Cyberattack via supplier: How hackers bypass MFA and steal access

How does a supply chain attack via email work?

The attack starts with an external party: it could be your accounting consultant, marketing agency or another supplier who has access to documents or other communication you share with them.

Once the supplier's account is compromised, it is used to share files via SharePoint, OneDrive, Dropbox or a similar service. What makes this approach so effective is that the sharing notifications are genuine and come from a legitimate, known sender. The document is usually given a plausible name such as "Updated contract" or "Project plan". The link, however, leads to an attacker-controlled page that imitates the real login. The employee is asked to log in to view the file and, in doing so, hands over a working session even with MFA activated.

"When criminals combine automation with modern AI tools, they can carry out attacks that previously would have required many hours of manual work. Now they analyse email history, understand relationships and generate credible files and filenames in seconds. With these tools, they attack everything and everyone, all the time," says Gaute Meland, Senior IT Operations Consultant, Nordlo Bergen.

Why MFA isn't always enough

When the user logs in to view the file, the critical moment occurs. The page the employee sees is a proxy: the password and the MFA approval are forwarded to the genuine service in real time, and the attacker copies the session cookie the service issues in return. For the employee, the login looks completely normal, even with two-factor authentication enabled. The attacker now holds a valid session and has the same access as the user. Only phishing-resistant methods, such as FIDO2 security keys and passkeys, are bound to the origin of the genuine site and cannot be relayed in this way.
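To make the critical moment concrete, here is a small Python simulation of the flow described above. It is an added example, not code from the article or from Nordlo. A toy identity provider accepts a password plus a TOTP code and issues a session cookie; a proxy standing in for the attacker's look-alike login page relays both and keeps the cookie. A second function shows why an origin-bound credential of the FIDO2/WebAuthn kind cannot be relayed the same way. All hostnames, users, secrets and the HMAC that stands in for the authenticator's signature are constructed for the example.

```python
"""Toy model of the AiTM session theft described above (added example, not
Nordlo's code). Everything here is constructed: origins, user, password, TOTP
secret, and an HMAC that stands in for a FIDO2 authenticator's signature."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example-tenant.test"          # constructed
PHISH_ORIGIN = "https://login.example-tenant-files.test"   # constructed lookalike


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP (SHA-1, 6 digits) so the relay is exercised against a real code."""
    counter = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class IdentityProvider:
    """The genuine login service: password + TOTP in, session cookie out."""

    def __init__(self):
        self.users = {"anna": {"password": "correct horse", "totp_secret": b"12345678901234567890"}}
        self.sessions = {}

    def login(self, user, password, code, now=None):
        rec = self.users.get(user)
        now = time.time() if now is None else now
        if not rec or password != rec["password"] or code != totp(rec["totp_secret"], now):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user        # from here on the cookie alone proves "MFA done"
        return cookie

    def mailbox(self, cookie):
        user = self.sessions.get(cookie)
        return f"{user}'s mailbox" if user else None


class AiTMProxy:
    """The attacker's look-alike login page: forwards every field, keeps the cookie."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []

    def login(self, user, password, code, now=None):
        cookie = self.idp.login(user, password, code, now)
        if cookie:
            self.captured.append((user, cookie))
        return cookie                        # the victim is logged in and notices nothing


def run_totp_relay():
    """Victim logs in through the proxy; the attacker reuses the stolen cookie."""
    idp = IdentityProvider()
    proxy = AiTMProxy(idp)
    now = time.time()
    victim_code = totp(idp.users["anna"]["totp_secret"], now)   # from the victim's authenticator app
    victim_cookie = proxy.login("anna", "correct horse", victim_code, now)
    _, stolen = proxy.captured[0]
    return stolen == victim_cookie and idp.mailbox(stolen) == "anna's mailbox"


def sign_assertion(key, challenge, origin):
    """Origin-bound authenticator: signs the challenge together with the origin the
    browser reports, as WebAuthn clientData does. HMAC stands in for the signature."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


def verify_assertion(key, challenge, signature):
    """The genuine service only accepts assertions made over its own origin."""
    return hmac.compare_digest(signature, sign_assertion(key, challenge, REAL_ORIGIN))


def run_origin_bound_relay():
    """Same proxy, but the browser on the phishing page reports PHISH_ORIGIN,
    so the relayed assertion is rejected and no session is ever issued."""
    key = b"device-bound-key"              # constructed stand-in for the FIDO2 private key
    challenge = secrets.token_hex(8)       # relayed unchanged by the proxy
    relayed = sign_assertion(key, challenge, PHISH_ORIGIN)
    return verify_assertion(key, challenge, relayed)


if __name__ == "__main__":
    print("TOTP relay steals a working session:", run_totp_relay())          # True
    print("Origin-bound assertion survives relay:", run_origin_bound_relay())  # False
```

The first run returns True: the password and one-time code were correct, the real service issued a cookie, and the proxy kept a copy that works just as well as the victim's. The second returns False because the challenge was signed over the phishing origin, which the genuine service never accepts; that origin binding, not the number of factors, is what makes a method phishing-resistant.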

"AiTM does not undermine MFA itself; it exploits the fact that the user trusts a login window that looks completely genuine. As long as we have to be able to log in somewhere, there will always be a way in for attackers. Therefore, technical measures must be combined with training," continues Gaute Meland.


Consequences of a Successful Supply Chain Attack

When attackers have a valid session, they can read and send emails in the user's name, set up hidden forwarding rules, change payment information in ongoing transactions, and use the account to spread the attack further, both internally and to your customers and partners.

The activity often resembles legitimate use, which also means it can take weeks before someone discovers the intrusion. The longer the attacker has access, the greater the damage.

How to Protect Your Company Against Supply Chain Attacks

The defence must be twofold, both human and technical.

Training and Awareness:

On the human side, it's about creating a culture where employees dare to question what they see on the screen. This requires training and an open environment. Show concrete examples of what these attacks look like, and make clear how to verify an unexpected share through a separate channel, for example by phoning the supplier, before logging in anywhere.

Technical Measures:

On the technical side, there are several layers that together create stronger protection.

  1. Risk-based account protection. Automatically reacts to unusual logins from unexpected locations, unknown devices or at unusual times.
  2. Disable legacy authentication. Old login methods often lack support for MFA and are a common way in for attackers.
  3. Restrict external sharing. Require extra approval for sensitive files and ensure employees only have access to what they need.
  4. Ongoing monitoring. Monitor email rules, account behaviour and login activity, and have effective incident management in place.
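As a worked example of measures 1, 2 and 4 together, the Python below runs three checks over constructed records. It is an added example, not code from the article or from Nordlo, and the records are only roughly shaped like Microsoft Entra sign-in events and Exchange Online inbox rules; the field names are simplified approximations, not the exact schema, and the tenant, users, addresses and IPs are all constructed.

```python
"""Detection checks for measures 1, 2 and 4 above (added example, not Nordlo's
code). The records are constructed and only roughly shaped like Microsoft Entra
sign-in events and Exchange Online inbox rules; field names are simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example-tenant.test"}          # constructed tenant
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

SIGNINS = [  # constructed sign-in events
    {"user": "anna@example-tenant.test", "time": "2024-05-06T08:02:10", "ip": "192.0.2.10",
     "country": "NO", "session": "s-1", "client": "Browser", "mfa": True},
    # same session cookie, 3 minutes later, from another country, no new MFA prompt
    {"user": "anna@example-tenant.test", "time": "2024-05-06T08:05:42", "ip": "198.51.100.7",
     "country": "NG", "session": "s-1", "client": "Browser", "mfa": False},
    {"user": "bob@example-tenant.test", "time": "2024-05-06T09:00:00", "ip": "203.0.113.5",
     "country": "SE", "session": "s-2", "client": "IMAP4", "mfa": False},
]

INBOX_RULES = [  # constructed inbox rules
    {"user": "anna@example-tenant.test", "name": ".", "forward_to": ["finance@example-attacker.test"],
     "delete": True, "keywords": ["invoice", "payment"]},
    {"user": "bob@example-tenant.test", "name": "Newsletters", "forward_to": [],
     "delete": False, "keywords": ["newsletter"]},
]


def find_session_reuse(signins, window=timedelta(days=1)):
    """Measure 1: a session established with MFA that is later used from a different
    IP or country without a new MFA prompt is how a replayed AiTM cookie shows up."""
    by_session = defaultdict(list)
    for ev in sorted(signins, key=lambda r: r["time"]):   # ISO timestamps sort as text
        by_session[ev["session"]].append(ev)
    hits = []
    for sid, events in by_session.items():
        first = events[0]
        if not first["mfa"]:
            continue
        for later in events[1:]:
            moved = later["ip"] != first["ip"] or later["country"] != first["country"]
            elapsed = datetime.fromisoformat(later["time"]) - datetime.fromisoformat(first["time"])
            if moved and not later["mfa"] and elapsed <= window:
                hits.append((later["user"], sid, first["country"], later["country"]))
    return hits


def find_legacy_auth(signins):
    """Measure 2: any sign-in over a protocol that cannot carry MFA."""
    return [(ev["user"], ev["client"]) for ev in signins if ev["client"] in LEGACY_CLIENTS]


def find_suspicious_rules(rules):
    """Measure 4: rules that forward outside the tenant, silently delete
    payment-related mail, or carry the throwaway names attackers tend to use."""
    hits = []
    for rule in rules:
        external = [a for a in rule["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        throwaway_name = rule["name"].strip(" .,-_") == ""
        hides_mail = rule["delete"] and bool(rule["keywords"])
        if external or hides_mail or throwaway_name:
            hits.append((rule["user"], rule["name"], external, hides_mail))
    return hits


def run_all(signins=SIGNINS, rules=INBOX_RULES):
    return {
        "session_reuse": find_session_reuse(signins),
        "legacy_auth": find_legacy_auth(signins),
        "rules": find_suspicious_rules(rules),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check, findings)
```

On the constructed data this flags anna's session being reused from a second country minutes after an MFA login, bob's IMAP4 sign-in, and anna's nameless rule that forwards invoice mail to an external address and deletes the original. In a real tenant the same three checks would read from the sign-in log export and from the output of Get-InboxRule, and the session-reuse hit is the one to act on first: revoking that user's sessions ends the attacker's access, whereas a password reset alone does not.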

"Many organisations already have security functionalities they do not fully utilise. When good technical measures are combined with employees who know what to look for, you are much stronger against this kind of attack," concludes Gaute Meland.

We Help You Secure the Supply Chain

Nordlo can map your vulnerabilities and deliver a prioritised action plan, from technical setup to ongoing monitoring and training of employees.

5 common questions and answers about cyberattacks via suppliers

  • What is a supply chain attack?
    A supply chain attack involves attackers entering your organisation by first compromising one of your suppliers, partners, or other trusted external party.
  • What does AiTM (Adversary-in-the-Middle) mean?
    AiTM is an attack technique where the attacker positions themselves between the user and the service to capture login credentials and session information in real-time, even when MFA is enabled.
  • Why does MFA not protect against AiTM attacks?
    MFA protects against a stolen password, but in an AiTM attack the password and the one-time code are relayed to the real service while the user logs in, and the attacker captures the session cookie the service issues afterwards. That cookie is reused without any further login, so the password and code are never needed again.
  • How do I know if our company has been affected?
    Common signs are unexpected forwards in the mailbox, logins from unusual locations, or contacts reporting strange emails from you. Ongoing monitoring is crucial for early detection.
  • What is the most important thing we can do to protect ourselves?
    Combine technical measures, such as risk-based account protection, restricted external sharing, and monitoring, with regular training that shows concrete examples of what the attacks look like.
