NZ Incident Response Bulletin – March 2025

The Rising Threat: MFA Token Theft and Email-Based Remote Access Tool Infections

As organisations continue to strengthen their security postures, attackers are evolving their methods to bypass traditional defences. Two growing trends we have seen in this space are the theft of multifactor authentication (MFA) tokens and the distribution of remote access tools (RATs) via email. These sophisticated tactics enable attackers to silently gain persistent access to corporate networks, often evading standard detection mechanisms.

Understanding the Threat Landscape

1. MFA Token Theft

Multifactor authentication has been a cornerstone of modern cybersecurity, but threat actors have developed methods to intercept and hijack session tokens, effectively bypassing MFA protections.

How it happens:

  • Session Hijacking: Attackers use phishing emails or malicious links to trick users into logging into fake portals. Once the user has entered their credentials and MFA code, the attackers harvest the resulting session cookies, allowing them to impersonate the user without triggering a further MFA prompt.
  • Malware & Info Stealers: Keyloggers and information-stealing malware can exfiltrate authentication tokens stored in browsers or in memory.
  • Reverse Proxy Tools (e.g., Evilginx2): These mimic legitimate login pages and relay authentication requests to the real service in real time, capturing both credentials and the session tokens the service issues.

Preventing MFA Token Theft

  • Use FIDO2/WebAuthn Authentication: Replace SMS or TOTP-based MFA with phishing-resistant methods like hardware tokens (e.g., YubiKey) or biometric-enabled security keys.
  • Implement Conditional Access Policies: Require re-authentication for sensitive applications or sessions and monitor for anomalies like impossible travel.
  • Session Management Controls: Limit token lifetime, implement revocation policies, and monitor for concurrent logins from different geographies.
  • Advanced Email Filtering: Block phishing emails that host fake login portals or redirect to credential harvesting sites.
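The "impossible travel" check mentioned under Conditional Access Policies and the "concurrent logins from different geographies" check under Session Management Controls are both simple to express over sign-in logs. The following is an added example written for this bulletin, not code from any identity provider: the sign-in record layout, the coordinates, the 900 km/h plausibility threshold and the two-hour comparison window are all assumptions, and the sign-in events are constructed sample data.

```python
"""Flag 'impossible travel' and concurrent sign-ins from different countries.

Added example for the bulletin; the record layout and thresholds are
assumptions, not any product's real schema or defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0          # assumption: roughly airliner speed
CONCURRENCY_WINDOW = timedelta(hours=2)  # assumption: session lifetime to compare


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime      # UTC
    country: str        # ISO country code resolved from the source IP
    lat: float
    lon: float
    outcome: str        # "success" or "failure"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier_signin, later_signin, speed_kmh) for consecutive
    successful sign-ins by one user that would require implausible travel speed.
    A stolen session cookie replayed from abroad shows up here because the
    attacker's sign-in follows the victim's legitimate one within minutes."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda e: e.when):
        if e.outcome != "success":
            continue  # failed attempts never established a session
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.when - prev.when).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((e.user, prev, e, speed))
        last_seen[e.user] = e
    return alerts


def concurrent_foreign_sessions(events, window=CONCURRENCY_WINDOW):
    """Return {user: {countries}} for users with successful sign-ins from more
    than one country inside the same window, i.e. sessions that are live at
    the same time from different geographies."""
    flagged = {}
    ok = sorted((e for e in events if e.outcome == "success"), key=lambda e: e.when)
    for i, first in enumerate(ok):
        countries = {first.country}
        for later in ok[i + 1:]:
            if later.when - first.when > window:
                break  # list is time-ordered, nothing further fits the window
            if later.user == first.user:
                countries.add(later.country)
        if len(countries) > 1:
            flagged.setdefault(first.user, set()).update(countries)
    return flagged


SAMPLE_SIGNINS = [  # constructed sample data, not real log entries
    SignIn("alice", datetime(2025, 3, 3, 9, 0), "NZ", -36.85, 174.76, "success"),
    SignIn("alice", datetime(2025, 3, 3, 10, 30), "NL", 52.37, 4.90, "success"),
    SignIn("bob", datetime(2025, 3, 3, 9, 0), "NZ", -36.85, 174.76, "success"),
    SignIn("bob", datetime(2025, 3, 3, 11, 0), "NZ", -41.29, 174.78, "success"),
    SignIn("carol", datetime(2025, 3, 3, 9, 15), "NZ", -36.85, 174.76, "success"),
    SignIn("carol", datetime(2025, 3, 3, 9, 20), "US", 40.71, -74.01, "failure"),
]

if __name__ == "__main__":
    for user, a, b, speed in impossible_travel(SAMPLE_SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {user}: {a.country} -> {b.country} at {speed:,.0f} km/h")
    for user, countries in concurrent_foreign_sessions(SAMPLE_SIGNINS).items():
        print(f"CONCURRENT SESSIONS {user}: {sorted(countries)}")
```

In the sample data only alice trips both checks: an Auckland sign-in followed ninety minutes later by one from Amsterdam. Bob's Auckland-to-Wellington pair is well under the speed threshold, and carol's overseas attempt is ignored because it failed. An alert from either function is the point at which the session management controls above (revoking the token and forcing re-authentication) should be applied rather than simply logged.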

2. Email-Distributed Remote Access Tools (RATs)

Cybercriminals are increasingly using email as a vector to distribute stealthy RATs, which grant full control over compromised systems.

How it happens:

  • Malicious Attachments: Attackers embed RATs in office documents with macros or scripts that run upon opening.
  • Embedded Links: Emails lure users into clicking links that download and install RAT payloads.
  • Trusted Spoofs: Messages appear to come from legitimate vendors, internal departments, or known contacts, increasing the success rate.

Once installed, RATs allow adversaries to obtain login credentials, access or exfiltrate sensitive data, move laterally within the environment and install additional malware (e.g., ransomware or info stealers).

Defending Against RAT Infections via Email

  • Email Security Gateways & Sandboxing: Scan attachments and links in a secure environment before delivery.
  • Endpoint Detection and Response (EDR): Detect and isolate suspicious behaviours, such as unauthorised remote access or unusual process execution.
  • User Awareness Training: Equip users with the ability to spot suspicious attachments and phishing attempts.
  • Application Whitelisting: Block unapproved executable files from running on endpoints.
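Two of the host-side defences above can be illustrated with a few lines of detection logic: an EDR-style rule that flags an Office application spawning a script or command interpreter (the typical footprint of a macro dropping a RAT), and a path-based allow-list check that refuses executables running from user-writable directories. This is an added example written for this bulletin, not code from any EDR or allow-listing product; the process event layout, the application and interpreter names, the approved directories and the sample events are all assumptions or constructed data.

```python
"""Host-side checks for the email-borne RAT scenario.

Added example for the bulletin; event schema, name lists and approved
directories are assumptions, and the events below are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parent applications that should never need to launch an interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and LOLBins commonly used by macro payloads to stage a RAT.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Assumed allow-list: only binaries under these trees may run.
APPROVED_DIRS = (
    PureWindowsPath(r"c:\program files"),
    PureWindowsPath(r"c:\program files (x86)"),
    PureWindowsPath(r"c:\windows"),
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that created it


def _basename(path):
    """Lower-cased file name, so comparisons ignore case and directory."""
    return PureWindowsPath(path).name.lower()


def office_spawning_script_host(events):
    """EDR-style rule: Office parent launching an interpreter child."""
    return [
        e for e in events
        if _basename(e.parent_image) in OFFICE_APPS
        and _basename(e.image) in SCRIPT_HOSTS
    ]


def outside_approved_dirs(events, approved=APPROVED_DIRS):
    """Allow-list check: executables not under an approved directory."""
    def is_approved(image):
        p = PureWindowsPath(image.lower())  # lower-case before comparing
        return any(p.is_relative_to(d) for d in approved)  # Python 3.9+
    return [e for e in events if not is_approved(e.image)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    ProcessEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(4188, r"C:\Users\jane\AppData\Local\Temp\update.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(4201, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4230, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for e in office_spawning_script_host(SAMPLE_EVENTS):
        print(f"ALERT pid {e.pid}: {_basename(e.parent_image)} spawned {_basename(e.image)}")
    for e in outside_approved_dirs(SAMPLE_EVENTS):
        print(f"BLOCK pid {e.pid}: {e.image} is outside the approved directories")
```

In the constructed sample, the Word-to-PowerShell event is the one the EDR rule raises, and the binary launched from the user's Temp directory is the one the allow-list refuses; the two controls catch different stages of the same infection chain, which is why the list above recommends both. Excel opening a spreadsheet and a user-launched command prompt are left alone.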

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and, where possible, a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.