Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Credential Access
  4. >ATTACK-T1111
ATTACK-T1111Active

Multi-Factor Authentication Interception

Statement

Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)

Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)

Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)

Location

Tactic
Credential Access

Technique Details

Identifier
ATTACK-T1111
ATT&CK Page
View on MITRE

Tactics

Credential Access

Platforms

LinuxWindowsmacOS

Detection

Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying

Mitigations

User Training: User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

  • Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
  • Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

  • Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
  • Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

  • Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

  • Include cybersecurity training as part of the onboarding process for new employees.
  • Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

  • Update training materials to include emerging threats and techniques used by adversaries.
  • Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

  • Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
  • Discuss how specific employee actions can prevent or mitigate such attacks.
SP 800-53
SP800-53-CA-7relatedvia ctid-attack-to-sp800-53
SP800-53-CM-2relatedvia ctid-attack-to-sp800-53
SP800-53-CM-6relatedvia ctid-attack-to-sp800-53
SP800-53-IA-2relatedvia ctid-attack-to-sp800-53
SP800-53-IA-5relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Credential Access
Credential Access62 controls
ATTACK-T1003OS Credential DumpingATTACK-T1003.001LSASS MemoryATTACK-T1003.002Security Account ManagerATTACK-T1003.003NTDSATTACK-T1003.004LSA SecretsATTACK-T1003.005Cached Domain CredentialsATTACK-T1003.006DCSyncATTACK-T1003.007Proc FilesystemATTACK-T1003.008/etc/passwd and /etc/shadowATTACK-T1040Network SniffingATTACK-T1110Brute ForceATTACK-T1110.001Password GuessingATTACK-T1110.002Password CrackingATTACK-T1110.003Password SprayingATTACK-T1110.004Credential StuffingATTACK-T1111Multi-Factor Authentication InterceptionATTACK-T1187Forced AuthenticationATTACK-T1212Exploitation for Credential AccessATTACK-T1528Steal Application Access TokenATTACK-T1539Steal Web Session CookieATTACK-T1552Unsecured CredentialsATTACK-T1552.001Credentials In FilesATTACK-T1552.002Credentials in RegistryATTACK-T1552.003Shell HistoryATTACK-T1552.004Private KeysATTACK-T1552.005Cloud Instance Metadata APIATTACK-T1552.006Group Policy PreferencesATTACK-T1552.007Container APIATTACK-T1552.008Chat MessagesATTACK-T1555Credentials from Password StoresATTACK-T1555.001KeychainATTACK-T1555.002Securityd MemoryATTACK-T1555.003Credentials from Web BrowsersATTACK-T1555.004Windows Credential ManagerATTACK-T1555.005Password ManagersATTACK-T1555.006Cloud Secrets Management StoresATTACK-T1556Modify Authentication ProcessATTACK-T1556.001Domain Controller AuthenticationATTACK-T1556.002Password Filter DLLATTACK-T1556.003Pluggable Authentication ModulesATTACK-T1556.004Network Device AuthenticationATTACK-T1556.005Reversible EncryptionATTACK-T1556.006Multi-Factor AuthenticationATTACK-T1556.007Hybrid IdentityATTACK-T1556.008Network Provider DLLATTACK-T1556.009Conditional Access PoliciesATTACK-T1557Adversary-in-the-MiddleATTACK-T1557.001LLMNR/NBT-NS Poisoning and SMB RelayATTACK-T1557.002ARP Cache PoisoningATTACK-T1557.003DHCP SpoofingATTACK-T1557.004Evil TwinATTACK-T1558Steal or Forge Kerberos TicketsATTACK-T1558.001Golden TicketATTACK-T1558.002Silver TicketATTACK-T1558.003KerberoastingATTACK-T1558.004AS-REP RoastingATTACK-T1558.005Ccache FilesATTACK-T1606Forge Web CredentialsATTACK-T1606.001Web CookiesATTACK-T1606.002SAML TokensATTACK-T1621Multi-Factor Authentication Request GenerationATTACK-T1649Steal or Forge Authentication Certificates