MFA Is Not Enough — 5 Ways Attackers Bypass Multi-Factor Authentication

The False Sense of Security

Multi-factor authentication has become the de facto standard for securing enterprise accounts. IT teams deploy it, auditors demand it, and cyber insurance policies require it. The assumption: if an attacker steals a password, the second factor will stop them.

That assumption is dangerously wrong.

In 2025 alone, Microsoft reported that over 10,000 organizations were targeted by adversary-in-the-middle (AiTM) phishing campaigns that bypassed MFA entirely. The Lapsus$ group breached Uber, Okta, and Rockstar Games — all protected by MFA. The MGM Resorts hack in September 2023, which caused over $100 million in damages, started with a simple social engineering call to the help desk that circumvented MFA controls.

"MFA is a speed bump, not a wall. It slows attackers down — but skilled adversaries drive right over it."

This article breaks down five real-world techniques that threat actors actively use to defeat MFA — and what you can do about each one.

1. Adversary-in-the-Middle (AiTM) Phishing

How it works: The attacker sets up a reverse proxy between the victim and the legitimate login page. The user sees the real Microsoft 365 or Google Workspace interface — including the MFA prompt. They enter their password, approve the push notification, or type their TOTP code. The proxy relays everything in real time to the genuine server, captures the resulting session cookie, and hands it to the attacker. The user is logged in. So is the attacker.

Real-world tools: Open-source frameworks like EvilGinx2, Modlishka, and Muraena make this trivially easy to deploy. These are not theoretical tools — they are actively used in attacks documented by Microsoft Threat Intelligence, Zscaler ThreatLabz, and Group-IB.

Why it's effective: Every MFA method that is completed through the browser without being bound to the site's origin — push notifications, TOTP codes, SMS codes — is vulnerable to AiTM. The proxy sits between user and server; it does not need to break the second factor, it simply relays it.

Defense: Hardware security keys with FIDO2/WebAuthn are the only MFA method that resists AiTM phishing, because the browser and authenticator bind every signature to the origin of the legitimate site (the relying party ID). A proxy running on a different domain cannot complete the handshake. Additionally, monitor for token-theft indicators: sign-ins from mismatched IP addresses, impossible travel between sign-ins, and new device enrollments.
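The origin binding that defeats the proxy, shown from the relying party's side as an added example (this is not code from the article or from any named product; the origin login.example.com, the look-alike proxy domain and the challenge value are constructed). The server checks the browser-stamped origin and the rpIdHash before it ever looks at the signature; in a real browser the ceremony would already fail client-side because the credential is scoped to the relying party ID, and the server check below is the relying party's independent backstop.

```python
import base64
import hashlib
import json

# Assumed relying-party identity for this example (not from the article).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The browser, not the page, fills in 'origin', so a proxy cannot spoof it."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([int(user_present)]) + bytes(4)


def check_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """The origin, challenge and rpIdHash checks a relying party runs before it
    verifies the assertion signature (signature verification is omitted here)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed; a real RP issues fresh random bytes per login

# Genuine sign-in: the browser was on the real origin.
legit = check_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE), make_auth_data(EXPECTED_RP_ID), CHALLENGE)
# Same challenge relayed through a look-alike proxy (constructed domain): the browser stamps
# the proxy's origin, so the relying party rejects it even though the user did everything right.
proxied = check_binding(make_client_data("https://login.example.com.verify-portal.test", CHALLENGE),
                        make_auth_data(EXPECTED_RP_ID), CHALLENGE)
```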

2. MFA Fatigue (Push Notification Bombing)

How it works: The attacker already has the victim's username and password — typically from a credential leak on the dark web. They initiate login attempts in rapid succession, triggering a flood of push notifications on the victim's phone. After dozens of "Did you just try to log in?" alerts — often at 2 AM — the user taps "Approve" just to make them stop.

Real-world case: This is exactly how the Lapsus$ group breached Uber in September 2022. The attacker bombarded an Uber contractor with push requests, then contacted them via WhatsApp posing as IT support, claiming the only way to stop the alerts was to approve one. The contractor complied. From there, the attacker pivoted to internal Slack, source code repositories, and admin dashboards.

"The attacker doesn't need to crack MFA. They just need one exhausted employee at 2 AM."

Defense: Enforce number matching (the user must type a code shown on the login screen into the app). Microsoft Authenticator, Okta, and Duo all support this. Set alert thresholds: more than 3 denied push requests in 5 minutes should trigger an automatic account lockout and a SOC alert.
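The alert threshold above (more than 3 denied pushes in 5 minutes) as a sliding-window detection, added here as an example and not taken from the article or from any vendor's product. The push events are a constructed sample; the rule also flags an approval that arrives after the account should already have been locked, which is the pattern of the exhausted user giving in.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold from the article: more than 3 denied push requests within 5 minutes.
DENIED_LIMIT = 3
WINDOW = timedelta(minutes=5)

# Constructed sample of MFA push events (not real logs): ISO timestamp, user, outcome.
SAMPLE_EVENTS = [
    ("2025-03-02T02:01:10", "alice", "denied"),
    ("2025-03-02T02:01:42", "alice", "denied"),
    ("2025-03-02T02:02:15", "bob", "approved"),
    ("2025-03-02T02:02:30", "alice", "denied"),
    ("2025-03-02T02:03:05", "alice", "denied"),    # 4th denial inside 5 min: lock + alert
    ("2025-03-02T02:03:40", "alice", "approved"),  # the exhausted 2 AM tap, on a locked account
    ("2025-03-02T09:15:00", "bob", "denied"),
    ("2025-03-02T09:40:00", "bob", "denied"),      # 25 min later: earlier denial has aged out
]


def detect_push_bombing(events, limit=DENIED_LIMIT, window=WINDOW):
    """Sliding-window count of denied pushes per user.

    Returns (alerts, locked): alerts is a list of (user, timestamp, kind) and
    locked is the set of users the policy would lock out. kind is 'push_bombing'
    when the denial count exceeds limit inside window, or 'approval_while_locked'
    when an approval arrives for an account the policy has already locked."""
    recent = defaultdict(deque)
    locked, alerts = set(), []
    for ts_str, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if outcome == "approved":
            if user in locked:
                alerts.append((user, ts_str, "approval_while_locked"))
            continue
        if outcome != "denied":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) > limit and user not in locked:
            locked.add(user)
            alerts.append((user, ts_str, "push_bombing"))
    return alerts, locked
```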

3. SIM Swapping

How it works: The attacker contacts the victim's mobile carrier — by phone, via a retail store, or through a compromised carrier employee — and convinces them to transfer the victim's phone number to a new SIM card. Once the number is ported, the attacker receives all SMS messages, including one-time passcodes. The victim's phone goes silent.

Scale of the problem: The FBI's IC3 received 2,026 SIM swapping complaints in 2022, with adjusted losses exceeding $72 million — and these are only the reported cases. In January 2024, the SEC's official X (Twitter) account was hijacked via SIM swap, leading to a fake Bitcoin ETF approval tweet that temporarily moved crypto markets. High-value targets — executives, crypto holders, IT administrators — are disproportionately targeted.

Why it still works: Despite years of warnings, most mobile carriers still have weak identity verification for SIM transfers. Insider corruption at carriers is also documented: in 2023, a T-Mobile employee was charged with performing unauthorized SIM swaps for a criminal group.

Defense: Never use SMS as a second factor for critical systems. Migrate to authenticator apps or FIDO2 keys. For accounts that still require a phone number, set carrier PINs and request a port-out freeze. Monitor dark web forums for leaked phone numbers and carrier account details of your employees.

4. Session Hijacking and Token Theft

How it works: MFA protects the login moment — but not the session that follows. Once a user authenticates, the application issues a session token (cookie). If an attacker steals that token, they inherit the authenticated session without ever touching the MFA flow.

Attack vectors: Infostealers like RedLine, Raccoon, and Lumma are the primary delivery mechanism. These malware families are sold as a service on dark web markets for as little as $150/month. They harvest browser cookies, saved passwords, and session tokens from infected endpoints. A single infostealer infection can exfiltrate active sessions for Microsoft 365, Google Workspace, Salesforce, and dozens of SaaS applications — all in under 60 seconds.

Scale: According to Flare Systems and Hudson Rock, over 20 million devices were infected with infostealers in 2024. The stolen sessions are traded on specialized dark web markets like Russian Market and Genesis Market (seized by the FBI in 2023 but since replaced by successors). One compromised session to a corporate Microsoft 365 tenant can sell for $10–$50.

"Your MFA did its job at the front door. But the attacker climbed in through the window — with a stolen session token."

Defense: Enforce Conditional Access policies that bind sessions to device compliance and IP ranges. Reduce session token lifetimes for sensitive applications. Deploy EDR solutions to detect infostealer infections. Most critically: monitor dark web markets for stolen credentials and session tokens tied to your corporate domains — this is where early detection buys you response time before the token is used.
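Binding a session token to the device and network it was issued on, so that a cookie lifted by an infostealer fails when replayed, as an added example that is not code from the article or from any Conditional Access product. The trusted network range, session lifetime, users and device identifiers are all constructed; a real deployment would take the device identity from a managed-device certificate or compliance claim.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed policy values (not from the article): trusted egress range, short lifetime.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_LIFETIME = timedelta(hours=1)


class BoundSessionStore:
    """Binds each session token to its issuing device and network; replays elsewhere fail."""
    def __init__(self):
        self._sessions = {}
        self.alerts = []  # (user, reason) pairs destined for the SOC

    def issue(self, token, user, device_id, now):
        self._sessions[token] = {"user": user, "device": device_id,
                                 "issued": now, "revoked": False}

    def validate(self, token, device_id, ip, now):
        """Return (allowed, reason); a binding failure revokes the token outright."""
        s = self._sessions.get(token)
        if s is None or s["revoked"]:
            return False, "unknown or revoked token"
        if now - s["issued"] > MAX_LIFETIME:
            s["revoked"] = True
            return False, "session lifetime exceeded"
        if not any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS):
            reason = f"request from {ip}, outside trusted networks"
        elif device_id != s["device"]:
            reason = f"device {device_id!r} differs from issuing device {s['device']!r}"
        else:
            return True, "ok"
        s["revoked"] = True  # stolen copy is dead; the real user must re-authenticate
        self.alerts.append((s["user"], reason))
        return False, reason


def demo():
    """Constructed scenario: alice's cookie replayed from an attacker's host, carol's
    from another device inside the network, bob's after its lifetime."""
    store, t0 = BoundSessionStore(), datetime(2025, 3, 2, 9, 0)
    store.issue("tok-a", "alice", "laptop-A1", t0)
    store.issue("tok-b", "bob", "laptop-B7", t0)
    store.issue("tok-c", "carol", "laptop-C3", t0)
    m = lambda n: t0 + timedelta(minutes=n)
    results = [
        store.validate("tok-a", "laptop-A1", "203.0.113.10", m(5)),    # legitimate use
        store.validate("tok-a", "unknown", "198.51.100.77", m(6)),     # stolen cookie replayed
        store.validate("tok-a", "laptop-A1", "203.0.113.10", m(7)),    # victim must re-auth
        store.validate("tok-c", "laptop-X9", "203.0.113.31", m(8)),    # trusted IP, wrong device
        store.validate("tok-b", "laptop-B7", "203.0.113.22", m(120)),  # past MAX_LIFETIME
    ]
    return results, store.alerts
```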

5. Social Engineering the Help Desk

How it works: The attacker calls the IT help desk, impersonates an employee, and requests an MFA reset. "I got a new phone and can't access my authenticator." With enough publicly available information — employee name, email address, manager's name, employee ID from a LinkedIn post — the social engineer passes basic identity verification. The help desk resets MFA. The attacker enrolls their own device.

Real-world case: The September 2023 MGM Resorts breach — one of the most expensive cyber incidents in recent history — began with a 10-minute phone call to the help desk. The Scattered Spider group identified an MGM employee on LinkedIn, called the IT support line, and convinced the agent to reset the employee's credentials. From that single reset, the attackers moved laterally to MGM's Okta and Azure AD environments, deployed ransomware, and shut down casino operations across Las Vegas. Total estimated damage: over $100 million.

Why it keeps working: Help desks are optimized for speed, not security. Agents handle hundreds of requests per day. Identity verification is often limited to questions whose answers are available on social media. Under pressure to maintain service levels, agents reset MFA without robust verification.

Defense: Implement callback verification to pre-registered phone numbers. Require video identity verification for MFA resets. Use identity-proofing solutions like those from Okta or Microsoft Entra Verified ID. Train help desk staff specifically on social engineering scenarios — including the "new phone" and "locked out executive" pretexts.

The Bigger Picture: Why MFA Alone Fails

None of these five techniques is theoretical. They are used in active campaigns by groups ranging from nation-state actors to financially motivated ransomware gangs. The common thread: MFA protects a single moment — the authentication event. Attackers have learned to attack everything around that moment: the user's psychology, the session after login, the help desk that resets credentials, the carrier that controls the phone number.

A defense-in-depth approach is essential:

  • Phishing-resistant MFA: FIDO2 security keys for privileged and high-risk accounts
  • Conditional Access: Bind sessions to managed devices and trusted networks
  • Credential monitoring: Detect stolen passwords and session tokens on the dark web before they are weaponized
  • Infostealer detection: EDR/XDR plus dark web monitoring for exfiltrated cookies and tokens
  • Help desk hardening: Identity-proofing for all credential and MFA reset requests
  • Continuous session evaluation: Anomaly detection for session tokens used from unexpected locations or devices

Your Credentials May Already Be Compromised

Most organizations only learn about stolen credentials after the breach. Blackveil monitors dark web markets, infostealer logs, and credential dumps continuously — and alerts you the moment your corporate domains, email addresses, or session tokens surface.

A Blackveil Dark Web Analysis shows you within 24 hours which of your company's credentials are actively circulating — and which of the five attack methods above your organization is most vulnerable to.

Request your free Dark Web Analysis now — and find out what attackers already know about your organization.
