MFA Is Not Enough — Why Multi-Layer Security Matters in 2026
By Tyrone E. Wilson | Cover6 Solutions
Multi-factor authentication is one of the most important security controls you can implement — and it’s no longer sufficient on its own. Attackers have adapted. MFA fatigue attacks, adversary-in-the-middle phishing kits, and SIM swapping are now mainstream techniques that bypass traditional MFA implementations at scale. Understanding how MFA gets defeated, and what a genuinely layered security approach looks like, is essential for any organization that believed “we have MFA, we’re covered.”
How Attackers Bypass Multi-Factor Authentication
The cybersecurity industry spent years telling organizations to implement MFA as the single most impactful security control — and that advice was correct. But as MFA adoption grew, attackers evolved their techniques to defeat it. The three most prevalent MFA bypass techniques in use today are:
- Real-time phishing proxy attacks (adversary-in-the-middle, or AiTM), where attackers sit between the victim and the legitimate service, relaying credentials and session tokens in real time to bypass MFA without the victim realizing anything is wrong
- MFA fatigue attacks, where attackers who already have credentials flood a victim’s authenticator app with push notifications until the victim approves one out of frustration or confusion
- SIM swapping, where attackers socially engineer mobile carriers into transferring a victim’s phone number to an attacker-controlled SIM, defeating SMS-based MFA entirely
Tools like Evilginx2 and Modlishka have made AiTM attacks accessible to attackers without advanced technical skills, and documented campaigns against Microsoft 365, Okta, and numerous enterprise environments demonstrate that MFA bypass is no longer theoretical.
MFA Fatigue Attacks — What They Are and Why They Work
MFA fatigue (also called MFA push bombing) exploits the human element of push-based authentication. When an attacker has compromised a user’s password — through phishing, credential stuffing, or data breach exposure — they attempt to log in repeatedly, triggering a flood of push notifications to the victim’s authenticator app. Many victims, especially those who aren’t security-aware, interpret the flood of unexpected prompts as a technical glitch and eventually approve one to make it stop. Others approve the notification accidentally during a busy moment. The Uber breach in 2022 was executed largely through MFA fatigue — an attacker combined stolen credentials with persistent WhatsApp messages impersonating IT support to get an employee to approve the MFA push. The fix for MFA fatigue is straightforward: use number matching (the app displays a code that must match what’s shown on the login screen) and additional context (location, application name) in push notifications. Microsoft and Google Authenticator both support these features. Organizations still using simple approve/deny push notifications should upgrade their MFA configuration immediately.
What “Defense in Depth” Actually Means
Defense in depth is the security principle that no single control should be relied upon as the only thing standing between an attacker and your critical assets. It’s not about buying more products — it’s about designing your security architecture so that defeating one layer doesn’t mean compromising everything. In practice, this means layering preventive controls (MFA, EDR, email filtering), detective controls (SIEM, behavioral analytics, cloud security monitoring), and responsive controls (incident response procedures, automated isolation capabilities, backup and recovery). Each layer assumes the others might fail. An attacker who bypasses your MFA still has to defeat your EDR. One who defeats your EDR still has to evade your behavioral monitoring. One who evades monitoring still has to work around your network segmentation before reaching your most sensitive assets. Defense in depth doesn’t prevent all breaches — it limits the blast radius when they occur and improves your ability to detect and respond quickly.
Building a Layered Security Stack on a Budget
- Identity layer: Phishing-resistant MFA (FIDO2/passkeys or certificate-based auth where possible), conditional access policies, privileged access management
- Endpoint layer: EDR on all managed devices, disk encryption, MDM for policy enforcement, regular patching
- Email layer: Advanced anti-phishing, DMARC/DKIM/SPF, attachment sandboxing, link rewriting
- Network layer: DNS filtering (blocks malicious domains before connections are made), firewall with outbound inspection, network segmentation
- Data layer: Encryption at rest and in transit, DLP controls on sensitive data, access controls with least privilege
- Detection layer: Centralized logging, cloud security monitoring, anomaly detection, regular vulnerability scanning
- Recovery layer: Immutable backups, tested recovery procedures, documented IR plan
The One Security Control That Supports Everything Else
If you had to identify the single control that amplifies the effectiveness of every other security investment, it’s visibility — specifically, centralized logging and monitoring. You cannot investigate an incident you can’t see. You cannot detect a breach that generates no alerts. You cannot measure the effectiveness of your controls without data. A basic SIEM or log aggregation capability — whether that’s Microsoft Sentinel, Splunk, or even a well-configured cloud-native logging setup — gives you the foundation to detect MFA bypass attempts, endpoint anomalies, lateral movement, and data exfiltration that would otherwise go unnoticed. Small businesses that invest in detection capability consistently have shorter breach dwell times and lower total incident costs than those that invest exclusively in prevention. Prevention eventually fails. Detection and response determine how bad it gets when it does.
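As an added example (not from the original article), here is the kind of detection logic a centralized log platform lets you run over sign-in events for two of the bypass patterns described above: MFA push bombing (a burst of denied prompts ending in an approval) and AiTM session-token replay (a fresh session used from a different IP and country minutes after the MFA approval). The event format, field names and sample lines are constructed for illustration and do not follow any vendor's sign-in schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from a real tenant): timestamp user event src_ip country
SAMPLE_EVENTS = """\
2026-01-10T08:00:05Z alice mfa_push_denied 203.0.113.7 RO
2026-01-10T08:00:25Z alice mfa_push_denied 203.0.113.7 RO
2026-01-10T08:00:50Z alice mfa_push_denied 203.0.113.7 RO
2026-01-10T08:01:40Z alice mfa_push_approved 203.0.113.7 RO
2026-01-10T09:00:00Z bob mfa_push_approved 198.51.100.4 US
2026-01-10T09:03:00Z bob session_used 192.0.2.99 NL
2026-01-10T10:00:00Z carol mfa_push_denied 198.51.100.9 US
2026-01-10T10:00:30Z carol mfa_push_approved 198.51.100.9 US
"""

def parse(text):
    """Parse whitespace-separated event lines into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip, country))
    return sorted(events)

def detect_push_bombing(events, threshold=3, window=timedelta(minutes=5)):
    """MFA-fatigue pattern: an approval preceded by >= threshold denied pushes within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, event, ip, _) in enumerate(evs):
            if event != "mfa_push_approved":
                continue
            denied = [e for e in evs[:i]
                      if e[2] == "mfa_push_denied" and ts - e[0] <= window]
            if len(denied) >= threshold:
                alerts.append((user, len(denied), ip))  # (user, denials before approval, ip)
    return alerts

def detect_session_replay(events, window=timedelta(minutes=30)):
    """AiTM indicator: session used from another IP and country soon after the MFA approval."""
    last_approval, alerts = {}, []
    for ts, user, event, ip, country in events:
        if event == "mfa_push_approved":
            last_approval[user] = (ts, ip, country)
        elif event == "session_used" and user in last_approval:
            ats, aip, acountry = last_approval[user]
            if ts - ats <= window and ip != aip and country != acountry:
                alerts.append((user, aip, ip))  # (user, login ip, replay ip)
    return alerts
```

Carol's single denial before approving is ordinary user behaviour and is not flagged; tuning `threshold` and `window` against your own baseline is the real work once the events are centralized.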
Need Help Securing Your Organization?
Cover6 Solutions provides vCISO services, compliance consulting, and cybersecurity assessments for small businesses and defense contractors.