Full Report
Stolen credentials turn authentication systems into the attack surface. Token shows how wearable biometric authentication verifies the user—not the session—blocking phishing relays and MFA bypass. [...]
Analysis Summary
# Tool/Technique: Adversary-in-the-Middle (AiTM) Phishing Relays
## Overview
Adversary-in-the-Middle (AiTM) phishing relays bypass Multi-Factor Authentication (MFA) by placing a transparent reverse proxy between the victim and the legitimate service. Unlike credential phishing, which only captures a password that MFA would still protect, the relay forwards the victim's password and MFA response to the real identity provider as they are entered and captures the session cookie the provider issues in return. The attacker ends up holding an authenticated session, not just a credential.
## Technical Details
- **Type**: Technique / Attack Framework
- **Platform**: Multi-platform (Web-based services, SaaS, IAM providers like Okta, Microsoft 365)
- **Capabilities**: Credential harvesting, MFA prompt relaying, session cookie theft (token hijacking), and automated bypass of legacy MFA (SMS, TOTP, Push).
- **First Seen**: The technique predates the tooling. Evilginx (2017) and Modlishka (2019) made reverse-proxy phishing practical, and automated Phishing-as-a-Service offerings proliferated from around 2021-2022 onward.
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- **[T1557 - Adversary-in-the-Middle]**
- **[T1111 - Multi-Factor Authentication Interception]**
- **[T1539 - Steal Web Session Cookie]**
- **[TA0001 - Initial Access]**
- **[T1566.002 - Phishing: Spearphishing Link]**
- **[TA0005 - Defense Evasion]** / **[TA0008 - Lateral Movement]**
- **[T1550.004 - Use Alternate Authentication Material: Web Session Cookie]**
- **[TA0003 - Persistence]**
- **[T1556.006 - Modify Authentication Process: Multi-Factor Authentication]** (attacker enrolls their own MFA method after the hijack)
## Functionality
### Core Capabilities
- **Reverse Proxying**: The attacker hosts a server that mirrors the legitimate login page and forwards traffic to the actual identity provider.
- **Real-time Relay**: Captures the victim's credentials and MFA codes or approvals and submits them to the target server as they arrive, so time-bound codes are still valid when the proxy uses them.
- **Session Hijacking**: Once the user completes the MFA check, the attacker captures the resulting session cookie and imports it into their own browser, impersonating the user without the password or a second MFA prompt until the session expires or is revoked.
### Advanced Features
- **Automation**: Toolkits handle thousands of targets automatically, turning hand-crafted phishing into mass-market operations.
- **Evasion of Legacy MFA**: SMS OTP, TOTP (authenticator apps) and simple push approvals are bypassed because the proof is a value the user types, or an approval the user grants, in response to a login the proxy initiated. Nothing in the code or the approval is bound to the origin the user is actually interacting with, so a relayed response is indistinguishable from a genuine one; the factor verifies the *code*, not the *origin* or the *presence* of the user.
## Indicators of Compromise
- **File Hashes**: *N/A (the technique is infrastructure-based; kits such as Evilginx2 or Muraena have identifiable binaries, but these run on the attacker's server, not the victim endpoint)*
- **File Names**: `evilginx`, `muraena`, `phishlet` configuration files. These are only visible when relay infrastructure is seized or scanned; do not expect them on victim hosts.
- **Registry Keys**: N/A
- **Network Indicators**:
- Lookalike domains (e.g., `login-microsoft-verify[.]com`)
- Sign-ins whose source IP belongs to a hosting provider or VPS range rather than the user's usual residential or corporate network (the identity provider sees the relay's address, not the victim's).
- Session cookies presented from a source IP other than the one that authenticated them.
- **Behavioral Indicators**:
- User logins originating from one IP while the session cookie is immediately used by another IP.
- Modification of MFA settings (adding a new device) immediately after a successful login.
## Associated Threat Actors
- **Scattered Spider** (UNC3944)
- **Lapsus$**
- Various Phishing-as-a-Service (PhaaS) providers.
## Detection Methods
- **Signature-based detection**: Block known kit infrastructure (lookalike domains, known relay IPs, URL patterns recovered from captured phishlets) at email gateways and web proxies. The phishlet itself lives on the attacker's server, so it is not something an endpoint agent will see.
- **Behavioral detection**: Identify "Impossible Travel" (logins from geographically distant locations in a short timeframe) or session cookie reuse from disparate IP ranges.
- **Header and Fingerprint Analysis**: The relay, not the victim's browser, opens the TLS connection to the identity provider, so the TLS client fingerprint (JA3/JA4) and header ordering seen at login may not match a real browser even when the User-Agent string is copied through. `X-Forwarded-For` only helps where your own edge inserts it; a User-Agent that differs between the sign-in and later use of the same session is the simpler tell.
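The behavioral indicators listed above (session cookie used from a second IP, MFA method added right after the sign-in) and the session-reuse detection method, run as rules over constructed sign-in telemetry. This is an added example, not code from the original report; the JSON-lines events, IP addresses, user names and field names are constructed and do not follow any vendor's sign-in log schema.

```python
"""Two AiTM post-compromise rules over constructed sign-in events.

Rule 1: a session presented from a different network than the one that
authenticated it, within a short window of the sign-in.
Rule 2: an MFA method enrolled shortly after such a suspicious sign-in.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed telemetry: alice is benign; bob's session is minted from one
# network and immediately used from another, then a new MFA method appears.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","event":"signin","user":"alice","ip":"198.51.100.7","session":"s-1","ua":"Chrome/123 Windows"}
{"ts":"2024-05-01T09:00:05Z","event":"access","user":"alice","ip":"198.51.100.7","session":"s-1","ua":"Chrome/123 Windows"}
{"ts":"2024-05-01T09:12:00Z","event":"signin","user":"bob","ip":"203.0.113.40","session":"s-2","ua":"Safari/17 Mac"}
{"ts":"2024-05-01T09:12:30Z","event":"access","user":"bob","ip":"192.0.2.99","session":"s-2","ua":"Firefox/125 Linux"}
{"ts":"2024-05-01T09:14:00Z","event":"mfa_method_added","user":"bob","ip":"192.0.2.99","session":"s-2","method":"authenticator-app"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def same_network(a: str, b: str, prefix: int = 24) -> bool:
    """Treat addresses in the same /24 as one network to tolerate NAT churn."""
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def detect(text: str,
           reuse_window: timedelta = timedelta(minutes=10),
           mfa_window: timedelta = timedelta(minutes=30)) -> list:
    """Return a list of alert dicts; each session is flagged at most once."""
    events = parse_events(text)
    signin_by_session = {}   # session id -> the sign-in event that created it
    flagged = set()
    alerts = []
    for e in events:
        if e["event"] == "signin":
            signin_by_session[e["session"]] = e
            continue
        origin = signin_by_session.get(e.get("session"))
        if origin is None:
            continue
        age = e["ts"] - origin["ts"]
        # Rule 1: sign-in from one network, cookie used from another right away.
        if (e["session"] not in flagged and age <= reuse_window
                and not same_network(e["ip"], origin["ip"])):
            flagged.add(e["session"])
            alerts.append({
                "rule": "session_ip_mismatch",
                "user": e["user"], "session": e["session"],
                "signin_ip": origin["ip"], "used_from": e["ip"],
                "ua_changed": e.get("ua") != origin.get("ua"),
            })
        # Rule 2: attacker registers their own MFA method for persistence.
        if (e["event"] == "mfa_method_added" and e["session"] in flagged
                and age <= mfa_window):
            alerts.append({
                "rule": "mfa_enrolled_after_suspicious_signin",
                "user": e["user"], "session": e["session"],
                "method": e.get("method"), "from_ip": e["ip"],
            })
    return alerts
```

Rule 1 compares networks rather than exact addresses because mobile and carrier-grade NAT legitimately rotate addresses inside a block; tighten or loosen the prefix to match your user base. Rule 2 deliberately keys on a session that rule 1 already flagged, so a user enrolling a new phone after a normal sign-in does not page anyone.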
## Mitigation Strategies
- **FIDO2/WebAuthn**: Hardware security keys (e.g., YubiKeys) or biometric-assured wearables resist phishing because the browser binds every assertion to the origin of the page that requested it and the relying party rejects assertions for any other origin. A relay on a lookalike domain therefore cannot obtain a usable assertion, no matter what the user does.
- **Managed Device Requirements**: Only allow logins from compliant, MDM-enrolled devices.
- **Conditional Access Policies**: Restrict logins by geographic location, IP allow-listing, or risk-based signals; these raise the cost of a relay hosted on a VPS but do not by themselves stop one that sits inside an allowed range.
- **Identity Assurance**: Transition from "session verification" to "user verification" using biometric-backed hardware.
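Why a relay defeats the phishable factors described under Advanced Features yet fails against the origin-bound FIDO2/WebAuthn factor described in Mitigation Strategies, shown as a simulation of both flows. This is an added example, not code from the original report or from any authenticator vendor. Everything in it is constructed: the two origins, the TOTP seed, the credential key and the message shapes. The WebAuthn side models only the property that matters here, the origin the browser writes into clientDataJSON, and uses an HMAC under a shared key as a stand-in for the authenticator's asymmetric key pair so it runs with the standard library alone; real assertions sign authenticatorData concatenated with SHA-256(clientDataJSON), but the relying-party origin check is the same.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
from dataclasses import dataclass, field

LEGIT_ORIGIN = "https://login.example"         # the real identity provider (constructed)
PHISH_ORIGIN = "https://login-verify.example"  # the attacker's relay domain (constructed)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class IdentityProvider:
    totp_secret: bytes
    credential_key: bytes                     # stand-in for the registered FIDO public key
    challenges: set = field(default_factory=set)
    sessions: set = field(default_factory=set)

    def issue_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def login_totp(self, code: str, now: int):
        """Accepts any correct code from anyone: nothing ties it to an origin."""
        if hmac.compare_digest(code, totp(self.totp_secret, now)):
            return self._new_session()
        return None

    def login_webauthn(self, client_data: bytes, signature: bytes):
        data = json.loads(client_data)
        if data.get("origin") != LEGIT_ORIGIN:   # RP rejects assertions for other origins
            return None
        if data.get("challenge") not in self.challenges:
            return None
        self.challenges.discard(data["challenge"])
        expected = hmac.new(self.credential_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            return None
        return self._new_session()

    def _new_session(self) -> str:
        token = secrets.token_hex(16)   # the session cookie an AiTM relay is after
        self.sessions.add(token)
        return token


def browser_webauthn(page_origin: str, challenge: str, credential_key: bytes):
    """Browser + authenticator on navigator.credentials.get(): the browser, not the
    page, writes the origin, so a phishing page cannot claim to be LEGIT_ORIGIN."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    signature = hmac.new(credential_key, client_data, hashlib.sha256).digest()
    return client_data, signature


class AitmRelay:
    """Transparent proxy: forwards whatever the victim submits, keeps the result."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.captured_session = None

    def relay_totp(self, code: str, now: int):
        self.captured_session = self.idp.login_totp(code, now)
        return self.captured_session

    def relay_webauthn(self, client_data: bytes, signature: bytes):
        self.captured_session = self.idp.login_webauthn(client_data, signature)
        return self.captured_session


def run_scenarios() -> dict:
    idp = IdentityProvider(totp_secret=b"constructed-totp-seed",
                           credential_key=b"constructed-credential-key")
    relay = AitmRelay(idp)
    now = int(time.time())

    # 1. Victim reads six digits off their app and types them into the phishing page.
    totp_session = relay.relay_totp(totp(idp.totp_secret, now), now)

    # 2. Victim taps their security key on the phishing page. The relay fetched a
    #    genuine challenge, but the browser stamps the page's real (phishing) origin.
    challenge = idp.issue_challenge()
    cd, sig = browser_webauthn(PHISH_ORIGIN, challenge, idp.credential_key)
    fido_session = relay.relay_webauthn(cd, sig)

    # 3. Same user, same key, on the real site.
    cd2, sig2 = browser_webauthn(LEGIT_ORIGIN, idp.issue_challenge(), idp.credential_key)
    direct_session = idp.login_webauthn(cd2, sig2)

    return {"totp_relayed": totp_session is not None,
            "webauthn_relayed": fido_session is not None,
            "webauthn_direct": direct_session is not None}
```

`run_scenarios()` returns `totp_relayed: True, webauthn_relayed: False, webauthn_direct: True`: the relayed TOTP code mints a session for the attacker, the relayed WebAuthn assertion is rejected purely on the origin field, and the same key works when the user is on the genuine site. In a real browser there is a second barrier the simulation omits: the phishing page cannot even request a credential for the genuine relying-party ID, because the browser only allows an rpId that matches the page's own domain.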
## Related Tools/Techniques
- **Evilginx2 / Evilginx3**: Popular frameworks for AiTM phishing.
- **Muraena/Modlishka**: Early reverse proxy phishing tools.
- **Credential Stuffing**: Using leaked databases (e.g., RockYou2024) to find valid account pairs.
- **Social Engineering**: Calling help desks to reset MFA devices (bypassing the technical relay entirely).