Why is traditional MFA failing against modern phishing attacks?

How adversary-in-the-middle attacks are undermining traditional MFA protections

MFA is designed to secure user accounts (AI-generated image).

A growing ecosystem of cybercriminal tools is making it easier than ever to bypass some of the most widely used forms of multifactor authentication (MFA). These phishing kits are not only effective—they’re accessible to even non-technical users, enabling them to launch sophisticated attacks that defeat common defenses against account takeovers.

MFA is designed to secure user accounts by requiring a second form of verification beyond a password. This second factor is often a one-time passcode sent by text or email, or generated by an authentication app. Other methods include biometrics or the use of physical keys. In theory, even if an attacker captures a user’s credentials through phishing, they shouldn’t be able to access the account without this second factor. But in practice, attackers have adapted[1].

Phishing-as-a-service toolkits lower the barrier

As reported by Cisco Talos, an entire underground industry has formed around defeating these MFA methods. The attack technique at the center of this trend is known as adversary-in-the-middle (AiTM). In this approach, phishing-as-a-service (PhaaS) platforms provide ready-to-use toolkits with names like Tycoon 2FA, Evilproxy, Rockstar 2FA, Mamba 2FA, and Greatness. These toolkits are actively advertised on cybercrime forums and allow even unskilled operators to carry out complex phishing operations.

The core of the attack involves a proxy server between the target and the legitimate site. Once set up using the provided code and templates, attackers can create phishing pages that convincingly imitate the real login portals of popular services such as Google, Microsoft, and others.

The process typically begins with a fraudulent message, often claiming an account has been compromised, that urges the victim to log in via a supplied link. This link might look like a legitimate domain at first glance (e.g., https://accounts.google.com.evilproxy[.]com), but a closer inspection reveals its true nature. Victims, alarmed by the urgency of the message, often fail to notice the slight deviation in the URL.
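A defender's check for the URL pattern just described, added here as an example (it is not code from the article or from Cisco Talos): it parses the link and isolates the domain that actually controls the page, which for the hostname accounts.google.com.evilproxy.com is evilproxy.com, not google.com. The two-label rule it uses to find that domain is a deliberate simplification; a production filter would consult the Public Suffix List so that suffixes such as co.uk are handled. The sample links are constructed, with the article's defanged [.] undone.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Verdict is the result of inspecting one link against the domain the user
// believes they are logging in to.
type Verdict struct {
	Host       string // hostname as parsed from the URL
	Controlled string // domain whose owner actually serves the page
	Trusted    bool   // Controlled equals the expected domain
	Lookalike  bool   // expected domain appears in Host but does not control it
}

// registrableDomain returns the last two DNS labels of a hostname, which is
// the part an attacker actually controls for simple TLDs such as .com.
// Simplified rule for illustration: a production check would use the
// Public Suffix List so that suffixes like co.uk are handled correctly.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// inspectLink parses rawURL and decides whether expectedDomain (e.g. "google.com")
// really serves it, or is only a decoy prefix of a hostname someone else controls.
func inspectLink(rawURL, expectedDomain string) (Verdict, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return Verdict{}, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return Verdict{}, fmt.Errorf("no host in %q", rawURL)
	}
	expected := strings.ToLower(expectedDomain)
	v := Verdict{Host: host, Controlled: registrableDomain(host)}
	v.Trusted = v.Controlled == expected
	// The brand is present as leading labels, but another domain controls the
	// page: the "accounts.google.com.evilproxy.com" pattern from the article.
	v.Lookalike = !v.Trusted && strings.Contains(host, expected)
	return v, nil
}

func main() {
	// Constructed sample links; the defanged [.] from the article is undone here.
	links := []string{
		"https://accounts.google.com/signin",
		"https://accounts.google.com.evilproxy.com/signin",
		"https://www.example.net/",
	}
	for _, link := range links {
		v, err := inspectLink(link, "google.com")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-50s controlled by %-16s trusted=%-5t lookalike=%t\n",
			link, v.Controlled, v.Trusted, v.Lookalike)
	}
}
```

The point the check makes concrete is that DNS reads right to left: everything to the left of the registrable domain is chosen by whoever owns that domain, so a familiar brand at the start of a hostname proves nothing about who is serving the page.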

When the victim follows the link, they land on the attacker's proxy page, which faithfully mirrors the actual login page. When the victim enters their username and password, the proxy passes the credentials to the legitimate website in real time. The legitimate site then triggers an MFA challenge, which is relayed back through the proxy to the victim. The user, believing everything is legitimate, submits their MFA code or approves a push notification. The proxy then forwards this response to the real website, completing the login process, which is now under the attacker's control.

Why legacy MFA falls short and what works

The fundamental issue is that these standard MFA methods are phishable[2]. Whether it’s a time-based code or a push notification, both can be relayed through the proxy and entered by the attacker. This makes such forms of MFA vulnerable to AiTM attacks, regardless of how much they improve security in general use.

These types of attacks are not theoretical. In 2022, a single attacker group using adversary-in-the-middle techniques compromised over 10,000 user credentials across 137 organizations. Even authentication provider Twilio was impacted. One notable exception was Cloudflare, which avoided compromise due to its implementation of WebAuthn, a more secure MFA standard.

WebAuthn resists adversary-in-the-middle attacks due to two critical properties:

  1. Origin Binding: WebAuthn credentials are cryptographically tied to the specific URL for which they were created. That means a credential registered for https://accounts.google.com simply won’t work at https://accounts.google.com.evilproxy[.]com.

  2. Device Binding: Authentication must occur on—or in close proximity to—the user’s registered device. Because of this, an attacker operating a remote proxy server cannot use the credentials even if they intercept the login attempt.

These attributes make WebAuthn-based solutions—such as passkeys stored on phones, computers, or security keys like YubiKeys—highly resistant, if not immune, to AiTM attacks. U2F, WebAuthn’s predecessor, shares similar protections, though WebAuthn brings added usability and flexibility.
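The two properties above are visible in the relying party's verification step. The Go program below is an added example written for this page; it is not code from the article, from Cisco Talos, or from any WebAuthn library. It models a passkey signing a login assertion and a server verifying it, in simplified form (JSON client data, a five-byte authenticator-data tail, no CBOR or attestation). The RP ID accounts.example, the two origins and the challenge string are assumed values. A real browser would already refuse to run a WebAuthn ceremony for accounts.example from the proxy's origin; the server-side origin check modelled here is the same binding enforced at the relying party, and the third scenario shows why a relay cannot simply rewrite the origin field on the way through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData holds the clientDataJSON fields that matter for origin binding.
// The browser fills in Origin from the page it is really on; the page cannot set it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the relying party (RP).
type assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags || sign counter
	ClientDataJSON []byte
	Signature      []byte // ECDSA over sha256(AuthData || sha256(ClientDataJSON))
}

// signedDigest is what the authenticator signs and the RP verifies.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign models browser plus passkey: the browser records its real origin and the
// authenticator signs over it, so the origin cannot be altered afterwards.
// It panics on error because the only failure mode here is a broken system RNG.
func sign(key *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) assertion {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		panic(err)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // flags: user present; counter 0 (simplified)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// verify is the RP side: ceremony type, challenge, origin, RP ID hash and signature.
func verify(pub *ecdsa.PublicKey, rpID string, allowed map[string]bool, as assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or stale challenge")
	}
	if !allowed[cd.Origin] {
		return fmt.Errorf("origin %q not allowed for this RP", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// runScenarios returns the RP verdict (nil = accepted) for an honest login, a login
// relayed unchanged through an AiTM proxy, and a relayed login with the origin
// rewritten by the proxy. All names are assumed and not taken from real services.
func runScenarios() (legit, proxied, tampered error) {
	const rpID, realOrigin = "accounts.example", "https://accounts.example"
	const proxyOrigin = "https://accounts.example.evilproxy.test"
	const challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; real RPs draw a fresh one per login
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	allowed := map[string]bool{realOrigin: true}
	// 1. Browser on the real origin: accepted.
	legit = verify(&key.PublicKey, rpID, allowed, sign(key, rpID, realOrigin, challenge), challenge)
	// 2. Victim's browser is on the proxy's origin; the proxy forwards the assertion as-is.
	p := sign(key, rpID, proxyOrigin, challenge)
	proxied = verify(&key.PublicKey, rpID, allowed, p, challenge)
	// 3. The proxy patches the origin field to the real one before forwarding.
	t := p
	t.ClientDataJSON = []byte(strings.Replace(string(p.ClientDataJSON), proxyOrigin, realOrigin, 1))
	tampered = verify(&key.PublicKey, rpID, allowed, t, challenge)
	return legit, proxied, tampered
}

func main() {
	legit, proxied, tampered := runScenarios()
	fmt.Printf("honest login: %v\nrelayed via proxy: %v\norigin rewritten: %v\n", legit, proxied, tampered)
}
```

A one-time passcode, by contrast, is a bare string carrying no origin and no signature, so a server receiving it has nothing to compare against and cannot tell whether it arrived from the user's browser or from a proxy in between; that is the whole difference between the relay working and failing.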

Phishing continues to be one of the most persistent and dangerous threats to digital security. While MFA using one-time passwords or push notifications adds a layer of protection, it’s increasingly clear that these methods are insufficient in the face of modern adversary-in-the-middle attacks. The availability of PhaaS kits means attackers don’t need advanced skills to compromise MFA-protected accounts.

Fortunately, adoption of WebAuthn is growing. Thousands of websites already support it, and the setup process is typically straightforward for users. As phishing kits grow more sophisticated and accessible, the cybersecurity community is increasingly aligned on one point: hardware-backed, phishing-resistant authentication like WebAuthn is no longer optional; it’s essential.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
