

MFA and the prevention of AiTM

Hey Redditors,

I need your advice.

Currently, I'm trying to investigate the AiTM attack method in the Microsoft Cloud environment.

Some of the references I get my knowledge from are:

AiTM / MFA phishing attacks in combination with "new" Microsoft protections (2024 edition) (jeffreyappel.nl)

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud | Microsoft Security Blog

I recall my previous employer experiencing such an attack. A user received an email with a QR code, scanned it, and subsequently entered their username and password.

According to the user, the subsequent MFA prompt was NOT confirmed. I also remember seeing in the login-logs that MFA was not confirmed.

Despite this, the attacker was able to add a second factor, authenticate, and initiate a BEC.

My question is:

How could the attacker register a second factor and complete the login without the full authentication process from the user?

From what I've read online so far, it's not entirely clear to me how this is possible. Some resources state that MFA confirmation is required, while others suggest it can be bypassed.

Can someone please explain this to me?

Thanks in advance!
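As an added example (not part of the original post or any reply to it), a small Python check over constructed sign-in and audit records that flags the pattern the post describes: a security-info registration that follows, within a short window, a sign-in by the same user that involved no fresh MFA prompt or that came from a different IP address. The record field names and status strings are assumptions modelled loosely on Entra ID sign-in and audit logs, not the product's actual schema.

```python
"""Correlate constructed sign-in and audit records to surface registrations of
a new MFA method that closely follow a sign-in lacking a fresh MFA prompt or
originating from a different IP address (a common follow-on to session theft)."""
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Field names and status
# strings are assumptions loosely modelled on Entra ID sign-in/audit logs.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-02T08:01:00",
     "ip": "203.0.113.10",
     "mfa": "MFA requirement satisfied by claim in the token"},
    {"user": "bob@example.com", "time": "2024-05-02T09:10:00",
     "ip": "198.51.100.7", "mfa": "MFA completed in Azure AD"},
]
AUDITS = [
    {"user": "alice@example.com", "time": "2024-05-02T08:09:00",
     "ip": "192.0.2.44", "activity": "User registered security info"},
    {"user": "bob@example.com", "time": "2024-05-02T09:15:00",
     "ip": "198.51.100.7", "activity": "User registered security info"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_suspicious_registrations(signins, audits, window_minutes=60):
    """Return (user, signin_ip, registration_ip, reasons) for each security-info
    registration that follows a sign-in by the same user within the window and
    shows at least one warning sign; an empty list means nothing to review."""
    hits = []
    for a in audits:
        if a["activity"] != "User registered security info":
            continue
        for s in signins:
            if s["user"] != a["user"]:
                continue
            delta = _t(a["time"]) - _t(s["time"])
            if not timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                continue
            reasons = []
            if not s["mfa"].startswith("MFA completed"):
                reasons.append("no fresh MFA prompt at sign-in")
            if s["ip"] != a["ip"]:
                reasons.append("registration IP differs from sign-in IP")
            if reasons:
                hits.append((a["user"], s["ip"], a["ip"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_registrations(SIGNINS, AUDITS):
        print("review:", hit)
```

On the constructed data only alice's registration is flagged, for both reasons; bob's registration follows a sign-in with a fresh MFA prompt from the same IP and is left alone.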


Posted: 5 months ago