Back to Intelligence

Identity Attacks Overtake Exploits: Defending Against the Rise of MFA Bypass Ransomware

SA
Security Arsenal Team
July 15, 2026
6 min read

The paradigm has shifted. For years, we fortified our perimeters against exploits and unpatched vulnerabilities. But according to the latest threat landscape data, Identity Attacks have officially overtaken software exploits as the primary root cause of encryption-based cyber incidents (ransomware).

Even more alarming is the efficacy gap in our defenses: Multifactor Authentication (MFA) was deployed in 97% of credential-based attacks analyzed last year, yet it failed to prevent the compromise. This statistic confirms what responders on the ground are seeing—it is no longer a question of if your identity infrastructure is targeted, but when your MFA implementation fails against sophisticated techniques like Adversary-in-the-Middle (AiTM) attacks and MFA fatigue.

Technical Analysis

The shift toward identity-based entry points signals a maturity in attacker TTPs. Rather than burning a zero-day on a hardened edge device, adversaries are targeting the human and the trust relationships established in Identity Providers (IdP) like Microsoft Entra ID (formerly Azure AD) and Okta.

The Attack Vector: AiTM and MFA Fatigue

  1. Adversary-in-the-Middle (AiTM) Phishing: Attackers use reverse-proxy phishing kits (e.g., EvilProxy, Naked Pages) to sit between the user and the legitimate login page. When the user enters credentials and approves the MFA prompt, the attacker intercepts the session token (e.g., id_token, access_token). Since the attacker possesses a valid, signed token issued by the legitimate IdP, standard MFA checks pass, and the attacker gains access.

  2. MFA Fatigue (Push Bombing): In scenarios where AiTM is not used, attackers automate login attempts with valid credentials harvested from infostealers or previous breaches. They trigger repeated push notifications to the user's authenticator app. Eventually, the user—fatigued or confused—approves the request to stop the notifications, inadvertently granting access.

Exploitation Status

  • Active Exploitation: Confirmed. This technique is currently the dominant initial access vector for ransomware operations in 2026.
  • Affected Platforms: Cloud Identity Providers (Microsoft Entra ID, Okta, Ping Identity), Email Systems (Microsoft 365, Google Workspace), and SaaS applications relying on federated authentication.

Detection & Response

Defending against this requires a shift from simply "having MFA" to monitoring for anomalies in the authentication flow itself. We need to detect the mechanics of bypass attempts and the immediate post-compromise actions.

SIGMA Rules

The following rules target behaviors indicative of AiTM proxy activity and MFA fatigue spamming in cloud identity logs.

YAML
---
title: Potential MFA Fatigue Attack - Multiple Failures Followed by Success
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects a pattern of multiple failed MFA attempts followed by a success, indicative of MFA fatigue or brute force attacks.
references:
  - https://attack.mitre.org/techniques/T1078/
  - https://www.darkreading.com/identity-access-management-security/identity-attacks-overtake-exploits-top-ransomware-cause
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.credential_access
  - attack.t1078.004
logsource:
  product: azure
  service: signindiagnostics
detection:
  selection:
    ResultDescription|contains:
      - 'MFA denied'
      - 'Strong authentication required'
  timeframe: 15m
  condition: selection | count() > 5
falsepositives:
  - Legitimate users having trouble with authenticator app
level: high
---
title: Suspicious Azure AD Sign-in - AiTM Proxy User-Agent
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects sign-ins where the User-Agent string matches common reverse-proxy tools or generic automation libraries often used in AiTM attacks.
references:
  - https://attack.mitre.org/techniques/T1557/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1557.002
logsource:
  product: azure
  service: signinlogs
detection:
  selection:
    UserAgent|contains:
      - 'Python-urllib'
      - 'Go-http-client'
      - 'Java/'
  filter_legit:
    AppDisplayName|contains:
      - 'Microsoft Office'
      - 'Outlook'
  condition: selection and not filter_legit
falsepositives:
  - Legacy API integrations not updated to modern User-Agent strings
level: medium

KQL (Microsoft Sentinel)

This hunt queries Entra ID sign-in logs to identify "Impossible Travel" events and sign-ins from anonymous IP addresses, which are strong indicators of session token theft or credential stuffing.

KQL — Microsoft Sentinel / Defender
SigninLogs
| where ResultType == 0
| extend LocationDetails = todynamic(LocationDetails)
| evaluate geo_distance_query(IPAddress, LocationDetails.latitude, LocationDetails.longitude)
| where DistanceBetweenPointsInKilometers > 500 and TimeDifference < 15m
| project Timestamp, UserPrincipalName, IPAddress, LocationDetails.city, AppDisplayName, DeviceDetail, AuthenticationDetails
| order by Timestamp desc

Velociraptor VQL

Post-compromise, attackers often dump browser cookies to harvest refresh tokens. This VQL artifact hunts for the export of browser cookie databases (SQLite files) or the execution of known cookie dumping tools.

VQL — Velociraptor
-- Hunt for suspicious access to browser cookie databases
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='/*/*/Network/Cookies')
WHERE Mtime < now() - 1h  -- Recently accessed cookies

-- Check for processes accessing browser data directories
SELECT Pid, Name, Username, Cmdline
FROM pslist()
WHERE Cmdline =~ 'SQLite' OR Cmdline =~ 'esentutl' OR Cmdline =~ 'copy'
  AND (Cmdline =~ 'Chrome' OR Cmdline =~ 'Edge' OR Cmdline =~ 'Firefox')

Remediation Script

This PowerShell script helps auditors identify if legacy authentication protocols—which often bypass modern MFA controls—are enabled in the tenant, and checks the Conditional Access status.

PowerShell
# Audit MFA and Legacy Auth Status for Microsoft Entra ID
# Requires MSOnline and AzureAD modules or appropriate Graph API permissions

Write-Host "[+] Checking for Legacy Authentication Protocols..." -ForegroundColor Cyan

# Connect to MSOnline if not already connected
# Connect-MsolService

$Policies = Get-MsolPolicy | Where-Object { $_.PolicyType -eq 'LegacyAuthenticationPolicy' }

if ($Policies) {
    foreach ($Policy in $Policies) {
        if ($Policy.IsEnabled) {
            Write-Host "[!] WARNING: Legacy Authentication Policy is Enabled." -ForegroundColor Red
            Write-Host "    Legacy protocols (SMTP, POP3, IMAP) can bypass MFA." -ForegroundColor Yellow
        }
    }
} else {
    Write-Host "[*] No explicit Legacy Authentication Policy found. Ensure Conditional Access blocks these." -ForegroundColor Green
}

Write-Host "[+] Checking Conditional Access Coverage..." -ForegroundColor Cyan
Write-Host "    Manual verification required: Ensure CA policies exist covering 'All Apps' and 'All Users' with 'Require MFA' and 'Block Legacy Auth'."

Remediation

To mitigate the rise of identity-based attacks, organizations must move beyond basic MFA:

  1. Enforce Phishing-Resistant MFA: Implement FIDO2/WebAuthn hardware keys or passwordless methods (e.g., Windows Hello for Business) for all administrative accounts and high-risk users. These are not susceptible to AiTM interception.

  2. Deploy Number Matching: Ensure your MFA solution (Microsoft Authenticator, Duo, etc.) enforces number matching for push notifications. This significantly reduces the success rate of MFA fatigue attacks.

  3. Disable Legacy Authentication: Block legacy protocols (SMTP, POP3, IMAP, AuthBasic) in Exchange Online and Entra ID. These protocols rarely support modern MFA and are easy targets for credential stuffing.

  4. Conditional Access Policies:

    • Require Compliant Devices or Hybrid Azure AD Joined devices for sensitive apps.
    • Implement Access Context policies to detect high-risk sign-ins (impossible travel, anonymous IP).
  5. User Education: Train users specifically on MFA Fatigue—teach them to report unsolicited push notifications rather than approving them to silence the alert.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfiridentity-attacksmfa-bypassphishingentra-id

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.