
How Attackers Bypass Multi-Factor Authentication (MFA)
Introduction
Multi-Factor Authentication (MFA) has become an essential defense layer in today's cybersecurity landscape, significantly reducing the risks associated with compromised credentials. Research shows that MFA can block up to 99.9% of automated attacks and over 66% of targeted attacks. Yet, as organizations increasingly adopt MFA solutions, sophisticated threat actors continue to develop and refine techniques to circumvent these protections.
This article examines the technical mechanisms used by advanced threat actors to bypass MFA systems and provides actionable strategies to strengthen your authentication security posture. Understanding these bypass techniques is crucial for security professionals designing robust defense strategies for their organizations.
Common MFA Bypass Techniques
1. Social Engineering and MFA Fatigue Attacks
MFA fatigue attacks (also known as "prompt bombing") leverage human psychology and user frustration. Attackers repeatedly trigger authentication requests to the legitimate user's device, hoping they'll eventually approve one to stop the barrage of notifications.
Technically, the attacker first needs the victim's valid password, typically obtained through credential stuffing or brute-force attacks, and then uses automated scripts to replay it against the authentication APIs of platforms like Microsoft 365, Okta, and Duo, generating a push notification on every attempt. Specialized automation tools such as Evilginx2 can be configured to repeatedly trigger MFA prompts, creating a persistent stream of authentication requests that wears down user resistance.
The September 2022 Uber breach demonstrates this technique's effectiveness. Attackers bombarded an Uber contractor with numerous MFA push notifications until the user approved one, granting access to internal systems that led to a company-wide compromise.
2. Adversary-in-the-Middle (AiTM) Phishing Attacks
Unlike traditional phishing that simply captures credentials, AiTM attacks use proxy tools to intercept and relay both the authentication process and the MFA verification in real time.
In a typical implementation, attackers deploy reverse proxy tools like Evilginx2, Modlishka, or Muraena on domains they control, complete with valid TLS certificates that make the lookalike site appear legitimate. When users interact with the proxy, it forwards their requests to the actual service and relays the responses back, creating a seamless experience that is difficult to detect. These tools capture not just credentials but also session cookies and authentication tokens. What makes these attacks particularly dangerous is that the proxy can relay even hardware token responses, though it cannot bypass FIDO2/WebAuthn implementations, because those verify the origin the user actually visited.
Microsoft recently reported that over 10,000 organizations have been targeted by AiTM phishing campaigns since September 2021, demonstrating the widespread use of this technique.
3. SIM Swapping Attacks
SIM swapping targets SMS-based MFA by transferring a victim's phone number to an attacker-controlled SIM card, allowing interception of authentication messages.
The technical execution involves several steps. First, attackers gather personal information through open-source intelligence (OSINT), data breaches, or social engineering. Armed with this information, they contact mobile carriers, impersonating the victim and exploiting weak verification procedures that often rely on easily obtainable personal details. After successful SIM activation, attackers receive all calls and SMS messages sent to the victim's number, including MFA codes. More sophisticated actors may also exploit vulnerabilities in the SS7 network protocol to intercept SMS messages without requiring a physical SIM swap, making detection even more difficult.
High-profile victims have included Twitter CEO Jack Dorsey, cryptocurrency investors, and numerous public figures, with losses often in the millions for cryptocurrency heists.
4. OAuth Token Manipulation
OAuth attacks exploit the trust relationship between services, bypassing MFA entirely by obtaining authentication tokens through deceptive application consent requests.
The technical approach involves creating malicious third-party applications with names and logos closely resembling legitimate services. These applications request extensive permissions through OAuth consent screens, which may appear legitimate to unsuspecting users. Once consent is granted, the attacker obtains OAuth tokens that often don't require additional MFA verification for future access. These access tokens can then be used for lateral movement within systems, data exfiltration, or establishing persistent access that survives password changes and other security measures.
In 2023, Microsoft reported the "Storm-0558" threat actor exploiting OAuth tokens to access email accounts of government agencies without needing to complete MFA challenges, highlighting the real-world effectiveness of this technique.
5. Session Cookie Theft
After a user completes legitimate authentication (including MFA), their session is maintained via browser cookies or tokens. Attackers target these session artifacts rather than the authentication process itself.
Technically, attackers employ several methods to steal session data. These include information-stealing malware such as RedLine or Raccoon Stealer that specifically targets browser data stores; Man-in-the-Browser (MitB) attacks using malicious browser extensions or injected JavaScript; Cross-Site Scripting (XSS) exploits to steal cookies from vulnerable web applications; and exploitation of unpatched endpoint vulnerabilities to gain access to stored browser data. Once obtained, stolen session data can be used with specialized tools like Cookie Monster or Browser-in-the-Browser attacks to impersonate the authenticated user without completing the MFA process again.
In 2022, the Lapsus$ group used cookie theft as part of their campaign against multiple technology companies, demonstrating how valuable authenticated sessions are to attackers seeking to bypass security controls.
6. MFA Implementation Vulnerabilities
Beyond bypassing MFA, attackers also target flaws in MFA implementations themselves.
The technical vulnerabilities exploited include race conditions in authentication workflows that allow for timing attacks; improper session handling where MFA can be bypassed by manipulating session parameters; default settings or bypass mechanisms intended for recovery that can be abused; API vulnerabilities in identity providers that allow manipulation of the authentication workflow; and insecure SAML implementations susceptible to XML signature attacks that can grant unauthorized access.
In 2020, researchers discovered a vulnerability in Microsoft's MFA implementation that allowed attackers to bypass authentication by manipulating the server-client communication during the verification process. This particular vulnerability demonstrated how even major vendors can introduce implementation flaws that undermine the security of MFA systems.
7. Social Engineering for MFA Recovery Paths
Organizations typically implement account recovery procedures that can become vectors for bypassing MFA.
The technical approach involves researching recovery procedures for specific services, understanding their verification requirements, and preparing to exploit weaknesses in these processes. Attackers directly target help desk or IT support staff, exploiting human empathy and creating pressure situations that may lead staff to bypass normal security procedures. In other cases, attackers focus on self-service recovery options where verification methods may be weaker than the primary MFA mechanism, providing an easier path to account compromise.
The 2020 Twitter compromise illustrated this technique's effectiveness when attackers successfully social engineered Twitter employees to access internal administrative tools that could reset accounts and bypass MFA protections, leading to the compromise of high-profile accounts.
Strengthening Your MFA Implementation
To protect against these sophisticated bypass techniques, organizations should implement a defense-in-depth approach that addresses multiple layers of security:
1. Implement Phishing-Resistant MFA
Organizations should prioritize deployment of FIDO2/WebAuthn-compliant solutions wherever possible, as these authentication standards were specifically designed to resist phishing attacks through cryptographic binding to specific origins. For high-privilege accounts with access to sensitive systems or data, hardware security keys provide the strongest protection against MFA bypass attempts. Generally, security teams should prioritize possession-based factors (something you have) over knowledge-based factors (something you know), as the former are significantly more resistant to common attack techniques.
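The origin binding described here and in the AiTM section is enforced on the server side of a WebAuthn login. The following is an added example (not code from the original article or from any vendor) showing the relying-party checks that make a proxied lookalike domain fail: the browser, not the page, writes the origin into clientDataJSON, and the authenticator signs over a hash of it. The RP_ID, allowed origin, lookalike domain and challenge value are all constructed assumptions.

```python
import base64
import hashlib
import json

# Assumed relying-party settings (constructed for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_client_data(client_data_b64url: str, expected_challenge: str) -> tuple:
    """Relying-party checks on clientDataJSON. The browser fills in the origin the user
    actually visited and the authenticator signs over a hash of this JSON, so a proxy on a
    lookalike domain cannot rewrite it; the origin check is what defeats AiTM phishing."""
    try:
        cd = json.loads(b64url_decode(client_data_b64url))
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not an allowed origin" % cd.get("origin")
    return True, "ok"

def verify_rp_id_hash(authenticator_data: bytes, rp_id: str = RP_ID) -> bool:
    """The first 32 bytes of authenticatorData must equal SHA-256(rpId); an authenticator
    only produces this for the rpId the browser derived from the genuine origin."""
    return len(authenticator_data) >= 37 and authenticator_data[:32] == hashlib.sha256(rp_id.encode()).digest()

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed helper: the clientDataJSON a browser would build for a given origin."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(cd).encode())

def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed helper: rpIdHash || flags (UP|UV) || 4-byte signature counter, no extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

CHALLENGE = b64url_encode(b"\x01" * 32)  # constructed; a real server issues fresh random bytes
GENUINE = make_client_data("https://login.example.com", CHALLENGE)
PROXIED = make_client_data("https://login.example-com.net", CHALLENGE)  # lookalike proxy origin
```

A full verifier also checks the assertion signature over authenticatorData || SHA-256(clientDataJSON) with the registered public key; the two checks shown are the ones that specifically defeat a relaying proxy.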
2. Enhance MFA Configuration and Policies
Modern MFA solutions should be configured to enforce number matching for push notifications rather than simple "Approve/Deny" options, requiring users to enter a number displayed on the login screen into their authenticator app. Organizations should implement conditional access policies that evaluate device health, location data, and risk signals before granting access. For sensitive operations, even within an authenticated session, requiring re-authentication adds an important layer of protection. Security teams should also eliminate or strictly limit exceptions to MFA policies and disable legacy authentication protocols that cannot support modern MFA.
3. Deploy Advanced Detection Capabilities
Organizations need robust monitoring systems that implement behavioral analytics to detect unusual authentication patterns that may indicate bypass attempts. These systems should monitor for impossible travel scenarios (such as logins from geographically distant locations in short timeframes), authentication from new devices, or access attempts at unusual times. Security operations teams should create alerts for suspicious patterns such as high volumes of failed MFA attempts or multiple successful logins from different locations, which often indicate active attack attempts.
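Two of the patterns named above, a burst of rejected push prompts ending in an approval (the MFA fatigue signature from technique 1) and impossible travel between successful sign-ins, are straightforward to express as detection rules. The following is an added example, not code from the original article, run over a constructed sign-in log whose line format, users, IPs and coordinates are all assumptions; real identity-provider logs carry the same fields under their own schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: time, user, source IP, push result, latitude, longitude.
# The line format is this example's own, not any identity provider's log schema.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice 203.0.113.7 push_denied 51.51 -0.13
2024-05-01T02:10:31Z alice 203.0.113.7 push_timeout 51.51 -0.13
2024-05-01T02:11:02Z alice 203.0.113.7 push_denied 51.51 -0.13
2024-05-01T02:12:15Z alice 203.0.113.7 push_approved 51.51 -0.13
2024-05-01T09:00:00Z bob 198.51.100.4 push_approved 40.71 -74.01
2024-05-01T09:45:00Z bob 192.0.2.9 push_approved 35.68 139.69
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, ip, result, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "ip": ip, "result": result, "lat": float(lat), "lon": float(lon)})
    return sorted(events, key=lambda e: e["ts"])
def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag an approval preceded by >= threshold denied or timed-out pushes within `window`:
    the signature of prompt bombing that finally wears the user down."""
    by_user, alerts = defaultdict(list), []
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            prior = sum(p["result"] != "push_approved" and e["ts"] - p["ts"] <= window for p in evs[:i])
            if e["result"] == "push_approved" and prior >= threshold:
                alerts.append((user, e["ts"], prior))
    return alerts
def km(lat1, lon1, lat2, lon2):  # great-circle (haversine) distance in kilometres
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))
def detect_impossible_travel(events, max_kmh=1000):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds max_kmh."""
    last, alerts = {}, []
    for e in (x for x in events if x["result"] == "push_approved"):
        p = last.get(e["user"])
        if p:
            hours = (e["ts"] - p["ts"]).total_seconds() / 3600
            dist = km(p["lat"], p["lon"], e["lat"], e["lon"])
            if hours > 0 and dist / hours > max_kmh:
                alerts.append((e["user"], p["ip"], e["ip"], round(dist)))
        last[e["user"]] = e
    return alerts
```

On the sample, alice trips the fatigue rule (three rejected pushes in two minutes, then an approval) and bob trips impossible travel (New York to Tokyo coordinates 45 minutes apart); tune `threshold`, `window` and `max_kmh` to the organization's own baseline before alerting on them.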
4. Mitigate Session-Based Attacks
To reduce the risk of session hijacking, organizations should implement shorter session timeouts for sensitive applications, balancing security with usability concerns. Web applications should be configured to use secure cookie flags, including Secure (ensuring cookies are only sent over HTTPS), HttpOnly (preventing JavaScript access to cookies), and SameSite (limiting cross-site request forgery attacks). For users with access to highly sensitive information, browser isolation technologies can provide additional protection by separating browsing activity from the endpoint device.
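The cookie flags listed above are easy to audit directly from a server's Set-Cookie headers. The following is an added example (not code from the original article) that reports which protections a session cookie lacks, and emits a hardened header with the recommended flags and a short lifetime; the cookie names, values and the two sample headers are constructed. It also checks for the __Host- prefix, which goes beyond the three flags the section lists.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers as a server might emit them once MFA has completed.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=900"

def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and list the missing protections for each cookie in it."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure: cookie can be sent over plain HTTP")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by injected JavaScript (XSS, MitB)")
        if (morsel["samesite"] or "").lower() not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: sent on cross-site requests")
        if not morsel["max-age"] and not morsel["expires"]:
            issues.append("no Max-Age/Expires: lifetime left to the browser session")
        if not name.startswith("__Host-"):
            issues.append("no __Host- prefix: can be shadowed from a sibling subdomain")
        findings[name] = issues
    return findings

def build_session_cookie(name: str, value: str, max_age_seconds: int = 900) -> str:
    """Emit a Set-Cookie header with the flags the section recommends and a short lifetime."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"          # __Host- cookies must be scoped to / with no Domain attribute
    morsel["secure"] = True       # HTTPS only
    morsel["httponly"] = True     # not exposed to document.cookie
    morsel["samesite"] = "Lax"    # not sent on cross-site POSTs
    morsel["max-age"] = max_age_seconds
    return morsel.OutputString()
```

Short cookie lifetimes limit how long a stolen cookie stays useful, but they do not revoke it; server-side session invalidation on logout, password change, or risk signals is still required.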
5. Secure Recovery Paths
Organizations must focus on securing account recovery procedures by training support staff to recognize social engineering techniques and resist manipulation attempts. Implementing strict verification procedures for account recovery that require multiple forms of identity verification can significantly reduce the risk of unauthorized access. For privileged accounts, requiring multiple approvers for MFA resets creates a separation of duties that makes social engineering attacks much more difficult to execute successfully.
6. User Education and Awareness
Effective security requires knowledgeable users who understand the threats they face. Organizations should train users to recognize MFA fatigue attacks and establish clear procedures for reporting suspicious authentication requests. When users suspect their accounts may be compromised, they need clear procedures for reporting these concerns and getting assistance. Regular testing through simulated phishing campaigns that include MFA bypass scenarios helps reinforce training and identify areas where additional education may be needed.
Conclusion
While MFA significantly improves security posture, no single technology is immune to all attacks. As this analysis demonstrates, determined adversaries continue to develop sophisticated techniques to bypass even the strongest authentication controls.
Organizations must stay informed about emerging bypass techniques and implement a layered defense strategy that combines technical controls, policy enforcement, detection capabilities, and user education. By understanding how attackers target MFA systems, security leaders can make informed decisions about which technologies to deploy and how to configure them for maximum effectiveness.
The most resilient authentication systems combine phishing-resistant MFA technologies with strong security policies, regular assessment, continuous monitoring, and an educated user base prepared to recognize and report suspicious authentication activities.