Phishing Evolution: How Attackers Are Bypassing MFA
Multi-Factor Authentication is no longer a silver bullet. Understand AiTM phishing, MFA fatigue, and how to protect your workforce.
The MFA False Sense of Security
For years, the security advice has been: "Turn on Multi-Factor Authentication (MFA), and you'll be safe."
While MFA drastically reduces the likelihood of account takeover, it is not invincible. Attackers have evolved their tactics to bypass standard MFA mechanisms.
Tactic 1: Adversary-in-the-Middle (AiTM) Phishing
AiTM is currently the most prevalent method for bypassing MFA.
Instead of directing a user to a fake login page that just steals the password, the attacker uses a reverse proxy (like Evilginx).
- The user visits the phishing site.
- The proxy forwards the user's login request to the real Microsoft or Google login page.
- The user enters their password and MFA code.
- The real service authenticates the user and returns a valid session cookie.
- The proxy intercepts the session cookie and forwards it to the attacker, while passing the user through to the real application.
The attacker now has a valid session cookie and doesn't need the password or MFA device!
Tactic 2: MFA Fatigue (Prompt Bombing)
Attackers acquire a user's password and repeatedly trigger push notification MFA prompts late at night. The goal is to annoy the user until they accidentally (or intentionally, out of frustration) click "Approve." This tactic was notably used in several high-profile breaches.
How to Defend
- FIDO2 / WebAuthn: Upgrade to phishing-resistant MFA, such as YubiKeys or Windows Hello. These protocols tie the authentication to the specific domain, making AiTM proxy attacks impossible.
- Number Matching: If using push notifications, enable "number matching," which requires the user to type a number shown on their screen into their phone, neutralizing MFA fatigue attacks.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit