Phishing Despite Active MFA

Cyber threats are becoming increasingly sophisticated with lateral movement being undetected for quite a while in corporate environments. Attackers regularly bypass traditional protection measures such as multi-factor authentication (MFA). Despite the widespread use of two-factor authentication (2FA), organizations still fall victim to phishing attacks, credential hijacking, and more advanced techniques that put sensitive data at risk. Below, we'll explore the latest phishing tactics, including browser-in-the-browser attacks, Evilginx, and device code phishing, and how organizations can strengthen their defenses against these evolving threats.

The evolution of phishing attacks

Cybercriminals constantly refine their methods to bypass MFA protections, putting organizations at risk. To make matters worse, MFA, often considered the gold standard for digital account protection, is becoming increasingly vulnerable to sophisticated attacks. According to a Bitkom study from 2024, 25% of companies suffered losses due to phishing, highlighting the ongoing danger.

While awareness training has long been the first line of defense, attackers adapt their tactics to outsmart it. New phishing methods are much more subtle, making traditional authentication and training measures increasingly less effective.

Emerging phishing techniques

• Evilginx is an advanced open-source tool that intercepts credentials and session tokens even when MFA is enabled. By interposing between the user and the legitimate server, attackers can intercept usernames, passwords, and access tokens and pose as authenticated users.
• Browser-in-the-browser attacks: Attackers create fake pop-up windows in the victim's browser that simulate an authentic login page - often mimicking platforms such as Microsoft 365 or PayPal - to steal login credentials.
• Device code phishing: This type exploits authentication codes to log in to devices without a keyboard (such as smart TVs). The attackers trick their victims into entering a code on a legitimate website, granting them access without a username or password.

This method bypasses traditional email security filters and sandboxing because no malicious file is initially attached. Once executed, the script downloads a stealthy malware loader, which uses living-off-the-land (LotL) techniques to establish persistence while remaining undetected by EDR and SIEM solutions.

MFA bypass via phishing and URL encoding obfuscation:

A phishing email tricks the user into clicking a seemingly legitimate but obfuscated URL, encoded using base64 or hex encoding to evade detection by security tools. The victim is redirected to a perfect replica of their corporate login page (browser-in-the-browser attack), where they unknowingly enter their credentials. Meanwhile, an adversary-in-the-middle (AiTM) proxy captures their session token and bypasses MFA, granting the attacker direct access to internal systems. Since the attack leverages legitimate user credentials and an encrypted session, XDR and SIEM solutions struggle to differentiate it from normal behavior, allowing the attacker to move undetected within the network.

How lateral movement begins after a successful phishing & obfuscation attack

Once attackers gain a foothold via HTML smuggling or MFA bypass, they initiate lateral movement using stealthy and trusted techniques. Suppose access was achieved through an adversary-in-the-middle (AiTM) phishing attack. In that case, they can hijack valid user sessions or steal credentials, then escalate privileges using pass-the-cookie or token replay—all without triggering alarms. When entry occurs through a compromised endpoint, attackers often deploy tools like Mimikatz to extract further credentials and gain broader access. Leveraging Single Sign-On (SSO) and federated authentication, they move across cloud services, VPNs, and internal apps without reauthentication, using built-in tools like PowerShell, WMI, or PsExec to evade EDR/XDR detection. Tools like BloodHound allow them to map and target privileged accounts, domain controllers, or sensitive systems. For persistence and data theft, attackers use legitimate cloud services (e.g., OneDrive or Slack) for C2 communication, hide data in encrypted or steganographic formats, and create backdoor accounts or remote access trojans to ensure ongoing access—all while mimicking normal user behavior to remain undetected.

What security measures are now needed?

Traditional security measures such as one-time passwords (OTPs), push notifications, and basic two-factor authentication (2FA) are no longer sufficient in today's threat landscape. Once considered robust, these mechanisms are now routinely bypassed by modern phishing attacks. Techniques like man-in-the-middle (MitM) and credential-stuffing allow attackers to intercept or reuse legitimate credentials, gaining unauthorized access even when 2FA is enabled.

The weaknesses of conventional detection systems like EDR, XDR, and SIEM is their focus on malware execution. EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) are highly effective at identifying known malware signatures or abnormal process behavior. However, many modern phishing attacks exploit trusted user sessions or use built-in system tools—a technique known as living-off-the-land (LotL)—which EDR and XDR are not designed to flag. At the same time, SIEM solutions often rely on predefined rules and known attack patterns, making them ineffective against novel, slow-burning threats that mimic normal user behavior. Adding to the challenge is the issue of alert fatigue. Many alerts generated by SIEMs or XDRs are too vague or too frequent, leading to ignoring low-priority warnings. This allows attackers to operate under the radar, particularly when their behavior—such as unusual logins or minor privilege escalations—doesn’t immediately appear malicious.

At the technical level, businesses need to adopt a layered security strategy. While EDR, XDR, SIEM, and SOAR remain essential, they must be complemented by real-time analytics, User and Entity Behavior Analytics (UEBA), and network-level visibility: a proactive, adaptive, and behavior-driven approach to security is the only way to stay ahead.

How the movement starts

The lateral movement begins once attackers gain initial access through phishing techniques like HTML smuggling or MFA bypass. With stolen credentials or valid session tokens from an adversary-in-the-middle (AiTM) attack, they can impersonate users and bypass authentication barriers. Attackers often use pass-the-cookie or token replay methods to escalate their privileges quietly. When access is gained via malware, tools like Mimikatz are deployed to harvest further credentials from the compromised system. From there, they move laterally across the environment using SSO and federated authentication, which allows seamless transitions between services without additional logins. Utilizing living-off-the-land binaries (LOLBins) like PowerShell or WMI, they execute commands that are hard to distinguish from legitimate admin activity. Tools like BloodHound help them identify privileged users and pivot toward high-value targets like domain controllers or sensitive databases. Meanwhile, they establish command-and-control (C2) communication through trusted cloud platforms and exfiltrate data using encryption or steganography. To ensure persistent access, attackers often create backdoor accounts or deploy RATs under the guise of legitimate users. Traditional EDR, XDR, and SIEM solutions usually miss these movements, as they rely on malware detection and signature-based rules, making them ineffective against trusted session abuse and stealthy admin behavior.

To strengthen detection, UEBA monitors patterns like improbable login locations, rapid privilege escalations, and suspicious activity, highlighting threats that blend in with legitimate use. Microsegmentation and Zero Trust policies add another layer of defense by restricting movement between systems and reducing the attacker’s options. Traditional EDR and SIEM solutions may miss these stealthy activities, but NDR provides visibility across the network, including east-west traffic. These tools create a behavior-based detection strategy that addresses threats beyond malware signatures. Integrating real-time monitoring, adaptive access control, and behavioral analytics makes organizations better equipped to respond to incidents. The key is to move from reactive defenses to proactive, intelligence-driven protection that stops lateral movement before critical systems are reached.

What we do for you

Exeon helps organizations detect phishing threats early through real-time network monitoring and attack detection. Even if attackers bypass Multi-Factor Authentication (MFA), Exeon identifies Man-in-the-Middle (MitM) attacks and abnormal access behavior. Its AI-driven anomaly detection recognizes patterns like credential theft and phishing-related lateral movement, stopping attackers from spreading across the network. Exeon also monitors for access token abuse and unauthorized device logins, blocking the use of stolen credentials.

With User Entity Behavior Analytics (UEBA), Exeon tracks logins, privilege changes, and access requests to identify real-time account takeovers. It flags compromised accounts by analyzing login timing, location, or device usage anomalies. Exeon’s NDR capabilities detect suspicious internal (east-west) traffic, unexpected admin tool activity, and command-and-control (C2) communications. This enables organizations to intercept lateral movement before critical systems are compromised. It also detects compromised user sessions, including attempts to steal data, exploit the cloud, or launch internal phishing attacks. With this proactive and intelligent approach, Exeon empowers companies to avoid phishing threats and maintain complete network visibility.

Conclusion: Strengthen your protection against evolving phishing attacks now!

Phishing attacks have evolved far beyond fake emails and easily spotted scams, now targeting users with techniques that can bypass even advanced defenses like MFA. As attackers exploit session hijacking, HTML smuggling, and browser-in-the-browser deception, traditional tools like EDR, XDR, and SIEM increasingly fall short—mainly when attackers use trusted credentials and legitimate system tools. These modern attacks move quickly from initial compromise to lateral movement, using stealthy techniques that blend in with expected user behavior and evade detection. Organizations can no longer rely solely on static defenses or user awareness training; instead, they need a dynamic, multi-layered security strategy.

Network Detection & Response (NDR) and User Behavior Analytics (UEBA) play a critical role in identifying unusual patterns, lateral movement, and command-and-control traffic early. Proactive measures such as Zero Trust policies, real-time monitoring, and micro-segmentation significantly reduce the attacker’s room to maneuver. Exeon provides a robust solution by delivering network-wide visibility, AI-driven threat detection, and real-time alerting—even when MFA fails. By detecting anomalies in login behavior, token use, and internal traffic, Exeon helps security teams act before attackers reach sensitive systems.

Ultimately, staying ahead of phishing threats requires a shift from reactive to proactive defense—one that understands attacker behavior, monitors the entire network, and adapts in real-time. Don't be caught off guard by phishing attacks—secure your network with Exeon today!