Threats from the Wild - Episode 3: Multi-Factor Authentication (MFA) Bypass 101: Pass-the-Cookie/Pass-the-Identity (PTC/PTI) Attack Detection Using Logs


The significant increase in remote work/work-from-home (WFH) over the past year as well as the recent high-profile attacks bypassing MFA that involved Solarwinds and cloud providers have heightened the need for the blue teams to better understand and detect attempts by the malicious threat actors to bypass MFA.

In this presentation, Oleg Kolesnikov, VP of Threat R&D/Securonix Threat Labs, will provide some of the key technical insights into the latest MFA bypass attacks carried out by malicious threat actors in the wild, including:

  • Introduction to MFA bypass attacks in context of WFH focusing on pass-the-cookie/pass-the-identity (PTC/PTI) attack vectors.
  • Latest observations from the wild including attack tools and examples of how malicious threat actors can use PTC/PTI to compromise MFA-enabled accounts, e.g. Azure, Github, etc.
  • Demo of an PTC attack in action.
  • What possible PTC/PTI attacks might look like in your cloud and EDR logs.
  • Some insights into the relevant detection/hunting use cases to help you increase the chances of detecting such attacks in your environments.