“Oh, our application is protected against phishing: we have Multi-Factor Authentication (MFA) enabled. An attacker can’t do anything with stolen credentials.” I’ve heard this sentiment more than once when speaking to customers, and they are right—to an extent. Classic phishing attacks are prevented with MFA enforcement.
However, security is a cat-and-mouse game, and attackers are always evolving. Methods have already been developed to phish users successfully despite the use of MFA. As a red teamer who carries out offensive security testing assessments, I can confirm that this technique works. In fact, it has never failed us.
The good news is that this attack can be prevented. Want to know how?