216.73.217.22

T1111: T1111

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID
T1111
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:12
Author / Source
The MITRE Corporation

Aliases

Multi-Factor Authentication Interception

Platforms

windows macos linux

Description

Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users’ phones.(Citation: Okta Scatter Swine 2022)

Kill chain phases

Kill chainPhase
mitre-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

  • Chimera uses
    The MITRE Corporation Confidence 100

    [Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • LAPSUS$ uses DEV-0537Strawberry Tempest
    The MITRE Corporation Confidence 100

    [LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • APT42 uses
    The MITRE Corporation Confidence 100

    [APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • CozyDuke uses IRON RITUALIRON HEMLOCK
    The MITRE Corporation Confidence 100

    [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • BlueDelta uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:08 · Modified 21/12/2025 05:08
  • APT 42 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:50 · Modified 20/12/2025 21:50

Malware (17)

  • Sykipot
  • httd uses
    Family
    Published 18/03/2026 10:51 · Modified 18/03/2026 10:51
  • HeadLace uses
    Family
    Published 05/08/2024 08:30 · Modified 05/08/2024 08:30
  • Linux uses
    Family
    Published 15/10/2024 17:58 · Modified 15/10/2024 17:58
  • Pineflower
  • Windows uses
    Family
    Published 15/10/2024 17:58 · Modified 15/10/2024 17:58
  • SLOWPULSE
  • AIX uses
    Family
    Published 15/10/2024 17:58 · Modified 15/10/2024 17:58
  • QUIETEXIT uses
    Family The MITRE Corporation Confidence 100

    [QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:36 · Modified 27/03/2026 01:03
  • SpyPress.Roundish uses
    Family
    Published 18/03/2026 10:51 · Modified 18/03/2026 10:51
  • SpyPress.ZIMBRA uses
    Family
    Published 17/03/2026 15:40 · Modified 17/03/2026 15:40
  • Coinbase API
  • reGeorg
  • VineThorn
  • Shai-Hulud 2.0 uses
    Family
    Published 27/11/2025 03:00 · Modified 27/11/2025 03:00
  • TrojanSpy uses
    Family
    Published 25/03/2025 21:10 · Modified 25/03/2025 21:10
  • FASTCash uses
    Family
    Published 17/10/2024 09:57 · Modified 17/10/2024 09:57

Reports (6)

Vulnerabilities (CVE) (1)

CVE-2025-66376 KEV
7.2 High

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability in the Classic UI where attackers could abuse Cascading Style Sheets (CSS) …

Attack vector
NETWORK
Published
05/01/2026
Modified
19/03/2026
Received

Course Of Action (1)

  • User Training mitigates

Tool (1)

  • evilginx2 uses
    The MITRE Corporation Confidence 75

    [evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web …

    Published 30/01/2026 21:15 · Modified 04/05/2026 16:31

Campaign (2)

  • Leviathan Australian Intrusions uses
  • Operation Wocao uses