# Full Report
In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.
# Analysis Summary
# Tool/Technique: MFA Exploitation & Cascaded Phishing
## Overview
In 2025, threat actors shifted focus toward exploiting Multi-Factor Authentication (MFA) workflows and leveraging "Identity Trust." This involves bypassing or subverting MFA via spray attacks and unauthorized device registration, as well as using compromised internal accounts to launch "cascaded" phishing campaigns against trusted third parties and partners.
## Technical Details
- **Type**: Technique / Attack Framework
- **Platform**: Cloud Identity Providers (IdP), IAM Platforms (Okta, Azure AD/Entra ID), Microsoft 365, SaaS environments.
- **Capabilities**: MFA bypass, unauthorized device enrollment, internal email spoofing, SSO token theft.
- **First Seen**: Increased prevalence documented throughout 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566.002 - Phishing: Spearphishing Link (Workflow-style lures)
  - T1078 - Valid Accounts
- **TA0006 - Credential Access**
  - T1110.003 - Brute Force: Password Spraying (MFA Spraying)
  - T1556.006 - Modify Authentication Process: Multi-Factor Authentication
- **TA0003 - Persistence**
  - T1098.005 - Account Manipulation: Device Registration
- **TA0005 - Defense Evasion**
  - T1564 - Hide Artifacts (Abusing Microsoft 365 Direct Send)
## Functionality
### Core Capabilities
- **Microsoft 365 Direct Send Abuse**: Exploiting the method used by networked devices (printers/scanners) to send internal emails that bypass standard external security filters and appear to originate from the same domain.
- **MFA Spraying**: Automated attempts to exhaust or bypass MFA prompts in environments with predictable identity behaviors or weak lockout policies.
- **Cascaded Phishing**: Using a compromised trusted account to send specialized lures to partners and third-party vendors, capitalizing on the established business relationship.
### Advanced Features
- **Malicious Device Registration**: Using voice phishing (vishing) to trick IT administrators into registering an attacker-controlled device under a valid user profile, bypassing future MFA requirements.
- **Identity & Access Management (IAM) Targeting**: Compromising IAM applications to gain the ability to modify user roles, permissions, and global MFA policies.
## Indicators of Compromise
- **File Names**: N/A (Focus is on identity and cloud-native exploitation).
- **Network Indicators**:
  - Unrecognized IP addresses accessing SSO/IAM portals.
  - Phishing domains mimicking internal travel or expense reporting tools (e.g., `internal-travel-check[.]com`).
- **Behavioral Indicators**:
  - High volume of "Direct Send" email traffic from unusual internal sources.
  - Emails with subject lines containing keywords: *request, invoice, fwd, report, tampering, domain, configuration, token*.
  - Sudden spike in new device enrollments for high-privilege users.
  - Multiple failed MFA prompts followed by a successful login from a new geolocation.
## Associated Threat Actors
- While specific groups were not named in the brief, the techniques are consistent with sophisticated **Business Email Compromise (BEC)** groups and **Initial Access Brokers (IABs)**.
## Detection Methods
- **Behavioral Detection**: Monitoring for "MFA Fatigue" patterns or impossible travel alerts.
- **Email Security**: Implementing "Reject Direct Send" controls and monitoring internal-to-internal email headers for spoofing.
- **Log Analysis**: Identifying unauthorized changes to MFA policies or administrative role assignments within IAM platforms.
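The behavioral indicator above (a burst of denied MFA prompts followed by a success from a location the user has never signed in from) can be turned into a simple detection over sign-in events. This is an added example, not code from the report; the event fields and the sample records are constructed and stand in for whatever your IdP's sign-in log actually exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data): one record per MFA prompt outcome.
EVENTS = [
    {"user": "alice", "ts": "2025-03-04T08:00:00", "result": "mfa_success", "country": "DE"},
    {"user": "alice", "ts": "2025-03-04T21:01:00", "result": "mfa_denied",  "country": "NG"},
    {"user": "alice", "ts": "2025-03-04T21:02:00", "result": "mfa_denied",  "country": "NG"},
    {"user": "alice", "ts": "2025-03-04T21:03:00", "result": "mfa_denied",  "country": "NG"},
    {"user": "alice", "ts": "2025-03-04T21:04:30", "result": "mfa_success", "country": "NG"},
    {"user": "bob",   "ts": "2025-03-04T09:00:00", "result": "mfa_denied",  "country": "DE"},
    {"user": "bob",   "ts": "2025-03-04T09:00:40", "result": "mfa_success", "country": "DE"},
]


def detect_mfa_fatigue(events, min_failures=3, window=timedelta(minutes=15)):
    """Alert when a user passes MFA from a country never seen in an earlier clean
    success, right after at least `min_failures` denied prompts within `window`."""
    alerts = []
    recent_fail = defaultdict(deque)     # user -> timestamps of denied prompts in window
    known_countries = defaultdict(set)   # user -> countries seen in prior clean successes
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        fails = recent_fail[user]
        while fails and ts - fails[0] > window:  # expire denials outside the window
            fails.popleft()
        if ev["result"] == "mfa_denied":
            fails.append(ts)
            continue
        # Success: suspicious if it ends a burst of denials and comes from a new country
        if len(fails) >= min_failures and ev["country"] not in known_countries[user]:
            alerts.append({"user": user, "failed_prompts": len(fails),
                           "country": ev["country"], "ts": ev["ts"]})
        else:
            # Only clean successes extend the user's location baseline
            known_countries[user].add(ev["country"])
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print(alert)
```

Bob's single denial followed by a success from his usual country is treated as an ordinary mistyped prompt; only alice's run of denials ending in a success from a never-seen country is flagged.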
## Mitigation Strategies
- **Prevention Measures**:
  - Enforce **Phishing-Resistant MFA** (FIDO2/WebAuthn).
  - Enable Microsoft's "Reject Direct Send" control to prevent internal spoofing.
  - Strict enforcement of SPF, DKIM, and DMARC.
- **Hardening Recommendations**:
  - Implement strict lockout policies for failed MFA attempts.
  - Require administrative "out-of-band" verification for all new device registrations.
  - Conditional Access policies that restrict logins to managed/known-compliant devices.
## Related Tools/Techniques
- **Adversary-in-the-Middle (AiTM)**: Used to steal SSO tokens in real-time.
- **Vishing (Voice Phishing)**: Often used in conjunction with device compromise to manipulate help desk staff.
- **LOLBins**: Used for post-exploitation once internal access is gained via phishing.