
How Are Attackers Bypassing MFA and What Can I Do?

Quick Answer

MFA raises the bar but doesn't stop determined attackers. They're using adversary-in-the-middle phishing, MFA fatigue attacks, session token theft, and SIM swapping. Stronger authentication methods, conditional access, and identity threat detection are the answer.

How MFA Is Being Bypassed

1. Adversary-in-the-Middle (AiTM) Phishing

How it works:

  • Attacker creates phishing site that proxies to real login page
  • User enters credentials AND MFA code
  • Attacker captures session token after authentication completes
  • Attacker uses token to access account—no MFA prompt for them

Why it works: The user authenticates fully. The attacker steals the authenticated session.

Scale: AiTM phishing kits are commodity tools. Thousands of these attacks happen daily.

2. MFA Fatigue (Prompt Bombing)

How it works:

  • Attacker has valid credentials (from breach, phishing, etc.)
  • Attacker repeatedly triggers MFA push notifications
  • User gets frustrated or confused
  • User eventually approves to make it stop

Why it works: Humans get tired. Push notifications don't say what's being approved.

Defence: Number matching (user must enter code shown on screen, not just approve).

3. Session Token Theft

How it works:

  • Malware on device steals session cookies
  • Attacker uses cookies to access authenticated sessions
  • No login needed—session is already authenticated

Why it works: Once authenticated, sessions rely on tokens. Steal the token, skip authentication.

4. SIM Swapping

How it works:

  • Attacker convinces mobile carrier to transfer victim's number
  • SMS verification codes go to attacker
  • Attacker can reset passwords and receive MFA codes

Why it works: SMS MFA relies on controlling a phone number, not proving identity.

Defence: Don't use SMS for MFA. Use authenticator apps or hardware keys.

5. Social Engineering

How it works:

  • Attacker calls helpdesk pretending to be user
  • Claims to be locked out, lost phone, etc.
  • Helpdesk resets MFA or provides bypass

Why it works: Helpdesks are trained to help. Attackers exploit that.

Defence: Strong identity verification for sensitive account changes.

Stronger Authentication

Phishing-resistant MFA

FIDO2/WebAuthn (hardware keys, passkeys):

  • Cryptographically bound to legitimate site
  • Can't be phished—won't work on fake sites
  • Best protection against AiTM attacks

Windows Hello for Business:

  • Certificate-based, device-bound
  • Phishing-resistant for Windows environments
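To show why the origin binding above defeats an AiTM proxy, here is an added Python model of the WebAuthn assertion flow; it is not code from this page, from the FIDO Alliance or from Microsoft. It assumes a hypothetical relying party login.example.com and, to stay standard-library only, stands in an HMAC for the authenticator's asymmetric signature; the origin, rpIdHash and challenge checks are the ones the specification requires.

```python
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"          # hypothetical relying party (assumption)
RP_ORIGIN = "https://" + RP_ID
# Constructed stand-in for the authenticator's private key: real authenticators sign with an
# asymmetric key (e.g. ECDSA P-256); HMAC keeps this stdlib-only, so the RP holds the same secret.
AUTH_KEY = os.urandom(32)

def authenticator_sign(client_data, rp_id):
    """Authenticator: signs rpIdHash || flags || sha256(clientDataJSON), locking in the origin."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"          # rpIdHash || UP flag
    sig = hmac.new(AUTH_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def browser_get_assertion(page_origin, challenge):
    """Browser: writes the page's real origin into clientDataJSON (the page cannot choose it)
    and refuses unless RP_ID equals or is a registrable suffix of the page's host."""
    host = page_origin.removeprefix("https://")
    if host != RP_ID and not host.endswith("." + RP_ID):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    return authenticator_sign(client_data, RP_ID)

def rp_verify(assertion, expected_challenge):
    """Relying party: WebAuthn checks on type, challenge, origin, rpIdHash and signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:    # the check an AiTM proxy page can never pass
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(AUTH_KEY, signed, "sha256").digest(), assertion["signature"])

def login_from(page_origin, challenge="constructed-challenge-1"):
    """Round trip from a page at page_origin: True only for the genuine site."""
    return rp_verify(browser_get_assertion(page_origin, challenge), challenge)

def rewritten_origin_login(challenge="constructed-challenge-2"):
    """Defence in depth: even if a proxy page obtained an assertion (browser check skipped),
    rewriting its origin field to the real site breaks the signature."""
    phish = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": "https://login-example.evil.test"}).encode()
    a = authenticator_sign(phish, RP_ID)            # constructed phishing domain above
    a["clientDataJSON"] = phish.replace(b"login-example.evil.test", b"login.example.com")
    return rp_verify(a, challenge)
```

Contrast this with a TOTP or push code, which carries no origin at all and so works wherever the proxy forwards it.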

Number matching

Requires user to enter code from login screen into authenticator app. Prevents blind approval of push notifications.

Now default in Microsoft Authenticator. If you haven't enabled it, do so immediately.

Conditional Access

Risk-based authentication:

  • Detect anomalous sign-in patterns
  • Require step-up authentication for risky logins
  • Block impossible travel scenarios
  • Require compliant device for sensitive access

Location and device policies:

  • Restrict access to managed devices
  • Block high-risk locations
  • Require specific authentication strength by resource

Identity threat detection

Monitor for compromise indicators:

  • Anomalous sign-in patterns
  • Token replay attempts
  • Suspicious MFA activity
  • Compromised credential detection

Microsoft Entra ID Protection provides this for M365 environments.
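As an added example, not code from this page or from Microsoft Entra ID Protection, the following Python runs two of the indicators named above, impossible travel (Conditional Access list) and token replay (identity threat detection list), over constructed sign-in events. The users, IPs, coordinates and the 900 km/h threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (hypothetical users, documentation-range IPs, rough coordinates).
# Each record is one authenticated request carrying the session token it was made with.
EVENTS = [
    {"user": "alice", "time": "2025-03-01T09:00:00", "ip": "203.0.113.10", "lat": 51.5, "lon": -0.12, "session": "tok-A1"},
    {"user": "alice", "time": "2025-03-01T09:40:00", "ip": "198.51.100.7", "lat": 40.7, "lon": -74.0, "session": "tok-A1"},
    {"user": "bob",   "time": "2025-03-01T10:00:00", "ip": "203.0.113.20", "lat": 53.5, "lon": -2.2,  "session": "tok-B1"},
    {"user": "bob",   "time": "2025-03-01T13:00:00", "ip": "203.0.113.20", "lat": 53.5, "lon": -2.2,  "session": "tok-B1"},
]

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events, max_kmh=900.0):
    """Return (user, indicator, detail) tuples for two indicators: impossible travel between
    a user's consecutive events, and a session token reused from an IP other than the one
    it was first seen on (a simple token-replay heuristic)."""
    alerts, last_seen, token_ip = [], {}, {}
    for e in sorted(events, key=lambda x: x["time"]):
        t = datetime.fromisoformat(e["time"])
        prev = last_seen.get(e["user"])
        if prev is not None:
            hours = (t - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = distance_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e["user"], "impossible_travel", round(km / hours)))
            elif hours == 0 and km > 0:            # same timestamp, different place
                alerts.append((e["user"], "impossible_travel", float("inf")))
        first_ip = token_ip.setdefault(e["session"], e["ip"])
        if first_ip != e["ip"]:                     # token issued to one IP, now used from another
            alerts.append((e["user"], "token_reuse_from_new_ip", f"{first_ip} -> {e['ip']}"))
        last_seen[e["user"]] = e
    return alerts
```

In production the same logic would run over Entra sign-in logs with geolocation from the IP rather than embedded coordinates, and a token-reuse hit should trigger session revocation, not just an alert.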

Action Plan

Immediate

  • Enable number matching for MFA push
  • Block legacy authentication (protocols that bypass MFA)
  • Review admin account MFA methods

Short-term

  • Implement Conditional Access policies
  • Enable identity protection alerts
  • Require managed devices for sensitive access

Medium-term

  • Deploy phishing-resistant MFA (FIDO2 keys for admins, passkeys for users)
  • Implement continuous access evaluation
  • Deploy identity threat detection

What We Implement

For managed clients:

  • Conditional Access configured for real protection, not just compliance
  • Number matching enabled by default
  • Identity Protection alerts monitored and actioned
  • Phishing-resistant MFA for privileged accounts
  • Legacy auth blocked

MFA is essential but not sufficient. Modern identity protection requires layered defences.