How Cybercriminals Bypass MFA: The Reality of Modern Identity Attacks

MFA Weakness Blog Post image

Summary

This blog explores the growing misconception that Multi-Factor Authentication (MFA) alone guarantees cybersecurity protection. It examines how modern attackers bypass MFA through session hijacking, OAuth abuse, phishing kits, weak Conditional Access policies, and social engineering tactics. The article breaks down the different types of MFA from weakest to strongest, including SMS, authenticator apps, FIDO2 security keys, and passkeys. It also highlights recent breach trends and explains why organizations must adopt layered identity security strategies that combine phishing-resistant MFA, monitoring, incident response, and ongoing security awareness training for employees and executives.

Why identity security needs more than a second factor

The assumption that needs challenging

Enabling multi-factor authentication has become a standard milestone for organisations measuring their security maturity. In audits, boardroom reviews, and compliance conversations, it often functions as a checkbox that, once ticked, moves the discussion on.

As our CTO Barry Rooney puts it: “In almost every audit I have been involved with, there is a near-religious belief that MFA means you cannot be hacked. It is simply not accurate.”

The problem is that attackers have not stood still.

MFA remains one of the most impactful controls in cybersecurity. Organisations without it are significantly more exposed, and that has not changed. But the assumption that MFA alone closes the identity security gap is creating a dangerous blind spot. Threat actors are no longer focused on bypassing the second factor directly. They are targeting what sits around it: sessions, authentication flows, weak policies, and people.

How attackers have moved on

The most significant shift in recent years is the rise of Adversary-in-the-Middle phishing. These attacks do not try to crack MFA. They proxy the login process in real time, stealing the authenticated session token after the user has successfully completed the MFA challenge. At that point, the attacker does not need credentials. The identity provider has already done the validation.

The scale of this threat became sharply visible earlier this year when a coordinated public-private operation dismantled one of the world’s most prolific phishing-as-a-service platforms. Known as Tycoon 2FA, it was designed specifically to help attackers compromise accounts protected by MFA and steal session cookies, and was responsible for tens of millions of fraudulent emails and almost tens of thousands of confirmed victims globally. Its key mechanism was a transparent proxy: a fake login page that forwarded credentials and one-time passwords to the real site in real time, capturing a fully authenticated session before the victim realised anything was wrong. Access to this off-the-shelf phishing kit was available via private Telegram channels for roughly $120 per month, allowing even those with limited technical expertise to run sophisticated account-takeover campaigns at scale.

MFA technically worked exactly as designed. Organisations were still compromised.

OAuth and device code abuse: a threat hiding in plain sight

A separate and increasingly active threat involves the abuse of legitimate OAuth and device code authentication flows. Security researchers have warned that attackers are abusing the OAuth device authorisation flow to steal Microsoft 365 access tokens, enabling stealthy account takeovers that bypass traditional phishing defences. In a typical campaign, victims receive phishing emails containing links, attachments, or QR codes, often impersonating trusted brands such as Microsoft, DocuSign, or Adobe.

The operators behind Tycoon 2FA have now adopted this method too. The Tycoon 2FA group has pivoted to OAuth device code phishing as an additional technique for bypassing MFA protections. This surge in device code phishing is closely tied to the public release of criminal toolkits and phishing-as-a-service platforms, making the once obscure technique widely accessible. New kits are appearing almost weekly, many refined using AI-assisted development, allowing attackers to replicate or modify existing tools and produce near-identical attack chains at scale.

These attacks are particularly difficult to detect because they abuse legitimate Microsoft infrastructure and generate fewer traditional security alerts. Users believe they are completing normal authentication. By the time anyone notices, the attacker has a valid, authenticated session.

Not all MFA is equal

There is a widespread assumption that any MFA is good MFA. The reality is more nuanced.

SMS-based authentication is vulnerable to SIM swapping, SS7 interception, and social engineering. Email-based verification is only as strong as the email account itself. Basic push notifications introduced the problem of MFA fatigue, where attackers repeatedly send approval requests until an exhausted user accepts one. These methods still offer more protection than a password alone, but they are far from resilient.

TOTP authenticator apps provide stronger protection but can still be intercepted through real-time phishing proxies. Push notifications with number matching reduce the fatigue risk meaningfully. At the stronger end, FIDO2 hardware security keys and passkeys use cryptographic authentication tied to trusted domains, making most phishing and session replay attacks significantly harder to execute. Not all MFA is created equal, and relying on SMS-based authentication in particular carries well-documented risks that many organisations still underestimate.

Conditional access is where many organisations are exposed

During incident response and security assessment work, weak or permissive conditional access policies appear repeatedly as the real point of failure. Common gaps include allowing access from unmanaged devices, excluding executives from MFA enforcement, maintaining broad VPN trust, leaving legacy authentication protocols active, and building excessive policy exceptions that accumulate over time.

As Barry notes from direct experience in the field: “We have seen in recent incident response engagements that MFA can be circumvented by exploiting weak conditional access rules with something as basic as a VPN. Enabling MFA is an important step. Believing it is the last step is where organisations get into trouble.”

Attackers exploit these gaps routinely using residential proxies, VPN services, and session cookie theft. A policy that trusts logins from a specific country is straightforward to circumvent by routing traffic through a local endpoint. The policy passes. The attacker gets access.

Legacy authentication is particularly problematic. Older protocols frequently bypass modern MFA controls entirely and remain an active attack vector in many enterprise environments.

Identity is where the real battle is being fought

Traditional network perimeters have largely dissolved. Cloud services, remote work, SaaS adoption, and hybrid infrastructure have shifted the focus of attackers toward identity systems. Compromising a trusted identity today means email access, cloud application access, file storage, collaboration platforms, and often administrative privileges. That is a significant foothold from a single point of failure.

This is why identity security now deserves the same maturity and investment as endpoint security and network monitoring. Organisations need visibility into authentication behaviour, session anomalies, OAuth abuse, suspicious device registrations, and privilege escalation, not just endpoint alerts and firewall logs. Identity Threat Detection and Response is no longer a specialist concern. It is a mainstream requirement.

What strong identity security actually looks like

Mature identity security is not one control. It is a set of layered defences working together.

That means moving toward phishing-resistant MFA methods where possible, hardening conditional access policies with device compliance checks and risk-based controls, actively monitoring for session abuse and token theft, eliminating legacy authentication protocols, and building genuine detection and response capabilities around identity.

It also means ensuring that endpoint protection does not operate in isolation. Detecting a compromised session or an unusual authentication event at 2am on a Tuesday is only possible if someone is watching. That is why 24/7 monitoring through a Managed SOC or MDR service is a core part of a mature security posture, not an optional add-on. Threats do not keep business hours, and the window between initial access and significant damage can close very quickly without continuous visibility across your environment.

It also means taking security awareness seriously. Attackers are increasingly targeting people rather than technology, and executives are a particularly attractive target given their access levels and the pressure they operate under. Awareness training that covers phishing recognition, MFA fatigue tactics, OAuth consent abuse, and device code scams is not a nice-to-have. It is a meaningful line of defence.

Technical controls and educated users are not alternatives. They work together.

The right way to think about MFA

MFA is not the problem. The problem is treating it as the destination.

Every security control has limits. Firewalls can be bypassed. EDR tools can be evaded. Email filters fail. MFA can be circumvented through session theft, weak configuration, and social engineering. That does not make any of these controls worthless. It makes the case for layered defence rather than single-point confidence.

The takedown of Tycoon 2FA was welcome news, but the cybercrime industry abhors a vacuum. Other criminal operators are likely to fill the void quickly. The techniques are documented, the toolkits are accessible, and the attack surface has not shrunk.

MFA is one important part of a broader identity security strategy. Organisations that understand it in those terms are far better positioned than those that treat it as a problem solved.

Sources: GBHackers | Cryptika / CybersecurityNews | Bitdefender Hot for Security