Munich Datageeks e.V.
Talk "When MFA Isn't Enough"
When MFA Isn't Enough: Dissecting a Sophisticated Phishing Campaign Targeting University Infrastructure


Felix Reuthlinger

When MFA Isn't Enough: Dissecting a Sophisticated Phishing Campaign Targeting University Infrastructure by Marleen Steinhoff was presented at Munich Datageeks - June Edition 2025

Abstract

This presentation analyses a recent security breach at our university, showing how attackers bypassed Multi-Factor Authentication (MFA) to access Microsoft 365 accounts. We'll cover our response strategy, including deploying decoy accounts and creating custom response procedures. The talk explores how we detected the attack using honeypot accounts, contained the damage, and coordinated our response efforts using incident response playbooks. We'll also discuss what could have happened without proper mitigation to illustrate the wider impact of these attacks. Attendees will learn practical steps to protect their organizations from similar authentication vulnerabilities and implement effective security measures.

About the speaker

Marleen Steinhoff is a PhD candidate in Cyber Security at Munich University of Applied Sciences. Her research focuses on improving how Machine Learning systems support Cyber Threat Intelligence—collecting, analyzing, and interpreting data about cyber attacks.

Transcript summary

Background and Context

The speaker, Marleen Steinhoff, is a PhD candidate in cybersecurity at the SEC lab, a research group led by Thomas Schreck at the Munich University of Applied Sciences. Her research initially focused on training models for cyber threat intelligence but shifted toward data quality, collection, analysis, and interpretation. The talk presents a real incident that occurred at the university on June 6th and analyzes both the attack methods and the defense strategies used against it.

The MITRE ATT&CK Framework

MITRE ATT&CK is a widely-used framework for understanding cyber attacks through a granular and practical approach. Attacks can be broken down into three main phases:

  1. Initial Foothold - How attackers gain entry into the network
  2. Network Propagation - How attackers move through the network (including lateral movement between servers)
  3. Out of Network - Actions on objectives, such as data exfiltration

The framework organizes attacks using two key concepts:

  • Tactics represent what attackers are trying to achieve (the why/goal)
  • Techniques define how attackers achieve their goals (the how)

The framework is built from actual adversary behaviors observed in real-world attacks rather than theoretical research. It addresses the full spectrum of IT infrastructure across different domains, with this talk focusing on the enterprise domain. The framework is continuously updated with new releases every six months, currently at version 17.1.

Attack sequences are not linear but can include loops and jumps back to earlier stages. For example, after gaining initial access and establishing persistence, attackers may return to reconnaissance to discover additional resources in the network.

Phishing Technique Example

The framework provides detailed information for each technique. Using phishing as an example, which belongs to the Initial Access tactic:

  • Abstract definitions describe what the attack does
  • Phishing can occur through various methods beyond email, including phone calls directing victims to malicious URLs
  • Mitigations are provided, such as user training to identify social engineering and phishing attempts
  • Detection methods are specified, such as monitoring application logs
  • Platform compatibility is listed, as not every technique applies to every platform

The framework enables building knowledge graphs by mapping data sources to detection methods and linking them to techniques, helping security teams identify where to look when detecting specific attack techniques.

The Attack: Initial Access via Phishing

On Friday afternoon, June 6th around 2 PM, employees received a phishing email during a time when people were typically in meetings and task-saturated. The email appeared legitimate with several convincing elements:

  • Display name mimicking the university
  • Subject line about releasing messages
  • Sender address from oges@bu.edu (Boston University), which appeared trustworthy
  • Professional-looking content stating the recipient had 12 messages to retrieve with a button to click

The attackers either compromised this Boston University account or spoofed the sender; the display name in particular is just a free-text string in the email header and can be set to anything. The email reached over 1,200 employees.

Suspicious indicators that were less obvious included:

  • A time mismatch between the time the content was created and the time the email was received (roughly 2-3 hours, which may reflect the six-hour time difference to Boston and a deliberate choice to deliver the email on Friday afternoon)
  • The URL behind the button used a sophisticated trick: it placed "hm.edu" (the university's domain) before the @ symbol in the URL. Everything before the @ in a URL's authority is the "userinfo" part, which browsers ignore when choosing which host to connect to, so this is technically valid but highly unusual. The actual domain was "url.emailprotection" (controlled by the attackers), followed by a unique identifier hash for each recipient.

This social engineering technique was sophisticated enough to deceive even trained individuals.
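The two indicators described above (a display name that claims the university while the address belongs to another domain, and a link with a trusted-looking name before the @ of the URL) can both be checked mechanically from the email file itself. The following triage script is an added example written for this summary, not tooling from the university or the talk; it uses only the Python standard library. The sample message is constructed to match the shape described in the talk, and the link host `attacker-controlled.example` is a placeholder, not the domain from the real campaign.

```python
"""Triage checks for a suspected phishing email (added example, standard library only).
Checks two indicators from the talk:
  1. a From: display name that claims the organisation while the address is from another domain;
  2. a link whose URL authority contains userinfo (text before '@'), so the real host is
     whatever follows the '@'.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: mimics the message described in the talk; the link host is a placeholder.
SAMPLE_EML = """\
From: Hochschule Muenchen <oges@bu.edu>
To: staff@hm.edu
Subject: Release of messages
Content-Type: text/html; charset=utf-8

<p>You have 12 messages to retrieve.</p>
<a href="https://hm.edu@attacker-controlled.example/release/0123abcd">Retrieve messages</a>
"""

ORG_DOMAIN = "hm.edu"  # the organisation's own domain (assumption: hm.edu, as named in the talk)
ORG_NAMES = ("hochschule", "hm.edu", "munich university")  # display-name words that claim the org

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a host name; adequate for .edu/.com-style domains (no public-suffix lookup)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_from_header(from_value: str) -> list[str]:
    """Flag a display name that claims the organisation while the address lives elsewhere."""
    name, addr = parseaddr(from_value)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_org = any(word in name.lower() for word in ORG_NAMES)
    if claims_org and registered_domain(addr_domain) != ORG_DOMAIN:
        return [f"display name '{name}' claims the organisation but address domain is '{addr_domain}'"]
    return []


def check_url(url: str) -> list[str]:
    """Flag URLs whose authority carries userinfo, and report the host a browser would really use."""
    parts = urlsplit(url)
    if parts.username is not None or "@" in parts.netloc:
        hidden_by = parts.netloc.rsplit("@", 1)[0]
        return [f"userinfo '{hidden_by}' before '@' hides real host '{parts.hostname}'"]
    if parts.hostname and registered_domain(parts.hostname) != ORG_DOMAIN:
        return [f"link host '{parts.hostname}' is outside {ORG_DOMAIN}"]
    return []


def triage(raw_message: str) -> dict:
    """Parse one RFC 5322 message and collect findings plus the real link hosts."""
    msg = message_from_string(raw_message)
    findings = check_from_header(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = []
    for url in URL_RE.findall(body):
        findings.extend(check_url(url))
        hosts.append(urlsplit(url).hostname)
    return {"findings": findings, "hosts": hosts}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("FINDING:", line)
```

Run against the constructed sample, `triage` reports both indicators and lists `attacker-controlled.example` as the only host a browser would actually contact. The `registered_domain` helper deliberately avoids a public-suffix list; for domains such as `.co.uk` it would need one.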

Credential Access: Multi-Factor Authentication Interception

After employees clicked the phishing link, they were directed to a fake Microsoft 365 login page that convincingly replicated the authentic three-step authentication process:

  1. Email entry
  2. Password entry
  3. TOTP (Time-based One-Time Password) entry

The TOTP is a time-limited code, typically valid for only 60 seconds, generated by an authenticator app. The fake login page was designed to capture all three pieces of information. The attackers then automatically forwarded these credentials to the real Microsoft 365 login page within the 60-second validity window (likely with only 20-30 seconds remaining), requiring complete automation.

This technique is specifically identified in MITRE ATT&CK as Multi-Factor Authentication Interception under the Credential Access tactic.

Persistence: Account Manipulation

After successfully logging into the legitimate Microsoft 365 account using the intercepted credentials, the attackers immediately added their own credentials to the compromised accounts. This entire process occurred within seconds and was fully automated.

By adding their own credentials, attackers established persistence, allowing them to access the accounts at will without needing to conduct additional phishing campaigns. This technique is classified as Account Manipulation in the MITRE ATT&CK framework.

The Tool: Evilginx

The attack was facilitated by Evilginx, a free open-source tool available on GitHub. This tool functions as a reverse proxy specifically designed for phishing campaigns and automates the multi-factor authentication interception process. The repository includes comprehensive documentation with step-by-step instructions. The tool's creator even offers an Evilginx Mastery training course online.

The tool includes a disclaimer stating it should only be used for penetration testing, though the speaker questions the legitimate need for a reverse proxy to send phishing emails during authorized penetration tests, noting that companies typically provide test accounts for such purposes.

Attack Sequence Recap

The complete attack chain demonstrated the non-linear nature of cyber attacks:

  1. Phishing (Initial Access tactic) - the email campaign
  2. Multi-Factor Authentication Interception (Credential Access tactic) - capturing the TOTP token through the fake login page
  3. Account Manipulation (Persistence tactic) - adding attacker credentials to compromised accounts

This sequence shows a loop from credential access back to initial access through persistence, illustrating that attacks don't follow a simple linear progression.

Defense Strategy: The Cybersecurity Playbook

The university's response followed a cybersecurity playbook, which is a written document defining and coordinating response steps for specific scenarios. The phishing playbook included:

1. Information Email to Employees

The security team immediately sent a warning email to all employees after the phishing email was reported. However, only 1-2% of recipients opened this warning email, and it didn't prevent button clicks on the phishing email.

2. Technical Blocking Measures

The team attempted to block the fake website through various technical means. These steps depend heavily on the existing infrastructure and are hard to apply comprehensively. For example, SentinelOne only runs on managed Windows laptops, leaving unmanaged devices (such as MacBooks) unprotected.

3. Responding to Employee Reports

This is emphasized as the most important and time-consuming step in the entire defense process. The attack was only discovered because employees reported it. Key principles include:

  • Thanking employees who report suspicious activity
  • Supporting affected individuals
  • Ensuring all employee communications receive responses
  • Maintaining awareness about whom to contact when incidents occur

The attack was successfully mitigated without damage specifically due to employee awareness and reporting. This response process kept the security team occupied for hours but was critical to the defense.

Honeypot Analysis

Although not part of the official playbook, the security team created a fake user account to analyze the attack, functioning as a honeypot. This creative approach was necessary because only two employees actually entered their TOTP tokens, and in both cases, the tokens expired before the credential manipulation could occur, leaving no compromised accounts to examine.

By creating the fake user account, clicking through the phishing process, and entering a TOTP token, the team observed how the attackers automatically added multiple credentials to the account. This honeypot approach revealed the full extent of the attack's automated credential manipulation capability.
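The behaviour observed on the honeypot account, a sign-in from an unfamiliar address followed within seconds by the registration of new authentication methods, is also what a detection for the Account Manipulation step described earlier should key on. The following rule is an added example written for this summary, not the university's own detection; the audit records are constructed and their field names (`SignIn`, `AuthMethodAdded`, `ip`, `method`) are the example's own, not the schema of any vendor's audit log.

```python
"""Detect new authentication methods registered shortly after a sign-in from a never-before-seen IP
(added example; constructed records with the example's own field names)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: normal sign-ins, then the honeypot pattern from the talk, then a benign
# method registration by another user long after their sign-in.
AUDIT = [
    {"ts": "2025-06-02T09:01:00", "user": "decoy.user", "event": "SignIn", "ip": "10.20.0.5"},
    {"ts": "2025-06-03T08:58:00", "user": "decoy.user", "event": "SignIn", "ip": "10.20.0.5"},
    {"ts": "2025-06-06T14:07:10", "user": "decoy.user", "event": "SignIn", "ip": "203.0.113.77"},
    {"ts": "2025-06-06T14:07:14", "user": "decoy.user", "event": "AuthMethodAdded",
     "ip": "203.0.113.77", "method": "authenticatorApp"},
    {"ts": "2025-06-06T14:07:16", "user": "decoy.user", "event": "AuthMethodAdded",
     "ip": "203.0.113.77", "method": "phone"},
    {"ts": "2025-06-06T14:30:00", "user": "alice", "event": "SignIn", "ip": "10.20.0.9"},
    {"ts": "2025-06-06T15:10:00", "user": "alice", "event": "AuthMethodAdded",
     "ip": "10.20.0.9", "method": "phone"},
]

WINDOW = timedelta(minutes=5)  # assumption: registrations this close to a new-IP sign-in are suspect


def detect_persistence(records, window=WINDOW):
    """Return one alert per AuthMethodAdded event that occurs within `window` of a sign-in
    from an IP not previously seen for that user, from that same IP.
    Records are processed in timestamp order so the 'previously seen' set is built as we go."""
    seen_ips = defaultdict(set)   # user -> IPs seen in earlier sign-ins
    last_new_ip_signin = {}       # user -> (time, ip) of the latest sign-in from a new IP
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(rec["ts"])
        user, ip = rec["user"], rec["ip"]
        if rec["event"] == "SignIn":
            if ip not in seen_ips[user]:
                last_new_ip_signin[user] = (t, ip)
            seen_ips[user].add(ip)
        elif rec["event"] == "AuthMethodAdded":
            hit = last_new_ip_signin.get(user)
            if hit and ip == hit[1] and t - hit[0] <= window:
                alerts.append({
                    "user": user,
                    "method": rec["method"],
                    "ip": ip,
                    "seconds_after_signin": int((t - hit[0]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(AUDIT):
        print(alert)
```

On the constructed trail the rule fires twice for `decoy.user` (4 and 6 seconds after the sign-in from 203.0.113.77) and not for `alice`, whose registration is 40 minutes after her sign-in. In production the "seen IPs" baseline should be seeded from history rather than from the batch being analysed, otherwise every user's first record looks new.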

Potential Attack Continuation

Had the attack not been stopped, the MITRE ATT&CK framework suggests several likely next steps:

  1. Cloud Service Discovery - Identifying connected services like OneDrive through the Microsoft 365 account
  2. Lateral Movement - Exploiting remote services to access OneDrive
  3. Collection - Gathering data from cloud storage
  4. Exfiltration - Removing data from the web service

Attackers prefer using existing infrastructure (like OneDrive) and legitimate communication channels (like TLS-encrypted web services) because the encryption that protects legitimate users also protects malicious activities.

Breaking the Kill Chain

The term kill chain originates from military terminology for documenting attack sequences. The defense strategy focused on breaking the chain at critical points:

  • The phishing emails themselves couldn't be prevented (1,500+ were sent)
  • Primary defense: User awareness - preventing employees from reaching the multi-factor authentication interception stage
  • Secondary defense: Rapid response - stopping account manipulation once the attack is detected

Breaking the chain early is crucial because finding evidence and stopping attacks becomes extremely difficult once attackers establish persistence in the network.

Using MITRE ATT&CK for Attribution

The seven techniques used in this attack (phishing, multi-factor authentication interception, account manipulation, cloud service discovery, lateral movement, collection, and exfiltration) can be mapped to specific mitigations, detections, and data sources.

The specific combination of techniques is often characteristic of particular APT (Advanced Persistent Threat) groups. Attackers are human and have limitations in their knowledge of programming languages, specializations in front-end or back-end technologies, and varying capabilities. By analyzing the technique combinations, security teams can potentially identify which attacker group was responsible, as these patterns serve as fingerprints.

This approach enables building knowledge graphs that map relationships between techniques, capabilities, and threat actors.

Data Sources and Limitations

Network traffic is a valuable data source for detecting both phishing and exfiltration. However, enterprise networks typically encrypt traffic for privacy reasons, and security teams cannot and should not break this encryption. Therefore, other data sources become critical, such as the phishing email file itself.

User training remains one of the most important mitigations against phishing, which is frequently the first step into networks. Some techniques, like Cloud Service Discovery, have no effective mitigation because once attackers have access to an email account, they can simply observe what services are linked—there's no way to prevent this reconnaissance.

Lessons Learned: Awareness Training Effectiveness

Statistical evidence demonstrates the importance of security awareness training:

  • Previous attack: 9 out of 900 employees (1%) clicked the phishing link, already very low compared to the 7-8% typically seen even after training
  • This attack: 2 out of 1,216 employees (0.16%) completed the full authentication process, an exceptionally low rate
  • Subsequent attack (one week later): zero employees clicked, possibly because of heightened awareness, although it is also possible that the email was simply not read

Lessons Learned: Passkeys as the Solution

The university is transitioning from TOTP-based multi-factor authentication to passkeys. Passkeys fundamentally solve the vulnerability exploited in this attack through their technical design:

  • Passkeys contain a private key that remains exclusively on the physical device
  • The website receives only the public key
  • The browser binds the passkey to a specific website domain (the relying party)
  • The passkey cannot be used on a fake website at a different domain: the browser only offers the passkey for the domain it was registered to, and the signed response includes the origin, so the relying party can verify where it came from

This domain verification happens automatically and does not rely on users checking the URL behind a button, a check that is impractical in practice given time pressure and cognitive load.

The attack described would have been impossible with passkeys because the domain verification would have failed on the attacker's fake login page. This technical control removes the human element from URL verification, making it the speaker's primary recommendation for preventing similar attacks.
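The difference between the two factors can be shown in a few lines of verification code. The block below is an added example written for this summary, not code from the talk, and uses only the Python standard library. The TOTP part implements RFC 6238 (with the RFC's 30-second step rather than the 60 seconds quoted in the talk) and shows that the server checks only secret and time, so it cannot tell a relayed code from one typed on the genuine page. The passkey part implements the relying-party checks on WebAuthn `clientDataJSON` (type, challenge, origin) and on the `rpIdHash` in authenticator data; the signature check that a real relying party performs afterwards is left out so the block needs no third-party library. The origins and RP ID are placeholders, not the university's real login domain.

```python
"""TOTP accepts a relayed code; a passkey assertion from a phishing origin is rejected
(added example; origins, RP ID, secret and timestamps are constructed placeholders)."""
import base64
import hashlib
import hmac
import json
import struct

TOTP_STEP = 30  # RFC 6238 default step in seconds (the talk quotes 60)


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float) -> bool:
    """The server checks secret and time only: nothing tells it where the user typed the code."""
    return hmac.compare_digest(totp(secret, now), code)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_data_json(origin: str, challenge: bytes) -> bytes:
    """What the browser builds for navigator.credentials.get(); the browser fills in 'origin'."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData prefix: SHA-256 of the RP ID, flags byte (UP set), 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def verify_assertion(client_data: bytes, auth_data: bytes, expected_origin: str,
                     rp_id: str, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn assertion procedure (type, challenge, origin,
    rpIdHash). A real RP then verifies the signature over auth_data || SHA-256(client_data)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run both checks on constructed inputs and return the outcomes."""
    secret = b"constructed-shared-secret"
    now = 1_749_218_820.0            # constructed timestamp, exactly on a 30 s step boundary
    code = totp(secret, now)         # captured on the fake page at time `now`
    relayed_ok = verify_totp(secret, code, now + 20)   # replayed to the real site 20 s later

    challenge = b"constructed-challenge-16"
    rp_id, real_origin = "login.example.edu", "https://login.example.edu"
    phish_origin = "https://login.attacker-controlled.example"
    auth = authenticator_data(rp_id)
    from_real = verify_assertion(client_data_json(real_origin, challenge), auth, real_origin, rp_id, challenge)
    from_phish = verify_assertion(client_data_json(phish_origin, challenge), auth, real_origin, rp_id, challenge)
    return {"totp_relayed_accepted": relayed_ok, "passkey_real": from_real, "passkey_phish": from_phish}


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `totp_relayed_accepted: True`, `passkey_real: (True, 'ok')` and `passkey_phish: (False, "origin ... is not ...")`. In practice the phishing page would not even obtain an assertion, because the browser refuses to use a credential whose RP ID is not a registrable suffix of the page's own domain; the origin check shown here is the relying party's backstop for the same property.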

Key Takeaway

Security awareness training remains critical, but technical controls like passkeys provide a more robust defense by eliminating entire attack vectors rather than relying solely on human vigilance.