost all of this starts with a message. AiTM needs the victim to click a link to the proxy page. MFA fatigue needs the password, which usually came from an earlier phish. The email is the doorway; the MFA bypass is what happens once someone walks through it.

What you can do

  • Prefer phishing-resistant MFA (passkeys / FIDO2 hardware-bound factors) where you can — these are designed to resist AiTM in a way that one-time codes and push approvals are not.
  • Train for the specific reflex: an approval prompt you did not initiate is a report, not a tap. Never approve to make the prompts stop.
  • Shorten and monitor sessions for sensitive systems, so a stolen token has a smaller window to be useful.
  • And catch the doorway: the lure that delivers the AiTM link or harvests the password is an email problem first. Reading that message's intent before the click is the cheapest place to stop the whole chain.

Think a link leads to a credential-capture page? Drop the email into the Analyze console and let SA-03 follow where it really goes.