Social Engineering MFA Bypass Surge: Attackers “Invite” Themselves Into IAM Systems
What Happened — Cisco Talos reports a sharp rise in MFA‑spray (repeated push prompts until the user accepts) and “invite‑in” attacks that talk victims through MFA rather than breaking it: users are coaxed into reading back one‑time codes, approving a push, or completing a login on an attacker‑controlled page. Adversary‑in‑the‑middle phishing kits proxy the legitimate login page and relay the credentials and code to the real identity provider as they are typed, capturing the session cookie the provider issues; live voice social engineering (a caller posing as IT or a vendor contact) harvests the same codes over the phone. Either way the attacker ends up holding a valid, fully authenticated session.
Why It Matters for TPRM —
- MFA is a cornerstone control for third‑party access; once an attacker holds a session that has already passed MFA, every downstream control that trusts the authenticated identity (SSO into vendor portals, conditional access, role assignments) is inherited along with it.
- A successful “invite‑in” attack gives the adversary whatever the invited user can reach: vendor portals, cloud consoles, and supply‑chain systems. It uses the legitimate login flow, so there is no exploit or malware for endpoint tooling to catch.
- The 178% surge in fraudulent device registrations (attackers enrolling their own authenticator once inside, so access survives a password reset) signals a broader push to subvert identity‑centric defenses across multiple industries.
Who Is Affected — Enterprises relying on IAM platforms, SaaS providers, MSPs, and any organization that enforces MFA for third‑party access.
Recommended Actions — Review MFA implementations for phishing resistance (FIDO2/WebAuthn and certificate‑based authenticators are bound to the site origin and cannot be relayed through a proxy kit; one‑time codes and push approvals can); require out‑of‑band verification before helpdesk resets or new‑device enrollment; train staff that no legitimate IT or vendor process asks for a code in real time; and alert on MFA device registrations that follow a sign‑in from an unfamiliar network or come from a different address than the login that opened the session.
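The last recommendation, turned into detection logic, as an added example for this digest (not Cisco Talos code and not tied to any vendor's log format). The event schema, field names, sample events and per‑user ASN baseline below are all constructed stand‑ins for an IdP audit log; map them to your own source. The rule fires only on the factor‑enrollment step, which is the persistence action an attacker takes after the phished login:

```python
"""Flag MFA device registrations that look like an attacker inviting themself in.

Added example for this digest; not Cisco Talos code and not any vendor's schema.
The event fields (ts, user, type, ip, asn, factor) are constructed assumptions
standing in for an IdP audit log; adapt the mapping to Okta, Entra ID, etc.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data). An attacker who phishes a code
# or session typically registers a new factor minutes after the stolen login.
SAMPLE_EVENTS = [
    # alice: normal re-enrollment from her usual network -> benign
    {"ts": "2025-03-01T09:00:00Z", "user": "alice@vendor.example", "type": "login.success",
     "ip": "203.0.113.10", "asn": 64500},
    {"ts": "2025-03-01T09:04:00Z", "user": "alice@vendor.example", "type": "mfa.factor.enroll",
     "ip": "203.0.113.10", "asn": 64500, "factor": "push"},
    # bob: login relayed through a proxy kit (ASN outside baseline), then a new TOTP factor
    {"ts": "2025-03-01T10:00:00Z", "user": "bob@vendor.example", "type": "login.success",
     "ip": "198.51.100.7", "asn": 64501},
    {"ts": "2025-03-01T10:02:00Z", "user": "bob@vendor.example", "type": "mfa.factor.enroll",
     "ip": "198.51.100.7", "asn": 64501, "factor": "totp"},
    # dave: login from his usual network, but the factor is enrolled from another host,
    # consistent with a session cookie captured by a proxy and replayed elsewhere
    {"ts": "2025-03-01T11:00:00Z", "user": "dave@vendor.example", "type": "login.success",
     "ip": "203.0.113.50", "asn": 64500},
    {"ts": "2025-03-01T11:03:00Z", "user": "dave@vendor.example", "type": "mfa.factor.enroll",
     "ip": "198.51.100.99", "asn": 64599, "factor": "push"},
    # carol: enrollment well into an established session from a known network -> benign
    {"ts": "2025-03-02T08:00:00Z", "user": "carol@vendor.example", "type": "login.success",
     "ip": "192.0.2.44", "asn": 64502},
    {"ts": "2025-03-02T08:30:00Z", "user": "carol@vendor.example", "type": "mfa.factor.enroll",
     "ip": "192.0.2.44", "asn": 64502, "factor": "push"},
    # erin: enrollment with no login visible in the examined log -> triage
    {"ts": "2025-03-02T09:00:00Z", "user": "erin@vendor.example", "type": "mfa.factor.enroll",
     "ip": "192.0.2.90", "asn": 64503, "factor": "totp"},
]

# ASNs each user has signed in from over a trailing baseline period (constructed;
# in practice computed from 30+ days of login history).
BASELINE_ASNS = {
    "alice@vendor.example": {64500},
    "bob@vendor.example": {64510},
    "carol@vendor.example": {64502},
    "dave@vendor.example": {64500},
    "erin@vendor.example": {64503},
}

WINDOW = timedelta(minutes=15)  # enrollment this soon after login is the persistence step


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_enrollments(events, baseline_asns, window=WINDOW):
    """Return factor enrollments that (a) fall within `window` of a login from an ASN
    outside the user's baseline, (b) come from a different IP than the login that
    opened the session, or (c) have no login visible in the examined events."""
    last_login = {}   # user -> most recent login.success event seen so far
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user = ev["user"]
        if ev["type"] == "login.success":
            last_login[user] = ev
            continue
        if ev["type"] != "mfa.factor.enroll":
            continue
        login = last_login.get(user)
        reasons = []
        if login is None:
            reasons.append("no_login_in_log")
        elif parse_ts(ev["ts"]) - parse_ts(login["ts"]) <= window:
            if login["asn"] not in baseline_asns.get(user, set()):
                reasons.append("login_from_unfamiliar_asn")
            if ev["ip"] != login["ip"]:
                reasons.append("enrollment_ip_differs_from_login")
        if reasons:
            findings.append({"user": user, "ts": ev["ts"], "factor": ev["factor"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_EVENTS, BASELINE_ASNS):
        print(f"{f['ts']} {f['user']} enrolled {f['factor']}: {', '.join(f['reasons'])}")
```

On the sample data the rule flags bob (login relayed from an unfamiliar ASN), dave (factor enrolled from a host other than the one that logged in) and erin (no login in the examined window), and stays quiet on alice and carol. An unfamiliar ASN on a login alone is just a risky sign‑in; pairing it with the enrollment keeps the alert volume proportional to the action that actually matters for persistence.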
Technical Notes — Attack vector: phishing (voice social engineering and adversary‑in‑the‑middle credential‑phishing kits) that captures one‑time codes and the session tokens issued after them, rather than exploiting a software flaw. No specific CVE cited. Data at risk includes privileged credentials and session tokens, enabling lateral movement and data exfiltration. Source: Cisco Talos – “You have to invite them in”