A new technical analysis from Cisco Talos reveals that multi-factor authentication (MFA) systems, once considered the gold standard of security, are under systematic assault using 'man-in-the-middle' tactics and notification fatigue.
By: MSB
For years, expert advice was simple: "activate MFA and you are safe." However, the latest report from Cisco Talos describes an alarming paradigm shift. Attackers no longer attempt to guess passwords; they are now designing infrastructures to intercept security tokens in real time and trick users into opening the door.
AiTM Technique: The Distorting Mirror
The report highlights the rise of Adversary-in-the-Middle (AiTM) attacks. Unlike traditional phishing, which seeks a password, in AiTM the attacker deploys a proxy server between the user and the real service (such as Microsoft 365).
When the user enters their credentials and their MFA code on the fake page, the attacker immediately relays them to the legitimate site. The result is the theft of the session token. With this token, the criminal can enter the account directly without needing to request the password or the second factor again, bypassing the protection entirely.
"MFA Fatigue": Exhaustion as a Weapon
Another tactic gaining traction is MFA Bombing, or notification fatigue. Taking advantage of the fact that many companies use push notifications on mobile, attackers launch hundreds of access requests in a row.
The goal is to frustrate the user or catch them off guard so that, by mistake or simply out of exhaustion, they press "Approve" to silence the phone. Once access is granted, the attacker usually registers a new device of their own on the victim's account to ensure persistence.
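Both patterns described above leave traces in sign-in telemetry. The following is an added detection example (not code from the Talos report): it flags a burst of push challenges against one user, and a session whose first use comes from a different IP than the one that completed MFA, a heuristic for a token relayed through an AiTM proxy. The event format and field names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (not from the Talos report); field names
# are assumptions. Each tuple: (timestamp, user, event type, source IP, session).
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "mfa_push", "198.51.100.7", None),
    ("2024-05-01T08:00:20", "alice", "mfa_push", "198.51.100.7", None),
    ("2024-05-01T08:00:45", "alice", "mfa_push", "198.51.100.7", None),
    ("2024-05-01T08:01:10", "alice", "mfa_push", "198.51.100.7", None),
    ("2024-05-01T08:01:30", "alice", "mfa_push", "198.51.100.7", None),
    ("2024-05-01T08:02:00", "alice", "mfa_success", "198.51.100.7", "s-alice-1"),
    ("2024-05-01T08:02:05", "alice", "session_use", "198.51.100.7", "s-alice-1"),
    ("2024-05-01T09:00:00", "bob", "mfa_push", "203.0.113.9", None),
    ("2024-05-01T09:00:30", "bob", "mfa_success", "203.0.113.9", "s-bob-1"),
    ("2024-05-01T09:00:35", "bob", "session_use", "192.0.2.44", "s-bob-1"),
]

def _parse(events):
    for ts, user, kind, ip, session in events:
        yield datetime.fromisoformat(ts), user, kind, ip, session

def detect_mfa_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Users who received at least `threshold` push challenges inside one `window`."""
    pushes = defaultdict(list)
    for ts, user, kind, _, _ in _parse(events):
        if kind == "mfa_push":
            pushes[user].append(ts)
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def detect_session_ip_mismatch(events):
    """Sessions first used from an IP other than the one that completed MFA.
    AiTM heuristic: the proxy completes MFA, the token is then replayed from
    elsewhere. Events are assumed to be in chronological order."""
    mfa_ip, flagged = {}, set()
    for _, _, kind, ip, session in _parse(events):
        if kind == "mfa_success":
            mfa_ip[session] = ip
        elif kind == "session_use" and session in mfa_ip and mfa_ip[session] != ip:
            flagged.add(session)
    return flagged
```

Both checks are heuristics: legitimate mobile users also change IPs, so the mismatch result is best combined with the known-IP and device-health signals mentioned later in the article rather than used as a blocking rule on its own.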
Infrastructure Blind Spots
Talos identifies three critical weaknesses that cybercrime groups are successfully exploiting:
Legacy Protocols: The use of old protocols (such as POP3 or IMAP) that do not support MFA and allow attackers to access mailboxes via brute-force attacks.
Lack of Context: MFA notifications that only say "Approve/Deny" without showing the geographical location or the application requesting access.
Incomplete Configurations: Companies that secure email but forget to enable MFA on VPNs or cloud administration tools.
Cisco Talos warns that not all MFAs are equal. To combat these threats, organizations must evolve toward more robust methods:
Implementing FIDO2 and physical keys: Using hardware security keys (such as YubiKeys) is, as of today, the only method resistant to AiTM-type attacks.
Number Matching: Forcing the user to enter a number on their mobile that appears on the login screen, eliminating the possibility of approving a notification by mistake.
Conditional Access Policies: Restricting logins based on the user's location, device health, and whether the IP address is known.