TLCTC Blog - 2025/05/04
Understanding MFA Bypass Attacks Through the TLCTC Framework
The Evolution of Authentication Attacks
As Multi-Factor Authentication (MFA) has become a standard security control across organizations, threat actors have evolved their tactics to bypass these additional layers of security. Today, we'll examine how the Top Level Cyber Threat Clusters (TLCTC) framework provides valuable insight into understanding different MFA bypass techniques and their attack paths.
Classic vs. Real-Time MFA Bypass Techniques
MFA bypass attacks generally fall into two primary categories, each with distinct attack paths:
1. Classic Asynchronous Credential Phishing (#9 → #4)
This traditional approach begins with Social Engineering (#9) where an attacker creates a fraudulent website mimicking a legitimate service. The victim is tricked into visiting this site and entering their credentials, which are then harvested for later use. The attack directly exploits the generic vulnerability of "weak identity management processes and credential protection mechanisms" that defines Identity Theft (#4).
In this scenario, there's no real-time connection to the legitimate service during the initial credential theft. The attacker must later use these credentials independently, potentially facing MFA challenges they cannot overcome without additional attack techniques.
2. Real-Time "Man-in-the-Middle" Phishing (#9 → #5 → #4 → #5 → #4)
This more sophisticated approach, as illustrated in recent technical reports, involves an attacker positioning themselves between the victim and the legitimate service using reverse proxy technologies. The attack sequence is:
- Social Engineering (#9): The victim is tricked into visiting a convincing phishing site controlled by the attacker.
- Man in the Middle (#5): The attacker's reverse proxy relays all communication between the victim and the legitimate site, exploiting "the lack of sufficient control over the communication channel/path."
- Identity Theft (#4): The victim's credentials are captured as they pass through the attacker's proxy.
- Man in the Middle (#5): When the legitimate site sends an MFA challenge, it passes through the attacker's proxy to the victim.
- Identity Theft (#4): After the victim completes the MFA challenge, the attacker captures the resulting authentication cookies, allowing them persistent access to the account.
This attack is particularly dangerous because it bypasses MFA by intercepting the entire authentication flow in real time, rather than trying to defeat the MFA mechanism itself.
MFA Fatigue: Another Attack Path
A third notable MFA bypass technique is MFA Bombing or MFA Fatigue, which follows a different attack path: #4 → #1 → #9 → #4
- Identity Theft (#4): The attacker starts with previously obtained username and password credentials.
- Abuse of Functions (#1): The attacker repeatedly triggers MFA push notifications, exploiting "the scope of software functions" by misusing a legitimate feature in an unintended way.
- Social Engineering (#9): The barrage of notifications exploits "human psychological factors" like fatigue, annoyance, or confusion, manipulating the victim into approving one of the authentication requests.
- Identity Theft (#4): With the approved MFA challenge, the attacker completes the identity theft process.
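The detection side of this path, as an added example that is not part of the original post: a small Python detector run over constructed authentication log lines in an assumed key=value format (not any real product's log format). It flags a burst of push challenges for one user inside a time window, and separately flags an approval that follows such a burst, which is the moment the #9 → #4 step of MFA fatigue succeeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "key=value" layout; timestamps are UTC.
SAMPLE_LOG = """\
2025-05-04T09:00:01Z user=alice event=mfa_push_sent src=203.0.113.5
2025-05-04T09:00:09Z user=alice event=mfa_push_denied src=203.0.113.5
2025-05-04T09:00:15Z user=alice event=mfa_push_sent src=203.0.113.5
2025-05-04T09:00:31Z user=alice event=mfa_push_sent src=203.0.113.5
2025-05-04T09:00:44Z user=alice event=mfa_push_sent src=203.0.113.5
2025-05-04T09:01:02Z user=alice event=mfa_push_sent src=203.0.113.5
2025-05-04T09:01:10Z user=alice event=mfa_push_approved src=203.0.113.5
2025-05-04T09:05:00Z user=bob event=mfa_push_sent src=198.51.100.7
2025-05-04T09:05:06Z user=bob event=mfa_push_approved src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")

def parse(log: str):
    """Yields (timestamp, user, event) for every well-formed line; skips the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)

def detect_mfa_fatigue(log: str, threshold: int = 4, window_s: int = 120) -> list:
    """Returns alerts in log order:
       ('burst', user, n)            -- n push challenges for user within window_s seconds
       ('approved_after_burst', user) -- the user approved a push while a burst was active"""
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    burst_active = set()          # users currently under a flagged burst
    alerts = []
    for ts, user, event in parse(log):
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > timedelta(seconds=window_s):   # slide the window
                q.popleft()
            if len(q) >= threshold and user not in burst_active:   # alert once per burst
                burst_active.add(user)
                alerts.append(("burst", user, len(q)))
        elif event == "mfa_push_approved" and user in burst_active:
            alerts.append(("approved_after_burst", user))
            burst_active.discard(user)
    return alerts
```

The same counter is what a rate limit on push challenges would key on; the "approved after burst" alert is the one worth routing to the SOC, since a lone burst may only be a confused user.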
Applying the Bow-Tie Risk Model
Using the TLCTC's bow-tie risk model, we can identify that these attack paths typically lead to the central "Loss of Control" event, specifically compromised user accounts. This can then result in various data risk events:
- Loss of Confidentiality: Unauthorized access to sensitive information in the compromised account
- Loss of Integrity: Manipulation of data within the compromised account
- Loss of Availability: Potential lockout of legitimate users if attackers change recovery information
| Attack Type | TLCTC Sequence | Key Vulnerabilities Exploited |
|---|---|---|
| Classic Credential Phishing | #9 → #4 | Human trust, weak identity management |
| Real-Time MitM Phishing | #9 → #5 → #4 → #5 → #4 | Human trust, insecure communication channels, session token handling |
| MFA Fatigue/Bombing | #4 → #1 → #9 → #4 | Feature abuse, human psychological factors, notification fatigue |
Strategic vs. Operational Controls
The TLCTC framework's two-tiered approach helps organizations develop appropriate security controls:
Strategic Level Controls:
At this level, organizations should focus on broad protections against the identified threat clusters:
- Security awareness training to prevent Social Engineering (#9)
- Strong identity and access management to mitigate Identity Theft (#4)
- Communication security to prevent Man in the Middle (#5)
- Feature scope limitations to prevent Abuse of Functions (#1)
Operational Level Controls:
These more specific controls target the particular sub-threats:
- FIDO2/WebAuthn implementations that resist proxy-based MitM attacks
- Phishing-resistant MFA methods (hardware security keys)
- Contextual and risk-based authentication
- Rate limiting for authentication attempts to prevent MFA bombing
- Number matching for MFA approvals rather than simple "Approve/Deny" options
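Why FIDO2/WebAuthn resists the reverse-proxy path above, as an added example that is not part of the original post: a minimal Python model of the relying-party checks. The browser writes the origin it is actually connected to into clientDataJSON and the authenticator binds the RP ID into authenticatorData, both of which are covered by the signature, so an assertion produced on a phishing origin (constructed placeholder domain below) is rejected even though the proxy relayed the genuine challenge. A real authenticator signs with ECDSA; HMAC with a shared key stands in here so the example runs offline.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "accounts.example.com"              # assumed relying-party ID
RP_ORIGIN = "https://accounts.example.com"  # the only origin this RP accepts
PHISH_ORIGIN = "https://login.proxy-phish.example"  # constructed placeholder for the proxy's origin

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def browser_and_authenticator(key: bytes, origin: str, rp_id: str, challenge: bytes) -> dict:
    """What the victim's browser plus authenticator hand back for one assertion.
    The browser records the origin it is really talking to; the authenticator
    hashes the RP ID it was invoked for. Both end up under the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags|counter
    sig = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(key: bytes, issued_challenge: bytes, a: dict) -> tuple:
    """Relying-party checks; each one closes a different bypass."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != issued_challenge.hex():      # freshness: no replay of old assertions
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:                      # origin binding: defeats the reverse proxy
        return False, "origin mismatch: " + cd.get("origin", "")
    if a["authenticatorData"][:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, a["authenticatorData"] + sha256(a["clientDataJSON"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):  # nothing above can be edited after signing
        return False, "bad signature"
    return True, "ok"

def simulate(origin: str, rp_id: str, replay: bool = False) -> tuple:
    """One login: the RP issues a fresh challenge, the browser answers from `origin`.
    With replay=True the RP has since issued a new challenge and the old assertion is reused."""
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    assertion = browser_and_authenticator(key, origin, rp_id, challenge)
    if replay:
        challenge = secrets.token_bytes(32)
    return rp_verify(key, challenge, assertion)
```

In the proxied case the browser will only allow an RP ID that matches the phishing origin, so `simulate(PHISH_ORIGIN, "login.proxy-phish.example")` is the best a relayed login can produce, and the origin check rejects it before the rpIdHash check is reached.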
Conclusion
The TLCTC framework provides a powerful lens for understanding the various attack paths used to bypass MFA. By recognizing that different MFA bypass techniques exploit different generic vulnerabilities and follow distinct attack sequences, security teams can implement more targeted and effective countermeasures.
Organizations should evaluate their authentication systems against all three attack paths described above, ensuring they have appropriate controls at both strategic and operational levels to protect against these sophisticated threats. Remember that the strength of your MFA implementation isn't just in the technology itself, but in understanding and mitigating the entire attack sequence that could compromise it.