CypherCon 2023

The Call’s Coming from Inside the House: Authentication Proxy Attacks: Detection, Response and Hunting

Chris Merkel


Over five years ago, Evilginx was released, demonstrating how easily authentication session tokens can be stolen from MFA-enabled logon processes with a simple reverse proxy. Despite being a well-known technique, it was rarely seen in widespread use among cybercrime threat actors until recently.

The advent of the EvilProxy and similar platforms has given attackers the ability to compromise targets with strong authentication without resorting to burdensome SIM swapping or noisy push fatigue attacks. With nascent adoption rates of phish-resistant MFA outside government-aligned sectors, organizations need to know how to detect and respond to these attacks.

In this talk, we will provide an in-depth look at the tactics, techniques and procedures (TTPs) used by threat actors to effect account takeover of MFA-enabled accounts. We’ll demonstrate how the ingenuity of this attack has a fatal flaw at its core, allowing us to hunt, detect, mitigate and block this type of attack.

Importance: The overall philosophy of the presenters is that “everyone can cook”, meaning that teams don’t have to be highly mature or sophisticated to take what they’ve learned and have a shot at protecting their organizations.

In this case, I’m applying that same perspective toward a novel, advanced and highly successful attack technique.

Attendees will be provided with actionable guidance on how to implement a comprehensive plan for addressing MFA proxy attacks. This includes:

– Being prepared for an authentication proxy attack by understanding how it differs from other account takeover methods.

– Understanding all the different ways these attacks can be detected, so they can select and implement the detections best suited to their environment.

– Seeing a demonstration of how purple team tactics, adversarial simulation and threat intelligence pipelines can be used to model, execute and implement improved detections and mitigations.

Chris Merkel


Chris Merkel leads Northwestern Mutual’s Incident Response, Insider Risk and Detection Engineering functions. Beyond his current role, he has had a distinguished career in cybersecurity, leading global organizations and solving cutting-edge challenges in cloud security, appsec, product security, threat-informed defense strategies and automated assurance methodologies. Chris is passionate about professional development, organizing career villages, performing career counseling, mentoring and being actively involved in helping non-traditional students get their start in cybersecurity.