Welcome to Episode One of The Cyber Compass, our monthly insight series, featuring articles expertly written by our Technical Director, William Poole. In this month's edition, Will explores how threat actors bypass MFA using tools like Evilginx and Modlishka. Read on to discover recommended strategies to defend against phishing and token theft.

Is multi-factor authentication still the silver bullet organisations think it is?

Over the past few years, multi-factor authentication (MFA) has been heralded as a near-foolproof mechanism for securing user accounts. Indeed, traditional single-password protection often fails against well-resourced threat actors, and MFA—whether through one-time passcodes (OTPs), text messages, or hardware tokens—provides an extra layer of defence. However, as CYFOR Secure managed incidents throughout 2024, we witnessed a troubling trend: malicious groups are becoming increasingly adept at circumventing even the most robust MFA implementations. The result is a growing consensus that MFA, while still critical, is far from a set-and-forget security silver bullet.

Evolving MFA Bypass Techniques with Evilginx and Modlishka

Threat actors have discovered that they can subvert MFA controls protecting cloud platforms and social accounts (365, Instagram and LinkedIn accounts in particular) by focusing their attacks not only on credentials but also on the tokens and session cookies that validate a user’s authenticated session. Tools like Evilginx and Modlishka, free to download and experiment with, have now become common in real-world attack chains.

These reverse proxies act as sophisticated “man-in-the-middle” platforms: when a victim logs in through what appears to be a legitimate portal, the attacker’s system silently relays credentials and MFA tokens to the real service. The victim sees what looks like a normal login flow, but behind the scenes, the threat actor captures the MFA details or session tokens in real-time.

Once in possession of these session tokens or valid MFA codes, the threat actor can seamlessly impersonate the user without needing to prompt for additional authentication. This approach essentially robs MFA of its purpose: no matter how strong the OTP, if the actor is in the middle of the communication, they can grab everything they need. The proliferation of these tools—and the increasing technical sophistication of their operators—demonstrates that the arms race between defenders and attackers continues unabated.

Phishing isn’t an email-only issue

Targeting social media accounts through phishing attacks, though not entirely new, is poised to become a notable trend in 2025. While companies and their employees are increasingly vigilant against phishing attempts on platforms like Microsoft 365—thanks in part to robust training and awareness programs—they are often less suspicious of emails that appear to come from Instagram, LinkedIn, or TikTok. As threat actors continue to rely on phishing as a primary entry method, and social media platforms remain critical yet frequently overlooked business assets, we are witnessing a rise in ransom-driven account takeovers. Attackers compromise these profiles and then demand payment to restore access, putting not only the organisation’s content but also its audience engagement at risk. This disturbing tactic is set to gain further traction in the coming year.

New Year, New Techniques

In 2024, the new normal for successful phishing campaigns wasn’t just a single malicious email. Attackers understand that organisations are more wary and have better controls, so they are adopting a longer, more patient game. They might initiate contact posing as a potential customer, vendor, or partner—anything that would seem plausible. Over several email exchanges, they develop trust and credibility. Only once the rapport is established do they introduce a malicious link or request that leads unsuspecting users into a controlled phishing environment.

CYFOR witnessed multiple such attacks during the latter stages of 2024, predominantly targeting conveyancing firms. Threat actors sent emails that did not initially contain any malicious links, simply requesting quotes or advice from the target. Once numerous emails had been exchanged and it came time to exchange documents, only then would the threat actor send malicious links, or PDF files which redirected the target to domains where credentials were compromised. These targeted incidents increase the success rate of phishing attacks, at the expense of the scale we normally associate with phishing – where unpersonalised, poorly formatted emails are sent to many recipients. In one particularly convincing attack, the threat actor’s malicious link did not immediately send the target to a malicious 365 login portal, but rather to a webpage created to briefly show what appeared to be legitimate mortgage documents, before then redirecting to request authentication, further convincing the target of its legitimacy at a time when their defences were already lowered by multiple rounds of email correspondence.

Furthermore, these attacks increasingly make use of malicious “Enterprise Applications” following initial access to a compromised mailbox. Threat actors create these applications within an organisation’s cloud environment—often Microsoft 365 (M365)—and assign offline access permissions or permissions to read email contents. Once installed, these rogue apps can persistently access mailboxes, download large quantities of sensitive data at scale, or maintain persistent footholds that survive even after individual credentials are reset for the compromised account. This adds a new layer of complexity to incident response: no longer is it sufficient to just block a compromised account. You must also locate and remove these hidden enterprise apps, as they often provide a backdoor into critical systems and data.
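As an added example (not code from the article, CYFOR, or Microsoft), the following Python triages OAuth consent grants for the kind of rogue enterprise app described above: it flags grants carrying offline access or mail-reading scopes and ranks them by how many warning signs they show. The records, app names and ids are constructed; the field names mirror Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects, which an investigator would export from the tenant and feed in.

```python
from datetime import datetime, timedelta, timezone

# Delegated Graph scopes that let an app keep reading a mailbox even after the
# user's password is reset (offline_access yields a long-lived refresh token).
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic"}

# Constructed sample: each record flattens an oauth2PermissionGrant together
# with three fields of its client service principal (displayName,
# createdDateTime, verifiedPublisher). All values are invented.
SAMPLE_GRANTS = [
    {"clientId": "sp-001", "displayName": "Mailbox Sync Helper",
     "scope": "openid offline_access Mail.Read", "consentType": "Principal",
     "principalId": "user-42", "createdDateTime": "2024-11-20T09:15:00+00:00",
     "verifiedPublisher": False},
    {"clientId": "sp-002", "displayName": "Expense Portal",
     "scope": "openid profile User.Read", "consentType": "Principal",
     "principalId": "user-42", "createdDateTime": "2022-03-01T08:00:00+00:00",
     "verifiedPublisher": True},
    {"clientId": "sp-003", "displayName": "Archive Connector",
     "scope": "Mail.ReadWrite offline_access", "consentType": "AllPrincipals",
     "principalId": None, "createdDateTime": "2021-06-10T12:00:00+00:00",
     "verifiedPublisher": True},
]

def grant_reasons(grant, now, new_app_days=30):
    """Reasons this grant deserves analyst attention (empty list if none)."""
    risky = set(grant["scope"].split()) & HIGH_RISK_SCOPES
    if not risky:
        return []  # no mailbox or persistence scopes: outside this hunt
    reasons = ["high-risk scopes: " + " ".join(sorted(risky))]
    if grant["consentType"] == "AllPrincipals":
        reasons.append("tenant-wide consent (every mailbox reachable)")
    created = datetime.fromisoformat(grant["createdDateTime"])
    if now - created <= timedelta(days=new_app_days):
        reasons.append(f"app registered within the last {new_app_days} days")
    if not grant["verifiedPublisher"]:
        reasons.append("unverified publisher")
    return reasons

def triage(grants, now):
    """Return (displayName, clientId, reasons) for flagged grants, worst first."""
    findings = [(g["displayName"], g["clientId"], grant_reasons(g, now)) for g in grants]
    findings = [f for f in findings if f[2]]
    return sorted(findings, key=lambda f: len(f[2]), reverse=True)

def triage_sample():
    """Run the triage over the constructed records at a fixed investigation date."""
    return triage(SAMPLE_GRANTS, datetime(2024, 12, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, sp_id, reasons in triage_sample():
        print(f"{name} ({sp_id}): " + "; ".join(reasons))
```

Flagged service principals are candidates for consent revocation and sign-in log review; the scope set and the 30-day window are starting points to tune for your tenant.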

If MFA alone isn’t enough, what is?

The good news is that organisations can still raise the bar significantly by combining MFA with other access policies. For example, in an M365 environment, conditional access rules can require that logins originate from allowed IP ranges or compliant devices. Implementing IP allow listing or geoblocking can make it significantly harder for threat actors to launch remote attacks. Additionally, enforcing device-based conditional access—allowing logins only from managed and secured endpoints—prevents attackers from pivoting easily into your environment. Token protection[1] is another increasingly recommended step by security professionals.

Outside of 365, organisations should also layer their defenses for any remote access solutions (e.g., VPNs or remote access software such as TeamViewer) they use. By only granting access to devices that meet certain patch levels, originate from certain IP addresses, or have specific compliance tags, you ensure that even a captured MFA token won’t necessarily open the floodgates. In other words, MFA must be one element of a multi-layered defense strategy, not the only hurdle.

MFA Bypass as a Stepping Stone to Ransomware

Phishing attacks that bypass MFA are not the end goal themselves; often, they are the precursor to more destructive activities like ransomware deployment. For instance, once attackers compromise an account, they may add their own device or app as an authorised MFA method. Armed with legitimate credentials and a valid MFA device, they can access your VPN and any downstream resources authenticated via M365. This opens the door to exfiltrating critical data, deploying ransomware at will, and demanding massive payouts to restore operations. We’ve seen firsthand that the chain reaction often starts with a well-orchestrated phishing email followed by a stealthy MFA bypass—just one small piece in a larger campaign of infiltration and extortion.


An important note for business owners and security teams: businesses shouldn’t place the responsibility for securing accounts purely on their users. If an employee mistakenly clicks a link or has their account compromised, secondary layers of defense should be in place to detect the issue and prevent access by malicious parties. If a phishing link leads to a fully-fledged ransomware attack, many things have gone wrong over and above an employee not recognising a malicious email.

Conclusion: Continuous Vigilance in an Evolving Threat Landscape

2024 clearly illustrated the vulnerability of “silver bullet” security controls. MFA, while essential, is no longer (if it ever was) a guaranteed safeguard against skilled adversaries who evolve their tactics as defenses improve. Tools like Evilginx and Modlishka are readily available, and threat actors have learned to play the long game in phishing campaigns, establishing trust before striking. They have also found new ways to remain persistent through malicious enterprise apps and clever conditional access workarounds.

The lesson here is clear: organisations must continuously adapt and refine their security posture. MFA should remain a core component, but it needs to be paired with conditional access, strict privilege management, continuous monitoring for suspicious enterprise applications, and layered network restrictions. The days of implementing MFA and calling it “done” are over. Security must remain a dynamic, evolving strategy—one that anticipates and counters the relentless innovation of modern threat actors.