Add Modern MFA Attack Patterns and Mitigations Section#2244
Add Modern MFA Attack Patterns and Mitigations Section#2244sujalavnelavai wants to merge 15 commits into
Conversation
This update adds a new subsection covering modern MFA bypass techniques, including: - Real-Time Phishing (AiTM) - SIM Swap & Phone Number Takeover - Token Theft & Session Hijacking - Device Binding Bypass - MFA Downgrade Attacks (OAuth/SSO) Each attack pattern includes concise mitigations and authoritative references from NIST, CISA, Microsoft, Google, FIDO Alliance, Trusted Computing Group, and Apple. The section aligns with current industry guidance on phishing-resistant MFA, device attestation, and assurance-level enforcement. No existing content was modified outside this new subsection.
Added updated references
| **Mitigations:** | ||
|
|
||
| - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. | ||
| - CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). |
There was a problem hiding this comment.
Explain this? (I don't understand it as it stands).
Also include the link in the first "CISA" instance?
There was a problem hiding this comment.
Thanks for the review. I’ve clarified the mitigation text. Also, regarding the CISA reference — CISA does not actually describe or recommend "Number Matching." That feature is specific to Microsoft Authenticator. I’ve updated the wording so it no longer implies a CISA connection and added a clearer explanation of the mitigation itself.
|
|
||
| - Enforce **Number Matching** / Challenge-Response to break the "Approve" loop. | ||
| - CISA – Phishing Guidance: Stopping the Attack Cycle at Phase One.[CISA]( https://www.cisa.gov). | ||
| - Strictly rate-limit and lock out MFA prompts after repeated unapproved attempts ([OWASP ASVS v4.0](https://owasp.org/www-project-application-security-verification-standard/)). |
There was a problem hiding this comment.
Link TO ASVS5.0 ? :) Also deep link to ASVS specific requirement.
|
|
||
| ### Real-Time Phishing (Adversary-in-the-Middle / AiTM) | ||
|
|
||
| Attackers use reverse-proxy tools (e.g., Evilginx) to intercept credentials and standard MFA tokens (SMS, TOTP) in real-time. |
There was a problem hiding this comment.
Maybe some more explanations are needed. It looks like you talk about MITM the connection with the target website but I believe you actually want to automate impersonation about the target web site?
There was a problem hiding this comment.
Thanks for the feedback. I’ve clarified the description. The intent is to describe AiTM phishing kits that proxy the user’s session to the real site and capture the authenticated session cookies, enabling automated impersonation. I’ll update the text to make that distinction clearer.
| **Mitigations:** | ||
|
|
||
| - Mandate **Phishing-Resistant MFA** (FIDO2 / WebAuthn) which cryptographically binds the authentication to the origin URL ([CISA Phishing Guidance](https://www.cisa.gov/sites/default/files/2025-03/Phishing%20Guidance%20-%20Stopping%20the%20Attack%20Cycle%20at%20Phase%20One%20508.pdf)). | ||
| - Implement risk-based authentication to block known VPN/proxy IP spaces and impossible travel ([CISA. Zero Trust Maturity Model, Identity Pillar](https://www.cisa.gov/zero-trust-maturity-model). |
There was a problem hiding this comment.
Does this actually help in this case?
There was a problem hiding this comment.
Good point. Phishing‑resistant MFA directly mitigates AiTM because the authentication is origin‑bound. Risk‑based authentication doesn’t stop AiTM itself, but it can detect suspicious access patterns after the attacker attempts to reuse the stolen session. I’ll adjust the wording to reflect that distinction.
| - **Deprecate Telephony MFA** for high-privilege accounts ([NIST SP 800-63-4](https://pages.nist.gov/800-63-4/sp800-63.html)). | ||
| - Default to TOTP authenticator apps or FIDO2 hardware keys. | ||
|
|
||
| ### Token Theft & Session Hijacking |
There was a problem hiding this comment.
"Impossible travel" detection would be useful in this case?
There was a problem hiding this comment.
Yes- impossible travel is useful here, but only as a detection mechanism after a stolen token is replayed from a different location. I’ll clarify that it’s a post‑compromise signal rather than a preventative control.
| **Mitigations:** | ||
|
|
||
| - Implement **Continuous Access Evaluation (CAE)** with short-lived tokens ([Microsoft CAE Documentation](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation)). | ||
| - Enforce strict cookie flags (`HttpOnly`, `Secure`, `SameSite=Strict`) and bind sessions to device hardware. |
There was a problem hiding this comment.
I would split this bullet point in two.
There was a problem hiding this comment.
Agreed - these are separate mitigations. I’ll split them into two bullets.
| **Mitigations:** | ||
|
|
||
| - Store device identity keys strictly in non-exportable hardware modules (TPM or Secure Enclave). | ||
| - Require OS-level platform attestation (e.g., Android Play Integrity, iOS DeviceCheck) before granting access. |
There was a problem hiding this comment.
I really don't believe this is really useful for security. On the other hands, this is real PITA for actual users, harmful for interoperability.
There was a problem hiding this comment.
And it blocks actual legitimate users who don't want to use Google or Apple OS from using the MFA solution. This is therefore actually harmful for security, an issue for society in general and a problem for sovereignty (which is ultimately a problem for security).
There was a problem hiding this comment.
Understood - that’s a fair point. Platform attestation is highly vendor‑specific and can introduce interoperability and accessibility issues. I’ll remove this mitigation to keep the guidance vendor‑neutral and broadly applicable.
Updated references under the section "MFA Fatigue Attacks"
Added detailed explanations and updated references for some sections in Modern MFA attack patterns
Corrected markdown lint error.
2 participants
This update adds a new subsection covering modern MFA bypass techniques, including:
Each attack pattern includes concise mitigations and authoritative references from NIST, CISA, Microsoft, Google, FIDO Alliance, Trusted Computing Group, and Apple.
The section aligns with current industry guidance on phishing-resistant MFA, device attestation, and assurance-level enforcement.
I have independently verified every citation and technical claim against the cited source.
You're A Rockstar
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
[TEXT](URL)Scope and sourcing (required)
[text](URL).If your PR is related to an issue, please finish your PR text with the following line:
This PR fixes issue #2229 `.
AI Tool Usage Disclosure (required for all PRs)
Please select exactly one of the following options. PRs that leave this section blank will be closed.
I have NOT used any AI tool to generate the contents of this PR.
This update adds a new subsection covering modern MFA bypass techniques, including:
Real-Time Phishing (AiTM)
SIM Swap & Phone Number Takeover
Token Theft & Session Hijacking
Device Binding Bypass
MFA Downgrade Attacks (OAuth/SSO)
Each attack pattern includes concise mitigations and authoritative references from NIST, CISA, Microsoft, Google, FIDO Alliance, Trusted Computing Group, and Apple.
The section aligns with current industry guidance on phishing-resistant MFA, device attestation, and assurance-level enforcement.
I have independently verified every citation and technical claim against the cited source.
the contents and I affirm the results. The LLM used is "Microsoft Copilot (2026)"
and the prompt used is "Assist me in reviewing the Multifactor Authentication
Cheat Sheet, drafting updated text for modern MFA attack patterns, and helping
me format citations and references clearly." I have independently verified every
citation and technical claim against the cited source.
[Feel free to add more details if needed]
Thank you again for your contribution 😃