Multi-factor authentication (MFA) has become the baseline security control for protecting user accounts. However, threat actors have developed increasingly sophisticated techniques to bypass MFA entirely. Understanding these bypass methods is critical for security teams evaluating their authentication posture.
Technique 1: Adversary-in-the-Middle (AiTM) Phishing
AiTM phishing is the most prevalent MFA bypass technique in 2025. It works by proxying the authentication flow in real time:
- Attacker sends a phishing email with a link to a reverse proxy (Evilginx, Modlishka, Muraena)
- Victim clicks link and sees a pixel-perfect copy of the real login page
- Victim enters username, password, and MFA code, all of which the proxy forwards to the real service in real time
- The proxy captures the authenticated session cookie after MFA validation completes
- Attacker replays the session cookie from their own browser; MFA is completely bypassed because the service already considers the session authenticated
Detection: Monitor for logins where the session is used from a different IP/ASN than the one that completed MFA. Implement token binding (tying the session to the client that obtained it) and conditional access policies.
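The first detection check above, as an added example that is not part of the original article: it correlates each session's MFA completion with later activity and flags sessions whose activity comes from a different ASN (optionally a different IP). The event schema, field names and sample events are constructed assumptions; map your identity provider's sign-in and activity logs onto the same fields.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # epoch seconds
    user: str
    session_id: str   # identifier of the issued session cookie
    kind: str         # "mfa_completed" or "session_activity"
    ip: str
    asn: int          # autonomous system number the IP belongs to


def find_session_replays(events, alert_on_ip_change=False):
    """Return one (user, session_id, mfa_ip, activity_ip) tuple per session whose
    activity first appears from another ASN (or another IP, when alert_on_ip_change
    is set) than the MFA completion, plus the set of session ids with no MFA record."""
    origin, flagged, unmatched, findings = {}, set(), set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_completed":
            origin[ev.session_id] = ev
            continue
        if ev.kind != "session_activity" or ev.session_id in flagged:
            continue
        mfa = origin.get(ev.session_id)
        if mfa is None:
            unmatched.add(ev.session_id)  # cannot be compared; review separately
            continue
        # A new IP inside the same ASN is routine for mobile and CGNAT users;
        # a new ASN for a cookie minted minutes earlier matches AiTM replay.
        if mfa.asn != ev.asn or (alert_on_ip_change and mfa.ip != ev.ip):
            flagged.add(ev.session_id)
            findings.append((ev.user, ev.session_id, mfa.ip, ev.ip))
    return findings, unmatched


# Constructed sample telemetry (documentation IP ranges and private ASNs).
SAMPLE_EVENTS = [
    Event(1000, "alice", "sess-A", "mfa_completed", "203.0.113.10", 64500),
    Event(1060, "alice", "sess-A", "session_activity", "203.0.113.11", 64500),  # same ASN
    Event(1300, "alice", "sess-A", "session_activity", "198.51.100.7", 64511),  # new ASN
    Event(2000, "bob", "sess-B", "mfa_completed", "192.0.2.5", 64496),
    Event(2100, "bob", "sess-B", "session_activity", "192.0.2.5", 64496),
    Event(3000, "carol", "sess-C", "session_activity", "192.0.2.9", 64496),  # no MFA seen
]

if __name__ == "__main__":
    hits, unknown = find_session_replays(SAMPLE_EVENTS)
    for user, sid, src, dst in hits:
        print(f"ALERT {user} {sid}: MFA from {src}, session used from {dst}")
    print("sessions without MFA record:", sorted(unknown))
```

Sessions that were never seen completing MFA are returned separately rather than flagged, since a missing record is a logging gap or a session minted elsewhere, not evidence of replay on its own.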
Technique 2: SIM Swapping
SMS-based MFA is vulnerable to SIM swapping attacks:
- Attacker social engineers the victim's mobile carrier into transferring the victim's phone number to an attacker-controlled SIM card
- All SMS-based MFA codes are now delivered to the attacker
- Often combined with credentials obtained from stealer logs or phishing
Mitigation: Eliminate SMS-based MFA entirely. Migrate to authenticator apps (TOTP) or hardware security keys (FIDO2/WebAuthn).
Technique 3: Session Cookie Theft via Infostealers
Infostealer malware harvests authenticated session cookies from the victim's browser:
- Cookies are extracted after the user has already completed MFA
- Attacker imports cookies into their browser and gains authenticated access without ever needing credentials or MFA
- Particularly effective against cloud services (Microsoft 365, Google Workspace, Salesforce)
Detection: SIA Monitor alerts when your organization's credentials and cookies appear in stealer log databases. Implement continuous access evaluation (CAE) policies that detect session anomalies.
Technique 4: MFA Fatigue / Push Bombing
Used against push-notification MFA (Microsoft Authenticator, Duo):
- Attacker has the victim's password (from phishing or stealer logs)
- Repeatedly triggers MFA push notifications until the victim accidentally approves or approves out of frustration
- Often combined with social engineering: the attacker calls the victim posing as IT support and asks them to approve the push
Mitigation: Enable number matching in push MFA. Require the user to enter a displayed number rather than simply tapping "Approve." Microsoft now enforces this by default.
Technique 5: OAuth Consent Phishing
Bypasses MFA entirely by obtaining authorized API access:
- Attacker registers a malicious OAuth application
- Victim is tricked into granting the application permissions (read email, access files)
- The app receives an OAuth token that provides ongoing access without requiring credentials or MFA
- Persists even after password rotation
Mitigation: Restrict OAuth app consent to admin-approved applications only. Audit existing OAuth grants regularly for suspicious third-party applications.
Technique 6: Passkey/FIDO2 Downgrade
When organizations offer multiple MFA methods, attackers target the weakest option:
- Even if FIDO2 is available, the login flow can often be steered to a weaker fallback such as SMS or email OTP
- Attackers social engineer help desk personnel into adding alternative MFA methods to compromised accounts
Mitigation: Enforce FIDO2/passkeys as the only permitted MFA method for high-value accounts. Disable fallback authentication methods for privileged users.
Defensive Strategy
A comprehensive MFA hardening strategy includes:
- Deploy phishing-resistant MFA: FIDO2 security keys or passkeys that are cryptographically bound to the legitimate domain
- Implement conditional access: require managed devices, a compliant security posture, and trusted network locations
- Monitor for credential exposure: SIA Monitor detects stolen session cookies before they are weaponized
- Continuous access evaluation: terminate sessions in real time when risk signals change (impossible travel, new device)
- Help desk verification: implement identity verification procedures for MFA reset requests to prevent social engineering
How SIA Force Helps
Even with MFA deployed, credential theft remains a threat. SIA Monitor tracks the theft of session cookies and tokens via stealer logs, alerting your team so it can revoke the affected sessions immediately.