A phishing technique known as Browser-in-the-Middle (BitM) is being used to bypass multi-factor authentication (MFA) and hijack user sessions within seconds of a victim logging in. Rather than exploiting a vulnerability, it abuses ordinary web browser functionality to intercept authenticated sessions, which makes it a significant threat to organizations that treat MFA as sufficient on its own.
In a BitM attack the victim is not shown a copy of the legitimate site but a live view of the real one. Clicking a phishing link lands the victim on an attacker-controlled page that streams a browser running on attacker infrastructure (typically through a noVNC-style remote-browser canvas) with the genuine login page already open. Every keystroke and click, including the password, the one-time code or the push approval, is entered into the attacker's browser, not the victim's. Once authentication completes, the session cookie or token is sitting in that remote browser, and the attacker simply exports and reuses it: the victim's device never held the authenticated state at all.
Key Components of BitM:
- Transparent Proxies and Remote Browsers: Adversary-in-the-Middle (AitM) reverse proxies such as Evilginx2 sit between the victim and the target service, rewriting HTTP responses so that the legitimate domain is replaced with the phishing domain while credentials and session cookies are logged as they pass through. BitM frameworks such as Delusion reach the same end state differently: instead of rewriting traffic, they hand the victim a remote attacker-controlled browser, so no per-target rewriting rules are needed.
- Rapid Deployment: Because the attacker's browser simply visits the real site, a BitM framework can be pointed at almost any web application with little per-target setup. Features such as stored Firefox profiles (so a harvested session can be resumed later) and automatic load balancing across browser instances make large-scale phishing campaigns manageable.
- Real-Time Monitoring: The operator can watch the victim's session as it happens and take over the moment authentication succeeds, before the victim notices anything unusual.
BitM attacks are particularly dangerous because they bypass the MFA methods most organizations deploy (one-time codes, push approvals), which are often treated as the last line of defence. A captured session token gives the attacker access for as long as that session remains valid, typically until it expires or is revoked, without ever needing the victim's credentials or a second MFA prompt.
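What a stolen session looks like in sign-in telemetry, as an added example that is not part of the original article or of any tool it names. In a BitM attack the sign-in itself is performed by the attacker's browser, so the MFA-success event carries an IP and user agent the user has never used, and the exported cookie is then typically replayed from yet another client. The log format, field names, baseline and sample records below are constructed for this example; adapt the parser to your identity provider's export.

```python
"""Flag sessions whose MFA sign-in or later use does not match the client the
user normally authenticates from. Constructed example: the record layout,
the baseline and the addresses (RFC 5737 documentation ranges) are made up."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Per-user baseline of known egress networks and browser builds (constructed).
BASELINE = {
    "alice": {
        "networks": [ip_network("203.0.113.0/24")],
        "user_agents": {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    }
}

# Constructed sample log: session s1 is clean, session s2 shows both indicators.
SAMPLE_LOG = [
    {"ts": "2025-04-01T09:00:01Z", "user": "alice", "event": "mfa_success", "session": "s1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"ts": "2025-04-01T09:05:00Z", "user": "alice", "event": "api_call", "session": "s1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    # MFA completed from an unknown network and browser build: consistent with the
    # attacker's remote browser finishing the login on the victim's behalf.
    {"ts": "2025-04-01T13:00:00Z", "user": "alice", "event": "mfa_success", "session": "s2",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    # The same session token is then used from a third client: exported and replayed.
    {"ts": "2025-04-01T13:00:20Z", "user": "alice", "event": "api_call", "session": "s2",
     "ip": "192.0.2.55", "ua": "python-requests/2.31"},
]


def client_known(user, ip, ua):
    """True if both the source network and the user agent are in the user's baseline."""
    base = BASELINE.get(user)
    if base is None:
        return False
    addr = ip_address(ip)
    return any(addr in net for net in base["networks"]) and ua in base["user_agents"]


def analyse(records):
    """Return {session_id: [indicator, ...]} for sessions that deserve a second look.

    Two indicators are raised: the MFA-success event came from a client outside
    the user's baseline, and the session was later used from a client other than
    the one that completed MFA."""
    findings = defaultdict(list)
    origin = {}  # session id -> (ip, ua) observed at mfa_success
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["session"]
        if rec["event"] == "mfa_success":
            origin[sid] = (rec["ip"], rec["ua"])
            if not client_known(rec["user"], rec["ip"], rec["ua"]):
                findings[sid].append("mfa_from_unknown_client")
        elif sid in origin and (rec["ip"], rec["ua"]) != origin[sid]:
            if "session_used_from_different_client" not in findings[sid]:
                findings[sid].append("session_used_from_different_client")
    return dict(findings)


if __name__ == "__main__":
    for sid, indicators in analyse(SAMPLE_LOG).items():
        print(sid, indicators)
```

The first indicator is the more valuable one for BitM specifically, because it fires at the sign-in rather than after the token has already been replayed; the second is what you would also see with plain cookie theft by malware.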
Mitigation Strategies:
1. Phishing-Resistant MFA (FIDO2/WebAuthn): With security keys such as a YubiKey, or platform passkeys, the browser records the page origin in the signed client data and the authenticator hashes the relying party ID into its response, so an assertion produced on a lookalike domain is rejected by the real site. Against BitM the protection is even simpler: the login ceremony runs inside the attacker's remote browser, which has no path to the victim's authenticator. One-time codes and push approvals carry no origin binding and are relayed unchanged.
2. Client Certificates and Device-Bound Sessions: Requiring a device-issued certificate (mutual TLS) means the attacker's browser cannot complete the sign-in, and binding issued sessions to that device prevents a cookie exported from one browser from being replayed in another.
3. Behavioral Monitoring: Because the sign-in itself originates from the attacker's browser, a successful MFA event from an IP address, ASN or browser fingerprint the user has never used, especially one followed by the same session being used from yet another client, is a strong signal of a BitM compromise and should trigger session revocation.
4. Security Awareness Training: Users who notice a lookalike URL, a login page rendered inside an unusual window or canvas, or an unsolicited authentication prompt can still break the chain, but training supplements the controls above rather than replacing them.
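Why a FIDO2 assertion cannot be relayed the way a one-time code can, as an added example that is not part of the original article. It performs the relying-party binding checks from the WebAuthn verification procedure: the challenge must match the one the server issued, `origin` in clientDataJSON (written by the browser, not by page script) must equal the service's origin, and the first 32 bytes of authenticatorData must equal SHA-256 of the relying party ID. The RP ID, origin, challenge and assertion values are constructed for this example, and signature verification over authenticatorData || SHA-256(clientDataJSON), which follows these checks in a real deployment, is left out.

```python
"""WebAuthn relying-party binding checks (constructed example, not from any
library). A response produced on a phishing origin, or for a replayed
challenge, fails here before any signature is examined."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                       # assumption: the service's relying party ID
EXPECTED_ORIGIN = "https://login.example.com"     # assumption: the only origin the RP accepts


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed challenge; a real server draws a fresh random one per ceremony.
CHALLENGE = b64url_encode(b"constructed-challenge-0123456789abcdef")


def verify_binding(assertion: dict, expected_challenge: str):
    """Return (ok, reason). All checks must pass before signature verification."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale ceremony)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:                  # UP flag: user presence
        return False, "user presence flag not set"
    return True, "binding checks passed"


def make_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Stand-in for what a browser plus authenticator would return for a
    ceremony run on `origin`; only the fields the binding checks read are set."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags = bytes([0x01])                         # UP set, no UV, no extensions
    sign_count = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}


def demo():
    """Legitimate ceremony versus the same key used on a lookalike origin."""
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    phished = make_assertion("https://login.example-com.net", "login.example-com.net", CHALLENGE)
    return verify_binding(genuine, CHALLENGE), verify_binding(phished, CHALLENGE)


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

An AitM reverse proxy fails the origin and rpIdHash checks because the ceremony ran on the phishing domain; a BitM remote browser never gets this far, because the WebAuthn call executes in the attacker's browser, where no authenticator belonging to the victim is attached.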
BitM exploits no flaw in the browser or in the target site; it uses ordinary browser features to sidestep controls that silently assume the user and the authenticated browser are on the same device. Security teams should treat OTP- and push-based MFA as phishable and move toward origin-bound and device-bound authentication, with sign-in telemetry that can catch the cases where that migration is not yet complete.