TL;DR
- Multi-factor authentication (MFA) is still one of the best security controls you can deploy — but attackers have developed reliable techniques to beat it, and those techniques are now mainstream.
- The four dominant MFA bypass methods in 2026 are: Adversary-in-the-Middle (AiTM) phishing, SIM swapping, MFA fatigue (push bombing), and session token theft.
- SMS and push-notification MFA are the weakest links. Phishing-resistant MFA (hardware keys, passkeys) stops most of these attacks cold.
- If your organisation uses Microsoft 365, Google Workspace, or any cloud SSO provider and hasn't migrated to phishing-resistant MFA, you are at measurable risk today.
- Free 30-minute security review available: consult.lil.business
Why MFA Bypass Is the Hottest Attack Category in 2026
Multi-factor authentication was supposed to be the silver bullet. Turn it on, and even if your password leaks, attackers can't get in — right? That was the story for most of the 2010s. By 2026, that story has a very messy sequel.
According to Microsoft's Digital Defense Report 2025, more than 99.9% of compromised accounts did not have MFA enabled. The same report found that adversary-in-the-middle phishing kits bypassed MFA in over 146,000 confirmed incidents tracked by Microsoft Threat Intelligence in a single year [1]. CISA's 2025 advisory on cloud security confirmed that MFA bypass is now a standard capability in most nation-state and financially motivated threat actor playbooks [2].
MFA bypass doesn't mean MFA is broken. It means specific types of MFA are broken in specific scenarios. Understanding which attacks work against which MFA methods — and why — is the difference between security theater and actual protection.
What Is MFA and Why Did Attackers Start Targeting It?
Multi-factor authentication requires you to prove your identity using two or more of three categories: something you know (password), something you have (a phone or hardware key), and something you are (biometrics). The idea is that stealing a password alone isn't enough — an attacker also needs the second factor.
Explain it like I'm 10: Imagine your house has two locks. The first lock uses a key (your password). The second lock uses a secret handshake that changes every 30 seconds (your MFA code). Even if someone steals your key, they can't do the handshake — so they can't get in. MFA bypass is like learning how to fake the handshake, or tricking you into doing the handshake while the attacker is already standing at the door.
Attackers started targeting MFA heavily around 2022–2023, when MFA adoption reached critical mass in enterprises. Once most accounts had passwords protected by MFA, the value of bypassing MFA skyrocketed. Today the tooling is commoditised: reverse-proxy phishing frameworks such as Evilginx (now in its third major version) and Modlishka are freely available as open-source projects, and dedicated phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA are sold through criminal channels with hosting, page templates and support included, so running a campaign requires almost no technical skill [3][5].
How Does Adversary-in-the-Middle (AiTM) Phishing Bypass MFA?
Adversary-in-the-middle (AiTM) phishing is the most technically sophisticated, and the most widely deployed, MFA bypass technique in 2026. Unlike classic phishing, which only harvests your password, an AiTM attack sits between you and the real login page as a reverse proxy: you complete MFA yourself, and the attacker walks away with the authenticated session.
How AiTM works step by step:
- You receive a convincing phishing email with a link to a login page that looks pixel-perfect, for example a Microsoft 365 sign-in. The page is served from the attacker's domain with a valid TLS certificate for that domain, so the browser shows a padlock; only the address is wrong.
- You enter your username and password. The attacker's proxy server relays those credentials to the real Microsoft login server on your behalf.
- Microsoft's real server asks for your MFA code. The fake login page forwards this request to you, so you enter your authenticator code (TOTP or push approval).
- The attacker's proxy relays your MFA code to Microsoft's real server — which accepts it and issues an authenticated session cookie.
- The attacker captures that session cookie. You're logged in on your screen, but the attacker now has a copy of your authenticated session and can access your account without any further authentication checks.
Explain it like I'm 10: Imagine you're calling your bank, but there's a sneaky person in the middle of the phone line, listening and repeating everything. When the bank asks you to say a secret word, the sneaky person hears it and says it at the same time to the bank from their own phone. Now the bank thinks they are you.
According to CrowdStrike's 2025 Global Threat Report, AiTM infrastructure is now included in 73% of observed ransomware initial access chains targeting organisations using Microsoft 365 [4]. The Tycoon 2FA phishing kit, analysed by Sekoia in 2024, has been linked to campaigns targeting over 400 domains and bypassing Microsoft Authenticator push notifications with a near-100% success rate when users are successfully redirected [3].
What stops AiTM attacks: Phishing-resistant MFA, specifically FIDO2 hardware security keys (YubiKey, Google Titan) and passkeys, cryptographically binds authentication to the legitimate domain. A credential registered for login.microsoftonline.com is never offered by the browser on any other origin, and the signed response includes the origin the browser was actually on, so a proxy has nothing usable to relay. One caveat: the key only helps if the attacker cannot fall back to a weaker method. If the same account still has SMS or push enrolled, the proxy can simply present the "use another method" option; in Entra ID, require a phishing-resistant authentication strength in Conditional Access so the fallback is not accepted.
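To see concretely why a relayed TOTP code is accepted but a passkey cannot be relayed, here is an added example (written for this page, not lilMONSTER's code or any vendor's implementation). The TOTP routine follows RFC 6238; the WebAuthn side implements only the RP ID and origin checks, with signature verification left out, and the hostnames are constructed.

```python
"""Why a relayed TOTP code verifies at the real server but a passkey does not relay.

Added example, not lilMONSTER's code. The TOTP routine follows RFC 6238; the
WebAuthn part implements only the RP-ID and origin checks from the spec
(signature verification is omitted). Hostnames are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct


# --- TOTP (RFC 6238): nothing in the code says which website it was typed into ---
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The legitimate server's check, allowing one step of clock skew either way."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), submitted) for d in (-1, 0, 1))


def aitm_relay_totp(user_secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy page; the proxy forwards it unchanged."""
    code_typed_by_victim = totp(user_secret, now)   # from the victim's authenticator app
    code_forwarded_by_proxy = code_typed_by_victim  # the server cannot tell who submitted it
    return server_verify_totp(user_secret, code_forwarded_by_proxy, now)


# --- WebAuthn: the credential is bound to an origin, so the relay breaks --------
def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side check (WebAuthn 'valid domain' rule): the RP ID must equal the
    origin's host or be a registrable suffix of it. The public-suffix check is
    omitted here."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(rp_id: str, origin: str, challenge: str) -> bytes:
    """What the browser hands to the authenticator to sign: clientDataJSON carrying
    the origin the page is actually on. The browser refuses first if the RP ID
    does not match that origin."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise PermissionError(f"credential for {rp_id} cannot be used on {origin}")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(client_data, sort_keys=True).encode()


def rp_verify_client_data(client_data_json: bytes, expected_challenge: str,
                          allowed_origins: set) -> bool:
    """Relying-party-side check (defence in depth): even a forged clientDataJSON
    fails if the origin field is not one of ours."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == expected_challenge
            and cd.get("origin") in allowed_origins)


def aitm_relay_webauthn(rp_id: str, phishing_origin: str, challenge: str) -> bool:
    """Same relay against a passkey: True only if the phishing page obtained an
    assertion it could forward."""
    try:
        browser_get_assertion(rp_id, phishing_origin, challenge)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(secret, 1_700_000_000))
    print("Passkey usable on phishing page:",
          aitm_relay_webauthn("login.microsoftonline.com", "https://login-micros0ft.example", "c"))
```

Run it and the proxy-forwarded TOTP verifies, because the code carries no information about which page it was typed into, while the phishing origin never obtains an assertion at all. In a real browser that refusal happens before the user even touches the key, which is why "look for the padlock" no longer helps: the padlock on the phishing page is genuine, and the browser's origin check does the work the user cannot.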
What Is SIM Swapping and How Does It Defeat SMS-Based MFA?
SIM swapping (also called SIM hijacking) is an attack where an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once your number is on their SIM, every SMS — including your MFA codes — goes to the attacker, not you.
How SIM swapping works:
- The attacker researches your personal information — name, address, account number, last four digits of payment card — often purchased from data brokers or leaked databases.
- The attacker contacts your mobile carrier (by phone, in-store, or via social engineering a carrier employee) and impersonates you, citing the personal information gathered.
- The carrier transfers your number to the attacker's SIM. Your phone loses signal. The attacker can now receive all your calls and texts.
- The attacker triggers password resets and MFA codes to your phone number — all of which now go to them.
Explain it like I'm 10: Your phone number is like a home address for text messages. SIM swapping is like convincing the post office that you moved to the attacker's house. After that, all your mail — including your secret login codes — gets delivered to them instead.
The United States Federal Trade Commission (FTC) reported that SIM swapping complaints increased by 400% between 2020 and 2024, with losses exceeding $68 million in the US alone in 2024 [6]. High-profile SIM swap attacks have targeted cryptocurrency holders, executives, and celebrities — resulting in individual losses ranging from tens of thousands to over $30 million in a single incident.
SIM swapping is particularly dangerous because it requires no technical skill from the attacker — just social engineering skills and enough personal data (readily available from breached databases or data broker sites). According to NIST SP 800-63B (2024 revision), SMS-based OTP is classified as a "restricted authenticator" specifically because of the SIM swapping threat model [7].
What stops SIM swapping: Eliminating SMS MFA entirely in favour of authenticator apps, hardware keys, or passkeys. If your MFA never sends a text message, there is nothing for a SIM swap to intercept. Check account recovery as well: if a password reset or "lost authenticator" flow still sends a code to the phone number, the attacker can route around the stronger factor through the recovery path, so remove the phone number from recovery on high-risk accounts. Additionally, placing a port freeze or SIM lock on your carrier account significantly raises the bar for attackers.
What Is MFA Fatigue (Push Bombing) and Why Does It Still Work?
MFA fatigue — also called push bombing or push harassment — is the least technical MFA bypass technique, and arguably the most embarrassingly effective. If your organisation uses push-notification MFA (like Microsoft Authenticator or Duo), an attacker who already has your password can trigger dozens or hundreds of push approval requests to your phone in rapid succession, hoping you'll eventually tap "Approve" out of frustration, confusion, or distraction.
How MFA fatigue works:
- The attacker obtains your valid username and password (from a breach, phishing, or credential stuffing attack).
- The attacker uses an automated tool to attempt login repeatedly, triggering a push notification to your phone each time.
- Your phone buzzes constantly with "Did you just try to sign in?" messages.
- You — perhaps half-asleep, commuting, or just wanting the notifications to stop — tap "Approve."
- The attacker is in.
Explain it like I'm 10: Imagine someone knocking on your door 50 times asking "Can I come in?" Most people would eventually open the door just to make it stop. MFA fatigue is the digital version of that knock.
The Lapsus$ threat group used MFA fatigue to compromise employees at Microsoft, Okta, Uber, and Rockstar Games in 2022 — demonstrating that even sophisticated enterprise environments are vulnerable when humans are the weakest link [4]. Uber's 2022 breach specifically involved an attacker who, after bombarding an employee with push notifications for over an hour, then messaged the employee on WhatsApp claiming to be from IT and instructing them to approve the next notification.
According to Microsoft Threat Intelligence, push-based MFA fatigue attacks are now included in early-stage playbooks for approximately 30% of observed business email compromise (BEC) campaigns [1].
What stops MFA fatigue: Number matching (the user must type a number shown on the login screen into their authenticator app), additional context display (showing the login location and app in the push notification), and rate limiting push requests. Microsoft Authenticator's "number matching" feature, enforced by default from May 2023 onward, significantly reduces but does not eliminate fatigue attacks. Phishing-resistant FIDO2/passkeys eliminate this attack class entirely.
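For the detection side, here is an added example (not lilMONSTER's code) that runs a push-bombing heuristic over a handful of constructed sign-in events: a burst of declined or ignored prompts for one user inside a short window raises an alert, and an approval arriving while the burst is still inside the window escalates it. The line format and the sample lines are made up for the example; the same logic applies to the MFA result details your identity provider records (for Entra ID, sign-in status details such as "MFA denied; user declined the authentication").

```python
"""Detecting MFA push bombing from sign-in logs.

Added example, not lilMONSTER's code. The line format and SAMPLE_LOG are
constructed for this example; in production the same logic would run over the
MFA result details in your identity provider's sign-in logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")
FAILURE_RESULTS = {"mfa_denied", "mfa_timeout"}   # declined or ignored push prompts

# Constructed sample: j.doe is bombed and finally approves, a.smith declines one
# prompt by accident, m.lee has sporadic timeouts spread over hours.
SAMPLE_LOG = """
2026-03-02T08:41:03Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_denied
2026-03-02T08:41:40Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_timeout
2026-03-02T08:42:15Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_denied
2026-03-02T08:42:51Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_denied
2026-03-02T08:43:30Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_timeout
2026-03-02T08:44:02Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_denied
2026-03-02T08:45:10Z user=j.doe@example.com.au ip=203.0.113.9 result=mfa_approved
2026-03-02T09:02:11Z user=a.smith@example.com.au ip=198.51.100.4 result=mfa_denied
2026-03-02T09:02:40Z user=a.smith@example.com.au ip=198.51.100.4 result=mfa_approved
2026-03-02T07:10:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
2026-03-02T07:40:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
2026-03-02T08:10:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
2026-03-02T08:40:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
2026-03-02T09:10:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
2026-03-02T09:40:00Z user=m.lee@example.com.au ip=192.0.2.77 result=mfa_timeout
""".strip().splitlines()


def parse(lines):
    """Return (timestamp, user, ip, result) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["user"], m["ip"], m["result"]))
    return sorted(events)


def detect_push_bombing(lines, window_s=600, threshold=5):
    """Alert when a user declines or ignores >= threshold prompts within window_s seconds.
    If an approval arrives while the burst is still inside the window, the alert is
    escalated: that is the 'tap Approve to make it stop' outcome."""
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, ip) of failures inside the window
    active = {}                   # user -> alert dict for a burst still in progress
    for ts, user, ip, result in parse(lines):
        q = recent[user]
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) < threshold:    # burst has aged out of the window
            active.pop(user, None)
        if result in FAILURE_RESULTS:
            q.append((ts, ip))
            if user in active:
                active[user]["failures"] = len(q)
                active[user]["source_ips"].add(ip)
            elif len(q) >= threshold:
                active[user] = {"user": user, "burst_start": q[0][0], "failures": len(q),
                                "source_ips": {i for _, i in q}, "approved_after_burst": False}
                alerts.append(active[user])
        elif result == "mfa_approved":
            if user in active:
                active[user]["approved_after_burst"] = True
                active[user]["approved_from"] = ip
            q.clear()
            active.pop(user, None)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

The escalated alert is the one to page on: the user has just approved a prompt they had been declining for minutes, so the right response is to revoke that session and reset the password rather than wait for the user to report it. Tune the threshold and window to your environment; five prompts in ten minutes is far above what an ordinary fat-fingered decline produces.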
How Does Session Token Theft Bypass MFA After Login?
Session token theft is the sneakiest MFA bypass technique because it doesn't attack the authentication process at all — it steals the result of authentication. Every time you log into a web application, the server issues a session cookie (a small piece of data stored in your browser) that proves you already authenticated. If an attacker steals that cookie, they can impersonate your authenticated session without ever needing your password or MFA code.
How session token theft works:
- Browser infostealer malware: Malware like Lumma Stealer, RedLine, or Vidar silently exfiltrates all browser cookies, saved passwords, and session tokens from an infected machine. These are sold within hours on criminal marketplaces for $5–$30 per machine.
- AiTM (as covered above): The attacker's proxy captures the session cookie at login time.
- Cross-site scripting (XSS): Malicious JavaScript injected into a vulnerable site can read and exfiltrate your session cookie if it lacks the HttpOnly flag. (HttpOnly stops the script reading the cookie, but an XSS payload can still send requests inside your session; it is a mitigation, not a cure.)
- Malicious browser extensions: Extensions with broad permissions can read cookies and exfiltrate them.
Once an attacker has a valid session token, MFA has already been completed — from the server's perspective, you are authenticated. The attacker simply imports the cookie into their browser using a tool like Cookie Editor or the built-in developer tools, and they are in your session instantly.
Explain it like I'm 10: When you log into a website, the website gives you a special wristband that says "This person already proved who they are." Session token theft is like someone sneaking your wristband off your wrist and wearing it themselves. The bouncer at the door doesn't check again — they just see the wristband.
CrowdStrike's 2025 adversary intelligence data indicates that infostealer malware families targeting browser session tokens have grown by 312% year-over-year, with stolen credentials and session tokens being the most traded commodity on initial access broker (IAB) marketplaces [4].
What stops session token theft: Continuous Access Evaluation (CAE), a Microsoft Entra ID feature that lets services such as Exchange Online and SharePoint Online revoke access in near-real-time on critical events (the user is disabled, the password is changed, or the token is presented from outside the IP locations allowed by Conditional Access). Device-bound session tokens, where the token is cryptographically tied to a key held in the device's TPM, prevent replay from another machine. Short session lifetimes (15–60 minutes with re-authentication required) reduce the theft window. Endpoint detection and response (EDR) coverage on every device stops infostealer malware from running in the first place.
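To make "device-bound" concrete, here is an added example (not lilMONSTER's code, and not Microsoft's implementation of Token Protection) of the pattern standardised as DPoP in RFC 9449: the session token carries a thumbprint of the device's public key, and every request must arrive with a fresh proof signed by the matching private key. The RSA is a toy-sized, unpadded, stdlib-only implementation so the block runs offline; names and URLs are constructed.

```python
"""Device-bound session tokens: a stolen token is useless without the device key.

Added example, not lilMONSTER's code and not how Entra ID's Token Protection is
implemented. Follows the DPoP pattern (RFC 9449). The RSA below is toy-sized and
unpadded so the example runs with the standard library only; use a real library
and a TPM-backed key in anything real. Names and URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import math
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # server-side key that authenticates issued tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def device_keygen(bits: int = 512):
    """Toy RSA keypair standing in for a TPM-resident key that never leaves the device."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def device_sign(priv, msg: bytes) -> int:
    return pow(_digest_int(msg), priv["d"], priv["n"])


def device_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest_int(msg)


def thumbprint(pub) -> str:
    return _b64(hashlib.sha256(json.dumps(pub, sort_keys=True).encode()).digest())


def issue_token(user: str, device_pub, now: int = None) -> str:
    """Server: the token's cnf.jkt claim pins it to the registering device's key."""
    claims = {"sub": user, "iat": int(now or time.time()), "cnf": {"jkt": thumbprint(device_pub)}}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_proof(priv, pub, method: str, url: str, token: str, now: int = None) -> dict:
    """Device: sign a one-use proof naming the request and the token it accompanies."""
    claims = {"htm": method, "htu": url, "ath": _b64(hashlib.sha256(token.encode()).digest()),
              "jti": secrets.token_hex(16), "iat": int(now or time.time())}
    return {"pub": pub, "claims": claims,
            "sig": device_sign(priv, json.dumps(claims, sort_keys=True).encode())}


def server_authorize(token: str, proof: dict, method: str, url: str,
                     seen_jtis: set, now: int = None, max_age: int = 60):
    """Server: returns (ok, reason). seen_jtis is the replay cache for proof IDs."""
    body, _, tag = token.partition(".")
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()):
        return False, "token integrity check failed"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    c = proof["claims"]
    if not device_verify(proof["pub"], json.dumps(c, sort_keys=True).encode(), proof["sig"]):
        return False, "proof signature invalid"
    if thumbprint(proof["pub"]) != claims["cnf"]["jkt"]:
        return False, "proof key does not match token binding"   # stolen token, attacker's key
    if c["htm"] != method or c["htu"] != url:
        return False, "proof bound to a different request"
    if c["ath"] != _b64(hashlib.sha256(token.encode()).digest()):
        return False, "proof bound to a different token"
    if abs(int(now or time.time()) - c["iat"]) > max_age:
        return False, "proof too old"
    if c["jti"] in seen_jtis:
        return False, "proof replayed"
    seen_jtis.add(c["jti"])
    return True, "ok"


if __name__ == "__main__":
    victim_pub, victim_priv = device_keygen()
    token = issue_token("j.doe@example.com.au", victim_pub)
    seen, url = set(), "https://mail.example/api/inbox"
    own = make_proof(victim_priv, victim_pub, "GET", url, token)
    print("victim's own device:", server_authorize(token, own, "GET", url, seen))
    thief_pub, thief_priv = device_keygen()   # infostealer copied the token, not the TPM key
    stolen = make_proof(thief_priv, thief_pub, "GET", url, token)
    print("stolen token, thief's key:", server_authorize(token, stolen, "GET", url, seen))
```

The second call in the demo models the infostealer case: the attacker holds a bit-for-bit copy of the token, but the proof is signed with a key whose thumbprint does not match cnf.jkt, so the server refuses. Replaying a captured proof fails on the jti cache, and a proof captured for one URL cannot be reused for another. With the private key held in a TPM, malware would have to stay resident on the victim's machine and sign every request, rather than exfiltrate once and work from anywhere.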
Which MFA Methods Are Still Safe in 2026?
Not all MFA is equal. Here is a clear breakdown of MFA types ranked by resistance to the bypass techniques described above:
| MFA Method | AiTM | SIM Swap | Push Fatigue | Token Theft |
|---|---|---|---|---|
| SMS OTP | ❌ Vulnerable | ❌ Vulnerable | N/A | ❌ Not mitigated |
| Email OTP | ❌ Vulnerable | ❌ Indirect (if mailbox recovery uses SMS) | N/A | ❌ Not mitigated |
| TOTP App (Google Authenticator, Authy) | ❌ Vulnerable | ✅ Resistant | N/A | ❌ Not mitigated |
| Push Notification (Authenticator) | ❌ Vulnerable | ✅ Resistant | ❌ Vulnerable | ❌ Not mitigated |
| Push + Number Matching | ❌ Vulnerable | ✅ Resistant | ✅ Mostly resistant | ❌ Not mitigated |
| FIDO2 Hardware Key / Passkey | ✅ Resistant | ✅ Resistant | ✅ Resistant | ❌ Not mitigated |
Token theft happens after authentication has already succeeded, so no authenticator mitigates it on its own, whichever column you are in. The countermeasures are device-bound tokens, Continuous Access Evaluation, short session lifetimes and endpoint protection, as described in the previous section.
FIDO2 hardware security keys and passkeys are the only MFA methods that are cryptographically phishing-resistant — meaning AiTM and SIM swapping have no effective attack vector against them. CISA's 2023 guidance explicitly recommends phishing-resistant MFA for all critical infrastructure and federal agency use cases, and has extended this recommendation to all organisations as a best practice in 2025 [2].
What Should Your Organisation Do Right Now?
The threat landscape for MFA bypass in 2026 is mature, tooled, and being deployed at scale by ransomware operators, nation-state actors, and low-skill script kiddies alike. The good news: strong, practical defences exist.
Immediate priority actions:
- Audit your MFA coverage. Identify every application, every user, and every service account. Where is MFA not enforced? Where is SMS MFA still in use? Build a migration roadmap.
- Eliminate SMS MFA for all privileged and administrative accounts. This is non-negotiable. SMS OTP is classified as a restricted authenticator by NIST — treat it accordingly.
- Enable number matching for all push-based MFA. If you use Microsoft Authenticator, Duo, or Okta Verify, enforce number matching and context display today. This significantly reduces fatigue attack success.
- Deploy phishing-resistant MFA (FIDO2/passkeys) for your highest-risk users. Executives, IT administrators, finance personnel, and anyone with access to sensitive systems should be on hardware keys or passkeys as a priority.
- Enable Conditional Access and Continuous Access Evaluation. For Microsoft 365 and Entra ID environments, configure Conditional Access policies that enforce compliant devices, block legacy authentication protocols, and enable CAE to combat session token theft.
- Deploy EDR on all endpoints. Infostealer malware targeting session tokens is a massive and growing threat vector. EDR coverage is essential to detect and block these threats before tokens are exfiltrated.
- Run phishing simulations that include AiTM scenarios. Generic phishing simulations are no longer sufficient. Security awareness training must include realistic AiTM demos so employees understand why they can't just "look for the padlock" anymore.
Is MFA Dead? The Honest Answer
MFA is not dead. It remains one of the highest-return security controls available. CISA's guidance puts it plainly: an account with MFA is roughly 99% less likely to be compromised [2], and Google's 2019 account-hijacking research found that even SMS codes stopped 100% of automated bot attacks and most targeted ones [8]. The critical nuance is that SMS and push-based MFA are no longer adequate for high-risk accounts and environments.
The attack techniques described in this post — AiTM, SIM swapping, MFA fatigue, and session token theft — are real, widespread, and increasingly automated. But they all have documented, deployable countermeasures. The gap between organisations that have implemented those countermeasures and those still running SMS OTP on Microsoft 365 is the gap between managed risk and active vulnerability.
MFA is not dead. Weak MFA is dying. The question is whether your organisation is ahead of that curve.
Get a Free MFA Security Review
If you're unsure where your MFA configuration stands — or you want an independent review of your identity security posture — lilMONSTER offers a free 30-minute security review for small and medium businesses.
We'll assess your current MFA coverage, identify high-risk gaps, and give you a plain-English action plan — no jargon, no upselling, no obligation.
👉 Book your free review at consult.lil.business
FAQ: MFA Bypass Questions Answered
Are authenticator apps like Google Authenticator still vulnerable to MFA bypass?
Yes. Time-based one-time password (TOTP) authenticator apps like Google Authenticator are still vulnerable to adversary-in-the-middle (AiTM) phishing. An AiTM attack relays your TOTP code in real time to the legitimate server, stealing your authenticated session before the 30-second TOTP window expires. TOTP apps are, however, fully resistant to SIM swapping, since the codes are generated on your device rather than sent via SMS. For full phishing resistance, you need FIDO2 hardware keys or passkeys, which TOTP apps do not provide.
How is MFA fatigue different from phishing?
MFA fatigue (push bombing) does not require you to click a phishing link or visit a fake website. The attacker already has your password and uses it to trigger legitimate push notifications from your organisation's real authentication system. You approve the notification, often under the false assumption that it was an error, and the attacker gains access. Traditional phishing tricks you into entering credentials on a fake site. Both attacks exploit human behaviour, but through different mechanisms. Number matching significantly reduces push fatigue attack success rates.
Is SMS MFA still better than no MFA at all?
Yes, significantly. Even SMS-based MFA blocks the vast majority of automated credential-stuffing and mass phishing attacks. According to Google security research, SMS OTP blocked 100% of automated bot attacks and 76% of targeted attacks, compared with 100% across the board for hardware security keys [8]. The message is not "remove SMS MFA" but "migrate away from SMS MFA for your highest-risk accounts while keeping MFA on everything". Having SMS MFA is far better than having no MFA.
How do attackers get my password in the first place?
There are several common sources: data breaches (billions of username/password combinations are freely available on criminal forums), credential stuffing (automated testing of breached credentials against new sites), phishing (classic password-harvesting pages sent via email or SMS), infostealer malware (which silently exfiltrates saved passwords from browsers), and purchasing credentials from initial access brokers. According to CrowdStrike, over 2.5 billion credentials were listed for sale or trade on criminal forums in 2024 alone [4]. This is why password reuse across sites is catastrophically dangerous.
What are passkeys, and why are they phishing-resistant?
Passkeys are a replacement for passwords and traditional MFA, built on the FIDO2/WebAuthn standard. Instead of a password and a second factor, a passkey uses a cryptographic key pair: a private key stored securely on your device (protected by biometrics or a device PIN), and a public key registered with the website. Authentication is cryptographically bound to the specific legitimate domain, so a phishing site can't trigger your passkey, an AiTM proxy can't relay it, and there's no OTP code to intercept or push notification to approve. Passkeys are supported by Apple, Google, Microsoft, and most major password managers as of 2025, and represent the strongest practical authentication option for consumer and enterprise use.
Does Conditional Access stop session token theft?
Conditional Access combined with Continuous Access Evaluation (CAE) significantly reduces the risk of session token theft, but does not eliminate it entirely. CAE allows identity providers like Microsoft Entra ID to revoke session tokens in near-real-time when critical events occur, such as a token being used from outside the allowed IP locations or from a device that is no longer compliant. Device-bound credentials (Entra ID's Token Protection control in Conditional Access, which at the time of writing supports only Windows devices and a limited set of services) cryptographically tie sign-in session tokens to a key in the device's TPM, making stolen tokens unusable on an attacker's machine. For the highest-risk environments, combining CAE with device compliance policies and short token lifetimes provides the strongest practical protection.
References
[1] Microsoft Threat Intelligence, "Microsoft Digital Defense Report 2025," Microsoft Corporation, Redmond, WA, USA, Oct. 2025. [Online]. Available: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025
[2] Cybersecurity and Infrastructure Security Agency (CISA), "More Than a Password: Multi-Factor Authentication Best Practices," CISA Advisory, U.S. Department of Homeland Security, Washington, D.C., USA, 2025. [Online]. Available: https://www.cisa.gov/mfa
[3] Sekoia Threat Intelligence, "Tycoon 2FA: A New Phishing-as-a-Service Platform Bypassing Microsoft and Google MFA," Sekoia.io Blog, Paris, France, Mar. 2024. [Online]. Available: https://blog.sekoia.io/tycoon2fa-mfa-bypass-phishing-kit
[4] CrowdStrike, "2025 Global Threat Report," CrowdStrike Inc., Austin, TX, USA, Feb. 2025. [Online]. Available: https://www.crowdstrike.com/global-threat-report
[5] Sekoia Threat Intelligence, "Adversary-in-the-Middle Phishing Infrastructure: Evilginx3 and Modern Reverse Proxy Tooling," Sekoia.io Technical Analysis, Paris, France, 2024. [Online]. Available: https://blog.sekoia.io/aitm-phishing-evilginx
[6] Federal Trade Commission (FTC), "Consumer Sentinel Network Data Book 2024," FTC, Washington, D.C., USA, Feb. 2025. [Online]. Available: https://www.ftc.gov/reports/consumer-sentinel-network
[7] National Institute of Standards and Technology (NIST), "Digital Identity Guidelines: Authentication and Lifecycle Management," NIST Special Publication 800-63B, 4th ed., U.S. Department of Commerce, Gaithersburg, MD, USA, 2024. [Online]. Available: https://pages.nist.gov/800-63-4/
[8] K. Thomas et al., "Protecting accounts from credential stuffing with password breach alerting," in Proc. 28th USENIX Security Symposium, Santa Clara, CA, USA, Aug. 2019, pp. 1556–1571. (Google Security Research referenced in: Google, "How effective is basic account hygiene at preventing hijacking," Google Security Blog, 2019.) [Online]. Available: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
Published by lilMONSTER — cybersecurity for businesses that can't afford to get it wrong. No jargon, no fluff, just what you need to know.