All Articles

Weekly CISO Podcast Pick - Authentication Proxy Attacks: Detection, Response and Hunting

Posted by Biswajit Banerjee on December 18, 2025 at 6:54pm in Blog

Member Contribution • Weekly CISO Podcast Pick

This Week’s Pick by David B. Cross (CISO, Atlassian)

Series curated by the CISO Platform community. Spotlighting practical listens for security leaders and their teams.

Why MFA no longer stops modern phishing

Most enterprises have deployed MFA. Attackers adapted. Authentication proxy attacks allow adversaries to let MFA succeed while stealing session tokens in real time. The user logs in successfully. The attacker logs in too.

Featured session — Chris Merkel (Senior Director, Cyber Defense)
Delivered at BSides • Focus on real-world MFA bypass, token theft and identity defense.
Session excerpt • Authentication Proxy Attacks
⏱ ~14 min read Focus: MFA bypass • token theft • detection • response • hunting

Why this matters to CISOs

  • MFA success does not mean safety. Attackers steal session tokens after MFA completes.
  • User awareness breaks down. Login pages are real, branding is real and sessions look normal.
  • Encrypted email is abused. Trusted secure-message systems are now delivery vehicles.
  • Soft resets fail. Password changes alone do not invalidate stolen tokens.
  • Identity is the new perimeter. Detection and response must shift accordingly.

Copy-paste takeaways for your team

  • MFA proxy attacks allow full user login while stealing session tokens.
  • Successful MFA can still represent account compromise.
  • Encrypted email platforms increase attacker credibility.
  • Token replay enables multi-day access without reauthentication.
  • Correlation beats single alerts for detection.

Standout ideas from the session

  • Phishing-resistant MFA matters. Not all MFA stops token theft.
  • Security awareness has limits. Expecting users to catch this is unrealistic.
  • Attackers use SaaS tooling. These are commoditized, not elite techniques.
  • Conditional Access is the new firewall. Powerful but easy to misconfigure.

Try these in the next 7 days

  1. Log review: Correlate MFA success with unusual access behavior.
  2. Session revocation drill: Validate you can fully invalidate tokens fast.
  3. Email review: Audit encrypted messaging configurations.
  4. CA policy check: Re-evaluate Conditional Access logic and inheritance.
  5. Attack simulation: Test MFA proxy attacks internally.
 

About David B. Cross

David B. Cross is Chief Information Security Officer at Atlassian. Before Atlassian he held senior security leadership roles at Microsoft, Google and Oracle and began his career in US Navy aviation and electronic warfare. His work focuses on building engineering centric security programs, scaling security operations and helping the next generation of practitioners build meaningful careers.

 

Want your pick featured next?

We are building a rotating slate of member recommendations from USA, Middle East and India. If you are a CISO or security leader, submit a link and 3 bullets on why it matters for other security teams.

Submit your recommendation (Members)

How we choose

  • Short, actionable outcomes for CISO teams
  • No product pitches
  • Useful beyond one region or vertical
  • Clear ideas that help security leaders explain risk, influence stakeholders and grow their teams

 

Share this with your team

 
Views: 30
Tags: weekly podcast, david cross, proxy attacks, detection, response, hunting
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by Biswajit Banerjee

Community Manager, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)