The Wake-Up Call
It was just another Monday morning until the CFO shouted:
“Honey, our bank account is empty!”
The systems all looked green. Password policies ✔. Encryption ✔. Multi-Factor Authentication ✔.
Every compliance dashboard had the comforting checkbox: MFA enabled.
But in reality, attackers had already hijacked sessions and bypassed the second factor entirely. The so-called protection was nothing more than an illusion.
The Illusion of Safety
The CEO, reassured by suppliers selling “NIS2-level safety” tools, felt untouchable.
Hardware and software integrations were proudly presented at the last board meeting. The buzzwords were there: Zero Trust, AI, compliance-ready.
Yet, attackers don’t care about marketing slides. They exploit the weakest link:
- MFA methods relying on SMS or push approvals.
- Session cookies that can be replayed once stolen.
- Users trained to click “Approve” under fatigue.
The illusion was complete — but safety was only skin deep.

Real-life stories:
Bypassing multifactor authentication isn’t hard, if you’re willing to get a little evil.
Sophos researchers this week detailed how Evilginx, a malicious version of the widely used open source NGINX Web server, can be used in adversary-in-the-middle (AitM) attacks to steal credentials and authentication tokens. Perhaps more importantly, the hacking tool can beat MFA protection.
https://www.darkreading.com/endpoint-security/evilginx-bypasses-mfa
The timeline of a real-world MFA bypass case, and how we stopped it
A routine click, a familiar logo, a message about a blocked email. Nothing dangerous, or so it seemed. Thousands of kilometres away, an intruder was already clearing their path into someone’s account. No lock-picks, no alarms. Just a stolen session token and the keys to someone else’s corporate kingdom.
This wasn’t a breach. It was an infiltration, fast, invisible, and nearly perfect. Read more:
https://www.triskelelabs.com/blog/real-world-mfa-bypass-case-and-how-we-stopped-it
Summary
These articles confirm a distressing pattern:
- MFA is not a silver bullet, especially when based on SMS, codes, or push prompts.
- Adversary-in-the-middle (AiTM) tools like Evilginx remain highly effective at capturing credentials and bypassing MFA.
- Live session theft (via session cookies) enables attackers to impersonate users even after MFA is passed.
- Timely detection and response—such as monitoring anomalous logins and revoking sessions—is essential to containing such attacks.
The Anatomy of an MFA Bypass
Tools like Evilginx and Modlishka are adversary-in-the-middle frameworks.
They proxy login pages, steal credentials and session cookies, and render MFA useless.
Once an attacker has the cookie, they are the user.
No password. No OTP. No approval prompt. Just seamless access.
And in an SSO world, that single cookie often unlocks dozens of systems at once.
What NIS2 Actually Demands
NIS2 does not reward checkbox compliance.
It demands resilience:
- Phishing-resistant MFA (FIDO2/WebAuthn, passkeys, smartcards).
- Session integrity controls (token binding, short lifetimes, context checks).
- Continuous testing against real-world threats, not only policy audits.
- Supplier scrutiny — “NIS2-ready” labels mean little without evidence of hardening.
The point is clear: NIS2 is not about stacking tools. It’s about building trust through tested, hardened, verifiable security.
Hardening Checklist (Beyond the Checkbox)
- Replace SMS/push MFA with FIDO2/WebAuthn hardware keys or passkeys.
- Bind session cookies to device/browser context.
- Monitor for anomalous session usage (impossible travel, new device, proxy IPs).
- Run red-team style phishing simulations, including AiTM scenarios.
- Challenge suppliers: Show us resilience, not just compliance.
Top 10 Measures to Avoid Credential Theft and Secure Payments
- Use Phishing-Resistant MFA: Deploy FIDO2/WebAuthn (security keys, passkeys) instead of SMS or push-based MFA.
- Enforce Strong Password Policies: Require unique, complex passwords stored in a secure password manager.
- Implement Session Security: Bind cookies to device/browser context, enforce short lifetimes, and monitor for anomalies.
- Continuous User Awareness Training: Regular phishing simulations and security awareness refreshers.
- Restrict Access with Conditional Policies: Allow access only from trusted devices, networks, and geographies.
- Monitor and Detect Suspicious Activity: Use SIEM/XDR to detect unusual login attempts, impossible travel, or session replay.
- Harden Recovery Processes: Secure password reset and recovery flows with MFA and fraud checks.
- Supplier and Tooling Validation: Require vendors to prove resilience, not just claim compliance.
- Secure Payment Approval Flow: All payments above €500 must go through a 4-eye approval process.
- Controlled Bank Wiring Process: All bank payment instructions must:
  - Originate from the ERP system.
  - Be linked to a checked and approved invoice.
  - Be executed only in dedicated, secured payment sessions.

Execute an internal audit using this structured breakdown:
Is Phishing-Resistant MFA deployed?
- Does the company use FIDO2/WebAuthn (security keys, passkeys, Windows Hello, TouchID, etc.)? Unlike SMS/OTP/push-based MFA, FIDO2 cryptographically ties authentication to the origin domain. Evilginx/Modlishka cannot replay credentials or tokens because the signature will only validate for the real domain.
- Smartcards / certificate-based authentication (where applicable) also mitigate proxy interception.
- This is the single most effective measure.
Check for Hardened Session Management
- Token Binding: Tie session cookies to device/browser cryptographic keys (supported in some IdPs). This prevents cookie replay on another device.
- Short Session Lifetimes: Limit how long cookies remain valid. Force re-authentication for sensitive actions.
- Step-Up Authentication: Require a fresh MFA challenge for high-risk operations (admin access, data exports, financial transactions).
Expert resources:
W3C Web Platform Dev Guide – Device Bound Session Credentials (DBSC)
This guide explains how DBSC works, with hardware-backed cryptographic protection to bind session cookies to the originating device.
https://developer.chrome.com/docs/web-platform/device-bound-session-credentials
FIDO Alliance White Paper – DBSC / DPoP as Complementary Technologies to FIDO
Explores how sender-constrained tokens—protected by cryptographic binding—complement phishing-resistant authentication methods like FIDO2.
https://fidoalliance.org/white-paper-dbsc-dpop-as-complementary-technologies-to-fido-authentication/
SuperTokens Blog – What Is Step‑Up Authentication?
Clearly explains the concept of step-up authentication and its value, especially in contexts like financial transactions or admin operations.
https://supertokens.com/blog/step-up-auth
Auditor check: does the company detect and block proxy phishing?
- Domain Monitoring: Use threat intel and DNS monitoring to detect lookalike/phishing domains impersonating your login portal.
- Email Security Filters: Deploy advanced phishing protection (sandboxing, link rewriting, banner warnings).
- Content Security Policy (CSP) + HSTS: Force HTTPS and protect against content injection on legitimate domains.
Proofpoint – Advanced Email Security Overview (PDF)
Explains how layered email analysis, click-time sandboxing, link rewriting, and transaction isolation can block advanced threats—including post-delivery link weaponization and credential theft.
https://www.proofpoint.com/sites/default/files/solution-briefs/pfpt-us-sb-advanced-email-security.pdf
Microsoft 365 – Sandboxing in Exchange Online Protection (EOP)
Describes how EOP (Advanced Threat Protection) automatically scans attachments and URLs in email using sandboxing to prevent malware and phishing.
https://learn.microsoft.com/en-us/answers/questions/1378799/what-all-are-the-features-of-sandboxing-in-exo-and
OWASP Cheat Sheet – HTTP Strict Transport Security (HSTS)
Defines HSTS, explains how it forces HTTPS-only connections, and prevents downgrade attacks and cookie hijacking.
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.htm
Valimail – Lookalike Domain Finder
A free tool to spot typosquatting, homoglyphs, and deceptive domains impersonating your brand—great for early detection and mitigation.
https://www.valimail.com/domain-lookalike-finder
Auditor check: evidence of network and behavioral controls
- Risk-Based Adaptive Authentication: Detect anomalies like impossible travel, unusual device, or access from known proxy IPs. Trigger extra verification or block.
- Conditional Access Policies (Azure AD, Okta, Google): Restrict logins to managed devices, known IPs, or compliant browsers.
- Reverse Proxy Detection: Some identity providers (like Microsoft Entra ID) now natively detect AiTM patterns (e.g., multiple user agents, odd TLS fingerprints).
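As an added illustration of the risk-based detection this section asks the auditor to look for (example code, not from the article or any vendor product), the following Python runs an impossible-travel and session-replay check over a few constructed SIEM-style events. The 900 km/h speed ceiling, the 50 km jitter floor and the event format are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed SIEM-style events (not real data): time user session_id ip lat lon user_agent
SAMPLE_EVENTS = """\
2025-03-03T08:00:00Z alice s-1001 203.0.113.10 52.37 4.90 Chrome/122
2025-03-03T08:09:00Z alice s-1001 198.51.100.7 -33.87 151.21 Firefox/118
2025-03-03T08:30:00Z bob s-2002 192.0.2.44 48.85 2.35 Edge/121
2025-03-03T09:10:00Z bob s-2002 192.0.2.44 48.85 2.35 Edge/121
"""
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter inside one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_events(text):
    """Turn the whitespace-separated event lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, sid, ip, lat, lon, ua = line.split()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                           "sid": sid, "ip": ip, "lat": float(lat), "lon": float(lon), "ua": ua})
    return events

def detect_session_anomalies(text=SAMPLE_EVENTS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag a session ID reused from a new IP/user agent or at an impossible speed."""
    by_session = defaultdict(list)
    for e in parse_events(text):
        by_session[e["sid"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):   # compare each event with the previous one
            reasons = []
            if cur["ip"] != prev["ip"]:
                reasons.append("ip_changed")
            if cur["ua"] != prev["ua"]:
                reasons.append("user_agent_changed")
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > max_kmh):
                reasons.append("impossible_travel:%.0fkm_in_%.0fmin" % (km, hours * 60))
            if reasons:   # a replayed cookie looks like one session active from two places
                alerts.append({"user": cur["user"], "sid": sid, "reasons": reasons})
    return alerts
```

Only the `s-1001` session is flagged: the same cookie appears nine minutes later from a different IP and browser roughly 16,600 km away, while `s-2002` is the same client throughout.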
Auditor check: user training and awareness reports
- Teach users to spot URL mismatches: Evilginx/Modlishka rely on phishing links.
- Browser Security Indicators: Encourage users to check domain + certificate before login.
- Red Team Simulations: Run phishing exercises with AiTM-style payloads so users recognize realistic attacks.
Auditor check: does architecture hardening reach TIER 3 level?
- Identity Provider Settings:
- Enforce WebAuthn/FIDO2 MFA.
- Enable continuous access evaluation (revoke tokens when risk changes).
- Block legacy/basic authentication (SMTP, IMAP, POP).
- Browser Controls:
- Managed browsers with endpoint detection (stealing cookies from unmanaged browsers is easier).
- Disable password autofill in unmanaged browsers.
- CSP + HSTS Security Header Testing
- SecurityHeaders.com (by Scott Helme) – free tool to scan any website and grade its HTTP security headers (CSP, HSTS, X-Frame-Options, etc.).
https://securityheaders.com/
Browser Hardening – Reduce Cookie Theft & Injection Risks
- Check Browser Security Settings
- Disable insecure features (e.g., deprecated TLS versions, weak ciphers).
- Enable HTTPS-Only Mode (Firefox/Chrome).
- Run Qualys BrowserCheck (browsercheck.qualys.com)
→ Tests for missing patches, outdated plugins, weak configurations.
- Test Cookie Flags with OWASP ZAP or Burp Suite
→ Verify cookies have Secure, HttpOnly, and SameSite attributes.
- Enable Isolation Features
- Chrome: Site Isolation (chrome://flags/#enable-site-per-process).
- Edge/Firefox: enable tracking protection and disable 3rd-party cookies.
- Deploy Enterprise Policies (if corporate-managed browsers)
→ Force updates, disable weak extensions, enforce password manager policies.
Session Lifetime Validation
→ Configure short cookie lifetimes; test by reusing a stolen cookie with Burp/ZAP.
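The cookie-flag and lifetime checks above are usually done by eye in ZAP or Burp; as an added example (not code from the article), this Python script applies the same checks to Set-Cookie values copied out of such a proxy. The sample headers are constructed and the 8-hour lifetime limit is an assumption.

```python
from dataclasses import dataclass, field

MAX_SESSION_SECONDS = 8 * 3600   # assumption: longer than a working day counts as long-lived

@dataclass
class CookieReport:
    name: str
    findings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.findings

def audit_set_cookie(header, max_age_limit=MAX_SESSION_SECONDS):
    """Parse one Set-Cookie header value and list missing hardening attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:                      # attribute names are case-insensitive
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    report = CookieReport(name)
    if "secure" not in attrs:
        report.findings.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: cross-site requests carry the cookie")
    if "max-age" in attrs:
        if not attrs["max-age"].isdigit() or int(attrs["max-age"]) > max_age_limit:
            report.findings.append("Max-Age %s exceeds %ds or is malformed" % (attrs["max-age"], max_age_limit))
    elif "expires" in attrs:
        report.findings.append("Expires used instead of Max-Age: check the absolute date manually")
    else:
        report.findings.append("no Max-Age/Expires: lifetime left to the browser session")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        report.findings.append("__Host- prefix needs Path=/ and no Domain attribute")
    return report

# Constructed Set-Cookie values (not captured from any real system)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "__Host-sid=def456; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900",
]

def audit_all(headers=SAMPLE_HEADERS):
    """Return {cookie name: CookieReport} for a list of Set-Cookie values."""
    return {r.name: r for r in map(audit_set_cookie, headers)}

if __name__ == "__main__":
    for name, report in audit_all().items():
        print(name, "OK" if report.ok else report.findings)
```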
Internal auditor concerns:
Evilginx and Modlishka succeed because they exploit weak MFA (OTP, push, SMS) and bearer tokens (cookies). The strongest countermeasures are FIDO2/WebAuthn authentication, binding cookies to devices, and risk-based adaptive controls that detect anomalies when a stolen cookie is replayed.

The Final Lesson
There are several categories of tools you can use to check your organization’s current security level, ranging from baseline assessments to continuous monitoring. Each type gives you a different angle of insight.
1. Framework-Based Security Assessment Tools
These tools map your maturity against standards like ISO 27001, NIS2, NIST CSF, SOC 2:
- CIS Controls Assessment Tool (CIS-CAT Pro) – free tool from the Center for Internet Security, scans systems and compares against CIS Benchmarks.
- NIST CSF/NIS2 Gap Analysis Tools – commercial SaaS like Tenable, Rapid7, Wiz or open-source questionnaires to measure governance, risk, and compliance posture.
- Microsoft Secure Score / Google Workspace Security Score – built-in dashboards that benchmark your tenant configuration against best practices.
These give you a risk/compliance posture overview (what controls are missing, where policies are weak).
2. Identity & MFA Security Testing
Since your concern is Evilginx/Modlishka (AiTM phishing + session hijack):
- Phishing Simulation Platforms: Tools like KnowBe4, Cofense, GoPhish let you run phishing simulations, including AiTM scenarios, to test resilience.
- Conditional Access / MFA Strength Analyzers:
- Microsoft Entra ID “Authentication Methods Insights” shows how many users still rely on weak MFA (SMS/OTP) vs. strong MFA (FIDO2).
- Okta Security Reports give MFA adoption and suspicious sign-in stats.
- Session Cookie Analysis Tools:
- Security testing tools (Burp Suite, ZAP) can test whether cookies are HttpOnly, Secure, bound with SameSite, etc.
These help measure whether your identity controls are strong enough against modern phishing and session hijacking.
3. Vulnerability & Configuration Scanners
- OpenVAS / Greenbone, Nessus, Qualys – scan infrastructure for known vulnerabilities.
- ScoutSuite (by NCC Group) – open-source multi-cloud security auditing tool (AWS, Azure, GCP).
- Cloud Security Posture Management (CSPM) – Prisma Cloud, Wiz, or Microsoft Defender for Cloud — give you a compliance/security baseline for cloud.
These measure technical weaknesses in your infrastructure and misconfigurations.
4. Continuous Security Monitoring
- SIEM/XDR Solutions (Splunk, Sentinel, Elastic, CrowdStrike Falcon) – monitor logs for suspicious activity like impossible travel, stolen session replay, brute force, etc.
- Breach & Attack Simulation (BAS) tools – SafeBreach, Cymulate, AttackIQ. They simulate real-world attacks (phishing, lateral movement, cookie theft) to see if your defenses detect/block them.
These simulate real attacker behavior and check if your controls hold up.
5. Quick User-Level Tools
If you want simple checks today:
- Have I Been Pwned – see if user emails are in breaches.
- Qualys BrowserCheck – checks if browsers are missing patches/security settings.
- SSL Labs Server Test – checks TLS/SSL security for web apps.
6. ZERO TRUST in financial transactions
Step-Up Authentication is one of the most effective controls against MFA bypass, session hijacking, and insider abuse. On the company side, you can design, configure, and test it systematically. Here’s how:
Define “High-Risk Actions” Clearly
You need to decide when a user should face a fresh MFA challenge. Typical triggers:
- Financial transactions (e.g., bank transfers, payments above €500, payroll exports).
- Privileged access (e.g., logging into the ERP as admin, accessing cloud management consoles, changing IAM policies).
- Sensitive data access (e.g., HR records, customer PII, IP repositories).
- Security settings (e.g., disabling MFA, creating new accounts, resetting passwords).
Practical step: Create a risk catalog with business units: what is “high-risk” in Finance ≠ what is “high-risk” in Engineering.
Configure Step-Up in the Identity Provider
Most enterprise IdPs support it natively:
- Azure AD (Entra ID) → Conditional Access Policies: Require MFA for sensitive apps or when accessing from risky sessions.
- Okta → Step-Up MFA via app sign-on policies (e.g., require WebAuthn key before entering admin portal).
- Ping Identity / ForgeRock / Google Cloud Identity → Step-up triggers can be set per resource or per API call.
Practical step: Create conditional rules:
- If action = high_risk, then require_fresh_MFA (FIDO2/OTP).
- Define a short MFA validity window (e.g., 10 minutes) for critical operations.
Test the Flow Internally (Red Team Style)
- Simulate a bank transfer in ERP: Does the system request a new MFA prompt or just rely on the existing cookie/session?
- Access the admin portal from a valid session: Does the IdP demand a second authentication?
- Replay a stolen cookie (lab test with Burp Suite / ZAP): Can you bypass step-up by injecting an active session cookie?
Practical step: Involve QA/security testers to verify every “high-risk” flow has a step-up prompt, and cannot be bypassed by cookie replay.
Integrate with Risk-Based Signals
Step-up can be adaptive:
- Triggered if login is from a new device, suspicious IP, or abnormal geolocation (“impossible travel”).
- Coupled with fraud detection → e.g., multiple failed transfers trigger an MFA step-up.
Practical step: Enable risk-based conditional access in your IdP and SIEM/XDR.
Document & Audit
- Document the step-up triggers (e.g., “All payments above €500 require step-up MFA with FIDO2 key”).
- Audit logs should show:
- Who performed the step-up challenge.
- Which method was used (hardware key, OTP, push).
- Whether access was granted or denied.
Practical step: Align logs with ISO 27001 Annex A controls (A.8.23 Session monitoring, A.8.27 Secure system access).
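To show how the triggers, validity window, 4-eye rule and audit record from this procedure fit together, here is an added Python policy evaluator (example code, not the article's or any IdP's). The action catalog, the Session fields and the device-binding flag are assumptions; the 10-minute window and the €500 threshold follow the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # issue a fresh FIDO2/WebAuthn challenge
    DENY = "deny"

# Risk catalog is assumed; 10-minute window and EUR 500 threshold come from the text
HIGH_RISK_ACTIONS = {"bank_transfer", "payroll_export", "admin_login",
                     "disable_mfa", "reset_password", "change_iam_policy"}
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
STEP_UP_WINDOW = timedelta(minutes=10)
FOUR_EYES_THRESHOLD_EUR = 500.0
AUDIT_LOG: list = []   # who, which method, granted or denied

@dataclass
class Session:
    user: str
    device_bound: bool                         # cookie tied to a device key (DBSC-style)
    last_mfa_at: "datetime | None" = None
    last_mfa_method: "str | None" = None       # "fido2", "push", "sms", ...

def evaluate(session, action, now, amount_eur=0.0, approvers=1):
    """Return (Decision, reason) for one request and append an audit record."""
    if not session.device_bound:
        decision, why = Decision.DENY, "cookie not device-bound: treat as replay"
    elif action not in HIGH_RISK_ACTIONS:
        decision, why = Decision.ALLOW, "low-risk action"
    elif action == "bank_transfer" and amount_eur > FOUR_EYES_THRESHOLD_EUR and approvers < 2:
        decision, why = Decision.DENY, "payment above EUR 500 needs 4-eye approval"
    else:
        fresh = session.last_mfa_at is not None and now - session.last_mfa_at <= STEP_UP_WINDOW
        strong = session.last_mfa_method in PHISHING_RESISTANT
        if fresh and strong:
            decision, why = Decision.ALLOW, "recent phishing-resistant MFA"
        else:
            decision, why = Decision.STEP_UP, "fresh FIDO2/WebAuthn challenge required"
    AUDIT_LOG.append({"user": session.user, "action": action, "method": session.last_mfa_method,
                      "decision": decision.value, "reason": why, "at": now.isoformat()})
    return decision, why

def demo_scenarios():
    """Constructed scenarios covering each branch; returns the decisions in order."""
    t0 = datetime(2025, 3, 3, 9, 0, 0)
    good = Session("alice", True, t0, "fido2")
    push = Session("bob", True, t0, "push")
    stolen = Session("alice", False, t0, "fido2")   # cookie replayed off-device
    return [
        evaluate(good, "view_dashboard", t0)[0],                                 # ALLOW
        evaluate(good, "bank_transfer", t0 + timedelta(minutes=5), 1200, 2)[0],  # ALLOW
        evaluate(good, "bank_transfer", t0 + timedelta(minutes=30), 1200, 2)[0], # STEP_UP
        evaluate(good, "bank_transfer", t0, 1200, 1)[0],                         # DENY
        evaluate(push, "admin_login", t0)[0],                                    # STEP_UP
        evaluate(stolen, "admin_login", t0)[0],                                  # DENY
    ]
```

Each call leaves an `AUDIT_LOG` entry with the user, the MFA method and the outcome, which is the evidence the Document & Audit step asks for.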
Key Takeaway:
On the company side, you must:
- Define what actions are high-risk.
- Configure IdP or ERP workflows to require fresh MFA.
- Test via simulated transactions and cookie hijacking attempts.
- Integrate with adaptive signals.
- Audit to prove compliance & resilience.
Key Takeaway
There isn’t a single “one-click” tool to measure overall security level — because security is multi-layered. The best approach is:
- Governance view → Framework-based assessments (ISO 27001/NIST CSF/NIS2).
- Identity view → MFA strength reports & phishing simulations.
- Infrastructure view → Vulnerability/configuration scanning.
- Detection view → BAS and SIEM/XDR monitoring.
Security dashboards may glow green, but attackers aren’t color-blind.
The CEO who felt safe after signing supplier contracts now faces an empty bank account — and a hard lesson:
Checkboxes don’t stop attacks.
Resilience does.
From TIER 3 to TIER 4: Why Checklists Won’t Save You
It’s easy to celebrate TIER 3. Processes are defined, audits are passed, controls are in place. Dashboards look healthy, and the boardroom breathes a sigh of relief.
But here’s the truth: TIER 3 is not resilience.
It’s structure. It’s repeatability. It’s a baseline that proves the machine runs — but it doesn’t yet prove the machine can survive a fire.
The leap to TIER 4 compliance is where most organizations stumble. Because at this stage, it’s not about whether MFA is ticked, or if a policy document exists. It’s about whether the system stands when attackers pivot, when supply chains fracture, or when a session cookie is replayed at 2:00 a.m. from the other side of the world.
That kind of resilience cannot be self-certified.
It demands high-level internal audits that don’t just verify controls, but stress-test them. It requires expert advisory that challenges assumptions, exposes blind spots, and benchmarks your posture against the best — not just the minimum.
TIER 4 is not a paper exercise. It is a state of trust, proven by evidence, validated by experts, and reinforced by constant testing.
If TIER 3 is the promise, TIER 4 is the proof.
And without expert audits and advisory, that proof will never hold.