PRACTITIONER GUIDE | IDENTITY SECURITY

MFA Bypass Attacks: How They Work and How to Defend Against Them

Sources: Microsoft Digital Defense Report 2025 | Okta Businesses at Work 2025 | CISA Phishing-Resistant MFA Fact Sheet | Mandiant M-Trends 2025 | FBI IC3 Internet Crime Report 2025

10,000+: phishing kits with built-in AiTM capability available on cybercriminal markets in 2025
147%: increase in MFA fatigue attacks observed between 2023 and 2025
99.9%: of account compromise attacks blocked by any form of MFA, a figure that AiTM phishing sidesteps

Multi-factor authentication stops the vast majority of credential-stuffing and password-spray attacks. But sophisticated attackers have moved past that layer. Adversary-in-the-middle phishing proxies, MFA fatigue campaigns, SIM swapping, and session cookie theft all bypass MFA without ever needing the user's password or one-time code. Understanding how each technique works is the prerequisite to choosing defenses that actually close the gap.

Adversary-in-the-Middle (AiTM) Phishing

AiTM phishing is the dominant MFA bypass technique used in large-scale campaigns. The attacker deploys a reverse proxy (Evilginx2, Modlishka, Muraena) between the victim and the legitimate authentication service. The victim navigates to a convincing phishing page, enters credentials, and completes MFA. The proxy relays everything to the real service in real time, capturing both the credentials and the authenticated session cookie. The attacker then uses the session cookie to access the account without needing credentials or MFA codes again. Microsoft 365 and Google Workspace are the primary targets. The Scattered Spider group used AiTM extensively in their 2023-2024 campaigns against MGM, Caesars, and multiple technology companies. Defenders detect AiTM attacks by monitoring for impossible travel (session authenticated from one geography, then immediately used from another), new device fingerprints appearing on authenticated sessions, and anomalous token refresh patterns.

MFA Fatigue (Push Bombing)

MFA fatigue exploits push notification MFA. The attacker obtains valid credentials (through phishing or credential databases) and repeatedly sends MFA push notifications to the victim's device, often at 2 AM or during busy work periods. The victim, confused or annoyed, eventually approves the request. Uber's 2022 breach began this way: an attacker sent repeated Duo push notifications and then contacted the victim on WhatsApp claiming to be from IT, convincing them to approve the push. Mitigations: switch from push approval to number matching (the user must enter the number displayed in the app) or FIDO2. Number matching alone eliminates most MFA fatigue attacks because the victim cannot approve without the number shown in the legitimate login flow.
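The two controls this section describes, throttling repeated push prompts and number matching, as an added example that is not from the article or from any MFA vendor. It is a toy push-MFA service: the prompt limit, the ten-minute window, the two-digit number and the constructed 02:00 bombing scenario are all assumptions, and the point is that a burst of prompts raises an alert before the victim gives in, and that a blind tap without the number shown in the legitimate login flow is rejected.

```python
"""Added example (not from the article or any vendor): a toy push-MFA service
with the two controls that blunt push bombing, throttling of repeated prompts
and number matching on approval."""
from collections import deque
from datetime import datetime, timedelta
import secrets

PROMPT_LIMIT = 3                       # assumption: prompts allowed per user per window
PROMPT_WINDOW = timedelta(minutes=10)


class PushMfaService:
    def __init__(self):
        self.prompt_times = {}   # user -> deque of recent prompt timestamps
        self.pending = {}        # prompt_id -> (user, number the user must enter)
        self.suppressed = set()  # users whose pushes are paused pending review
        self.alerts = []

    def request_push(self, user, now):
        """Called after a correct password. Returns (prompt_id, number), or None
        when the user is being bombed and the prompt is withheld."""
        recent = self.prompt_times.setdefault(user, deque())
        while recent and now - recent[0] > PROMPT_WINDOW:
            recent.popleft()
        if user in self.suppressed:
            return None
        if len(recent) >= PROMPT_LIMIT:
            self.suppressed.add(user)
            self.alerts.append(f"push burst for {user}: {len(recent) + 1} prompts within {PROMPT_WINDOW}")
            return None
        recent.append(now)
        number = secrets.randbelow(100)      # shown only in the legitimate login flow
        prompt_id = secrets.token_hex(4)
        self.pending[prompt_id] = (user, number)
        return prompt_id, number

    def approve(self, prompt_id, entered_number):
        """Approval from the authenticator app. A tap without the matching number
        (what a bombed victim would do) is rejected, and each prompt is single-use."""
        user, expected = self.pending.pop(prompt_id, (None, None))
        return user is not None and entered_number == expected


def simulate_push_bombing():
    """Constructed scenario: five prompts for one user within two minutes at 02:00."""
    svc = PushMfaService()
    t0 = datetime(2025, 3, 1, 2, 0, 0)
    results = [svc.request_push("victim", t0 + timedelta(seconds=30 * i)) for i in range(5)]
    first_id, _ = results[0]
    blind_tap = svc.approve(first_id, None)           # victim taps approve without a number
    second_id, second_number = results[1]
    legitimate = svc.approve(second_id, second_number)
    replay = svc.approve(second_id, second_number)    # prompt already consumed
    return {
        "prompts_delivered": sum(r is not None for r in results),
        "alerts": svc.alerts,
        "blind_tap_accepted": blind_tap,
        "legitimate_accepted": legitimate,
        "replay_accepted": replay,
    }


if __name__ == "__main__":
    print(simulate_push_bombing())
```

In the constructed run the fourth prompt trips the limit, the user's pushes are paused and an alert is raised, so the attacker never gets the fifth attempt; the approval that lacks the number fails even though the credentials were valid.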


SIM Swapping

SIM swapping targets SMS-based MFA by convincing a carrier to transfer the victim's phone number to an attacker-controlled SIM. The attacker calls the carrier pretending to be the victim, provides enough personal information (often sourced from data breaches or social media), and requests a SIM transfer. Once the number is transferred, SMS OTPs and voice calls go to the attacker. High-profile targets include cryptocurrency holders (where SIM swaps have resulted in millions in losses) and executives. Defenses: eliminate SMS MFA entirely for any account containing sensitive data. Carriers offer SIM swap protections (port freeze, customer PIN requirements) but these are inconsistently enforced. For high-risk individuals, consider eSIM with carrier-level PIN protection.

Session Cookie Theft

Post-authentication session cookie theft bypasses MFA by stealing the authenticated session rather than the credentials. Infostealer malware (Redline, Raccoon, Lumma) harvests browser session cookies from infected endpoints and exfiltrates them to attacker infrastructure. The attacker imports the cookie into a browser and inherits the authenticated session, including any MFA-verified state. This technique is responsible for numerous cloud account compromises where no phishing email was ever sent. Mitigations: token binding (binding session tokens to the specific device or TLS connection), continuous access evaluation that checks device health during the session, EDR that detects cookie theft behaviors, and short session token lifetimes that force re-authentication frequently.

The Only Reliable Defense: Phishing-Resistant MFA

NIST and CISA both designate only two MFA methods as phishing-resistant: FIDO2/WebAuthn (hardware security keys, passkeys) and certificate-based authentication (PIV/CAC). Phishing-resistant MFA binds the authentication to the specific origin (domain) being accessed. An AiTM proxy cannot relay a FIDO2 challenge because the origin check fails: the authentication is bound to the legitimate domain, and a proxy URL is a different origin. For consumer-facing accounts: passkeys stored in platform authenticators (Apple iCloud Keychain, Google Password Manager) provide phishing resistance with no hardware required. For enterprise: YubiKey, Google Titan, or FIDO2-certified authenticators. For privileged access: hardware security keys should be mandatory with no fallback to OTP or SMS.

Defense in Depth Beyond MFA Method

Even with phishing-resistant MFA, apply these additional controls:

Continuous access evaluation

Microsoft CAE and Google BeyondCorp re-evaluate session validity continuously, not just at login. A session from a compromised device gets terminated even if it was authenticated legitimately.

Token lifetime reduction

Shorten access token lifetimes for sensitive applications. Short-lived tokens reduce the window of opportunity if a session cookie is stolen.

Anomalous session detection

Alert on sessions authenticated from one location and used from another within minutes (impossible travel) or sessions using device fingerprints not seen in the past 30 days.
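The two detections named here (and in the AiTM section above): impossible travel between an authentication and the first use of the session from elsewhere, and a device fingerprint not seen in the past 30 days. This is an added example, not code from the article or from any identity provider. It runs over constructed sign-in events in a simple CSV layout plus a constructed device-history table; the field layout, the 1,000 km/h plausibility threshold and the use of IP-geolocated coordinates are assumptions.

```python
"""Added example (not from the article): flag impossible travel and
unfamiliar device fingerprints across a user's sign-in and activity events."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample events. Layout (an assumption): timestamp,user,event,ip,lat,lon,device_fp
SAMPLE_LOG = """\
2025-03-01T08:00:00Z,alice,auth,203.0.113.10,51.50,-0.12,fp-a1
2025-03-01T08:04:00Z,alice,activity,198.51.100.7,40.71,-74.00,fp-zz9
2025-03-01T09:00:00Z,bob,auth,192.0.2.5,48.85,2.35,fp-b7
2025-03-01T09:30:00Z,bob,activity,192.0.2.5,48.85,2.35,fp-b7
"""

# Constructed device history: fingerprint -> when it was last seen for that user
KNOWN_DEVICES = {
    "alice": {"fp-a1": datetime(2025, 2, 20)},
    "bob": {"fp-b7": datetime(2025, 2, 1)},
}

MAX_PLAUSIBLE_KMH = 1000.0      # assumption: nothing legitimate moves faster than an airliner
NEW_DEVICE_WINDOW = timedelta(days=30)


def parse_events(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, kind, ip, lat, lon, fp = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "kind": kind, "ip": ip,
            "lat": float(lat), "lon": float(lon), "fp": fp,
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_anomalies(log, known_devices):
    """Return (user, alert_type, detail) tuples in event order."""
    alerts = []
    last_event = {}
    for ev in parse_events(log):
        user = ev["user"]
        prev = last_event.get(user)
        # Impossible travel: the session is used from a different IP sooner than anyone could get there
        if prev is not None and prev["ip"] != ev["ip"]:
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((user, "impossible_travel",
                               f"{km:.0f} km between {prev['ip']} and {ev['ip']} in {hours * 60:.0f} min"))
        # New device: fingerprint never seen, or not seen within the window
        last_seen = known_devices.get(user, {}).get(ev["fp"])
        if last_seen is None or ev["ts"] - last_seen > NEW_DEVICE_WINDOW:
            alerts.append((user, "new_device", f"fingerprint {ev['fp']} not seen in the last 30 days"))
        last_event[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG, KNOWN_DEVICES):
        print(alert)
```

In the constructed data alice authenticates from one address and her session is used four minutes later from another, thousands of kilometres away, on a fingerprint never seen before: both alerts fire on that second event, which is the shape of a proxied or stolen session. Bob's device was last seen 28 days ago and stays quiet.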

Number matching for push MFA

If you cannot immediately move to phishing-resistant MFA, enable number matching in Duo, Microsoft Authenticator, and Okta Verify. It eliminates most MFA fatigue attacks without requiring hardware.

Eliminate SMS MFA for sensitive accounts

SMS OTP should not be used for any account with access to sensitive data. Replace it with TOTP (authenticator app) at minimum, and with FIDO2 for privileged accounts.

The bottom line

MFA bypass is a solved problem: phishing-resistant authentication (FIDO2/passkeys) prevents AiTM phishing, MFA fatigue, and most session hijacking techniques simultaneously. The cost is deploying hardware keys or enabling passkeys. The cost of not doing it is demonstrated daily in breach reports.

Frequently asked questions

Does Microsoft Authenticator protect against AiTM phishing?

Standard push notification MFA in Microsoft Authenticator does not protect against AiTM phishing because the attacker's proxy relays the authentication flow in real time. Number matching significantly reduces MFA fatigue attacks. Only using Authenticator with FIDO2 (passwordless phone sign-in with a phishing-resistant credential) or a hardware security key fully protects against AiTM. Microsoft's Conditional Access policies can also block legacy authentication protocols that bypass MFA entirely.

What is the difference between TOTP and FIDO2?

TOTP (Time-based One-Time Password, used in Google Authenticator and Authy) generates a six-digit code that a user types in. It is vulnerable to AiTM phishing because the attacker's proxy can relay the code in real time before it expires. FIDO2/WebAuthn uses public-key cryptography bound to a specific origin (domain). The authentication cannot be relayed to a different domain, making it inherently phishing-resistant. FIDO2 is significantly stronger than TOTP.
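To make the comparison concrete, here is RFC 6238 TOTP implemented with the standard library, as an added example that is not from the article or from any authenticator vendor. It shows the property the answer above relies on: the code depends only on the shared secret and the current time step, nothing ties it to the site it is typed into, and the usual drift tolerance (one step either side) extends how long a captured code stays usable. The secret is the RFC 6238 test vector key, not a real one; the step and digit counts are the common defaults.

```python
"""Added example (not from the article): RFC 6238 TOTP with the standard library,
to show why a relayed code works anywhere until its acceptance window closes."""
import hashlib
import hmac
import struct

STEP = 30          # seconds per time step (the usual default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = STEP, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbouring steps for clock drift.
    Nothing here binds the code to an origin: any party holding the six digits
    can submit them to the real service until this window closes."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
        for d in range(-skew, skew + 1)
    )


def seconds_until_step_end(unix_time: int, step: int = STEP) -> int:
    """How long a code captured at `unix_time` remains valid in its own step alone."""
    return step - (unix_time % step)


# Test secret from RFC 6238 Appendix B (SHA-1 vectors); not a real key.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)       # RFC 6238 vector at T=59: 94287082 (8 digits), 287082 (6 digits)
    print(code, verify_totp(RFC_SECRET, code, 61), seconds_until_step_end(35))
```

A code captured at second 35 of a step is still good for 25 seconds on its own, and with the default one-step skew it is accepted for up to 30 seconds more; that is ample time for a proxy that relays it the moment it is typed. Reducing `skew` narrows the window but does not remove it, which is the gap FIDO2's origin binding closes.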

What is Evilginx and how do defenders detect it?

Evilginx2 is an open-source AiTM phishing framework that acts as a reverse proxy to capture credentials and session cookies in real time. Defenders detect Evilginx-based attacks through: monitoring for new ASN or IP ranges appearing in session tokens after authentication, impossible travel alerts, token binding that detects proxy-relayed sessions, and threat intelligence feeds that track known Evilginx infrastructure IP ranges.

Should we still deploy MFA if it can be bypassed?

Absolutely. MFA still blocks the overwhelming majority of attacks (credential stuffing, password spray, brute force). AiTM and other bypass techniques require significantly more attacker effort and targeting. The question is whether your threat model includes sophisticated, targeted attackers: if yes, prioritize phishing-resistant MFA. For most organizations, any MFA is dramatically better than no MFA, and phishing-resistant MFA is better still.

How do passkeys prevent AiTM phishing?

Passkeys use FIDO2/WebAuthn, which binds authentication to a specific origin. When you register a passkey on accounts.google.com, the credential is cryptographically tied to that exact domain. If an AiTM phishing proxy serves a fake page at accounts.google.evil.com, the passkey assertion will fail because the origin does not match. The attacker cannot relay a valid FIDO2 assertion from a different domain. This is why CISA designates FIDO2 as phishing-resistant and TOTP as not.
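The origin check described here (and in the phishing-resistant MFA section above), as an added example that is not from the article and is not a WebAuthn library. It reduces the relying party's assertion verification to the checks that defeat a proxy: the origin the browser recorded in clientDataJSON must equal the origin the relying party expects, and the rpIdHash in authenticatorData must equal SHA-256 of the relying party ID. The relying-party ID, the expected origin, the challenge value and the lookalike proxy domain are all constructed; signature verification over authenticatorData || SHA-256(clientDataJSON) is omitted here and in practice is done by a FIDO2 library.

```python
"""Added example (not from the article, not a WebAuthn library): the relying-party
checks in a WebAuthn assertion that make origin binding concrete. Signature
verification over authenticatorData || SHA-256(clientDataJSON) is left out; a
production RP does it with a FIDO2 library."""
import base64
import hashlib
import json

RP_ID = "example.com"                          # assumption: the relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumption: the only origin the RP serves logins from


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def browser_client_data(origin: str, challenge: str) -> str:
    """What the browser builds for navigator.credentials.get(): it records the origin
    the page is really loaded from, and the authenticator's signature covers its hash,
    so a proxy cannot rewrite the origin field without breaking the signature."""
    return b64url_encode(json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())


def authenticator_data(rp_id: str) -> str:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP|UV) || signCount.
    The browser only allows an rpId that is a registrable suffix of the page's own
    domain, so a page on a proxy domain ends up with a different hash."""
    return b64url_encode(hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big"))


def check_assertion(client_data_b64: str, auth_data_b64: str, expected_challenge: str):
    """Return (accepted, reason). The order follows the WebAuthn assertion
    verification steps, minus signature verification."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "accepted"


def demo():
    """Constructed: one genuine sign-in and one relayed through a lookalike proxy domain."""
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed; real RPs issue random, single-use challenges
    genuine = check_assertion(browser_client_data(EXPECTED_ORIGIN, challenge),
                              authenticator_data(RP_ID), challenge)
    proxy_origin = "https://login.example-com.evil.example"   # constructed lookalike
    phished = check_assertion(browser_client_data(proxy_origin, challenge),
                              authenticator_data("example-com.evil.example"), challenge)
    return genuine, phished


if __name__ == "__main__":
    print(demo())
```

The relayed assertion fails on the origin check before the rpIdHash is even examined, and because the authenticator signs over the hash of clientDataJSON, the proxy cannot edit that origin into the expected value. The challenge check is what stops a captured assertion from being replayed later against a fresh session.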

What should we do if we cannot deploy FIDO2 hardware keys immediately?

Prioritize in this order: (1) Enable number matching on all push MFA to eliminate MFA fatigue. (2) Disable SMS MFA for all accounts with sensitive data access. (3) Implement Conditional Access policies that block legacy authentication. (4) Deploy passkeys (software-based FIDO2) for high-value accounts, which requires no hardware. (5) Purchase hardware security keys for privileged access accounts as the first hardware deployment. This sequence delivers significant risk reduction while you complete a full hardware rollout.


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
