MFA Bypass Attacks: How Attackers Get Past Multi-Factor Authentication

Josh Amishav · Last updated Apr 08, 2026 · 6 minute reading time

Learn how attackers bypass MFA and which defenses actually stop them.

• MFA isn’t bulletproof. Attackers routinely bypass it through session token theft and real-time phishing proxies. If your security strategy treats MFA as the last line of defense, you have a gap.
• Session token theft is the most dangerous bypass. Infostealer malware harvests browser cookies that represent already-authenticated sessions. The attacker imports the cookie, skips the login page entirely, and MFA never triggers. You can’t stop what never fires.
• Real-time phishing proxies like Evilginx relay credentials and MFA codes simultaneously. The victim enters their password and MFA code on a fake page. The proxy passes both to the real site in real time and captures the session token. Standard MFA doesn’t help here.
• Hardware security keys (FIDO2/WebAuthn) are the only MFA method that stops phishing proxies. They verify the actual domain, so a fake site can’t intercept the authentication. They don’t help once a session token has already been stolen from a device. Monitor for leaked tokens on criminal markets and invalidate sessions the moment they appear.

You deployed MFA across your company. Good. Now attackers are bypassing it, and they have at least five proven methods to do it.

MFA still blocks most automated attacks. But targeted attackers don’t try passwords one at a time. They steal session tokens and run phishing proxies that capture MFA codes in real time. These techniques bypass MFA entirely.

This guide covers how each bypass technique works, which real attacks used them, and what actually defends against them.

What Are MFA Bypass Attacks?

Multi-factor authentication blocks most automated attacks. If an attacker has a stolen password but no second factor, they’re locked out. That part works.

The problem is that attackers have found reliable ways around it. These aren’t theoretical. They’re used in real attacks regularly.

MFA bypass is any technique that lets an attacker access an account protected by multi-factor authentication without completing the MFA challenge. Methods include stealing session tokens that represent already-authenticated sessions and intercepting MFA codes in real time through phishing proxies.

MFA is still worth deploying. It stops the bulk of credential stuffing and automated login attempts. But treating it as your only defense against credential-based attacks leaves gaps that targeted attackers will find.

How Do Attackers Bypass MFA?

Each technique exploits a different weakness. Some bypass the login process entirely. Others manipulate it in real time.

Session Token Theft

This is the most dangerous bypass because MFA never even fires. The attacker doesn’t log in. They hijack a session that’s already authenticated.

Here’s how it works: infostealer malware on an infected device harvests browser cookies from every active session. Those cookies include session tokens for any service the user was logged into: email, VPN, cloud apps, internal tools.

The attacker imports the stolen cookie into their web proxy. The service sees a valid session token and grants access. No password prompt. No MFA challenge. The attacker is in.

This is why infostealers have become the preferred tool for initial access. They don’t just steal passwords. They steal the authenticated sessions that passwords and MFA were supposed to protect.

Real-Time Phishing Proxies

Tools like Evilginx sit between the victim and the real login page as a reverse proxy. The victim sees what looks like a legitimate login page. They enter their username, password, and MFA code. The proxy passes everything to the real site in real time.

Adversary-in-the-middle (AiTM) phishing uses a reverse proxy to relay the victim’s credentials and MFA code to the real authentication server in real time. The proxy captures the resulting session token, giving the attacker authenticated access. Standard MFA can’t stop this because the victim completes a legitimate authentication flow.

The key: the proxy captures the session token that comes back from the real site. Now the attacker has an authenticated session. The victim completed a real MFA challenge on a fake site, and the attacker gets the result.

Phishing-resistant MFA (FIDO2 hardware keys) stops this because the cryptographic handshake verifies the actual domain. A proxy site can’t fake it.

MFA Fatigue (Push Bombing)

The attacker has valid credentials (from a breach or stealer log) and triggers MFA push notifications repeatedly. The victim gets dozens of “approve this login” prompts on their phone. Eventually, they approve one to make it stop, or they approve one by accident at 2 AM.

Real-world example: In 2022, an attacker used this technique against an Uber contractor. After repeated push notifications, the contractor approved one. The attacker accessed Uber’s internal systems and reached their cloud infrastructure.

The fix: number-matching MFA, where the user has to enter a code shown on the login screen rather than just tapping “approve.” Microsoft and Okta both support this now.

SIM Swapping

The attacker convinces a mobile carrier to transfer the victim’s phone number to a SIM they control. SMS-based MFA codes now go to the attacker.

SIM swapping requires social engineering the carrier (or bribing an employee). It’s more effort than other bypass methods but effective against high-value targets like executives. The defense is simple: don’t use SMS-based MFA. Use authenticator apps or hardware keys.

Help Desk Social Engineering

The attacker calls or emails the help desk pretending to be the employee. They claim they lost their phone or can’t access their MFA device. If the help desk resets MFA without proper verification, the attacker enrolls their own device.

Real-world example: In 2023, attackers social-engineered the MGM Resorts help desk into resetting MFA for an employee account. This gave them access that led to a breach costing MGM over $100 million.

The defense: strict identity verification for MFA resets. A callback to the employee’s known phone number or manager approval before any reset.

Why Are Session Tokens the Biggest MFA Risk?

Session token theft deserves special attention because it scales better than any other bypass method.

Phishing proxies require the victim to click a link and enter credentials. Push bombing requires valid credentials and targets one account at a time. SIM swapping targets one phone number.

Session token theft happens passively. One infostealer infection on one device can harvest active sessions for every service that user is logged into. No user interaction is needed after the initial infection. And the infected device doesn’t have to be the employee’s own. If a family member’s laptop has an infostealer and the employee saved work credentials in that browser, those sessions are compromised too.

The stolen tokens appear on criminal markets quickly. Infostealer logs typically surface within hours of infection. Credential monitoring catches these tokens during the window between theft and exploitation.

The response is different too. Resetting the password isn’t enough. You have to invalidate all active sessions. Most companies don’t do this after detecting credential theft, which means they leave the door open even after they know about the compromise.

How Do You Defend Against MFA Bypass?

No single defense stops every bypass technique. Layer your controls based on which methods you’re most exposed to.

Deploy Phishing-Resistant MFA

FIDO2/WebAuthn hardware keys (like YubiKeys) are the only MFA method that stops real-time phishing proxies. The key performs a cryptographic handshake with the actual domain. A proxy site can’t intercept it. Google reported zero successful phishing attacks against 85,000+ employees after mandating hardware keys in 2017.
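As an added illustration (not code from the original article), here is the domain-binding part of a WebAuthn relying party's assertion check in Python. The relying party ID, allowed origin, challenge and lookalike proxy domain are all constructed values, and signature verification is left out so the focus stays on why a page served from another domain fails.

```python
import base64
import hashlib
import json

# Relying-party settings (constructed for this example, not a real deployment).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))
def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_origin_binding(client_data_b64: str, auth_data: bytes,
                         expected_challenge: str) -> tuple[bool, str]:
    """The WebAuthn checks that make a reverse-proxy phishing page fail: the
    browser-reported origin must be one we registered, the rpIdHash the
    authenticator signed over must equal SHA-256 of our RP ID, and the
    challenge must be ours. Signature verification is left out on purpose."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    return True, "ok"

def browser_assertion(origin: str, effective_domain: str, challenge: str):
    """Constructed sample shaped like a browser's output: clientDataJSON carries
    the page origin; authenticatorData starts with SHA-256 of the domain the
    page really ran on, then flags (UP) and a zero sign counter."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    cdj = b64url_encode(json.dumps(client_data).encode())
    auth_data = hashlib.sha256(effective_domain.encode()).digest() + b"\x01" + bytes(4)
    return cdj, auth_data

CHALLENGE = b64url_encode(b"constructed-challenge-bytes")
def demo():
    # Genuine login: the page was served by the real site.
    ok, _ = check_origin_binding(*browser_assertion(
        "https://login.example.com", "example.com", CHALLENGE), CHALLENGE)
    # Same user and key, but the page came through a proxy on a lookalike
    # domain (constructed), so the browser stamps that domain into both fields.
    bad, why = check_origin_binding(*browser_assertion(
        "https://login.example-com.test", "example-com.test", CHALLENGE), CHALLENGE)
    return ok, bad, why
```

The second case fails on the origin check before the rpIdHash is even compared; a real verifier would also check the signature over authenticatorData and the clientDataJSON hash.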

Start with your highest-risk accounts: IT admins, executives, anyone with access to critical systems. Expand from there.

Enable Number Matching for Push MFA

If you use push-based MFA, enable number matching. The login screen shows a two-digit code. The user has to enter that code in the push notification instead of just tapping “approve.” This stops fatigue attacks because the attacker doesn’t know the code.

Monitor for Stolen Session Tokens

You can’t prevent every infostealer infection, especially on personal devices you don’t control. But you can monitor for stolen tokens appearing on criminal markets. When dark web monitoring detects your employees’ session tokens in stealer logs, invalidate those sessions immediately.

Shorten Session Lifetimes

Stolen session tokens only work while the session is valid. Shorter session lifetimes reduce the window attackers have to exploit stolen tokens. Balance security against user experience: 8-12 hour sessions for standard accounts, shorter for privileged access.

Verify Identity for MFA Resets

The MGM breach started with a help desk social engineering call. Require callback verification to a known number or manager approval before resetting anyone’s MFA. Make this process hard to shortcut.

Don’t Use SMS-Based MFA

SMS is the weakest second factor. SIM swapping defeats it entirely. Authenticator apps are better. Hardware keys are best. If you still have SMS-based MFA on any critical systems, replace it.

Conclusion

MFA blocks automated attacks but doesn’t stop targeted ones. Session token theft and phishing proxies bypass MFA reliably. So does social engineering.

The strongest defenses: hardware security keys for phishing-resistant MFA and number matching for push notifications. Add monitoring for stolen session tokens on criminal markets as your safety net. No single control covers every bypass technique, so layer them.

MFA Bypass FAQ

Can MFA be bypassed?

Yes. Attackers bypass MFA through session token theft, real-time phishing proxies, SIM swapping, push notification fatigue, and social engineering. MFA still blocks most automated credential stuffing attacks, but targeted attackers have reliable methods to get past it.

What is the most dangerous MFA bypass?

Session token theft via infostealer malware. Infostealers harvest browser cookies that represent authenticated sessions. The attacker injects the cookie into their own requests using a proxy like Burp and skips the login page entirely. There’s no login, so the second factor never comes into play.

Do hardware security keys stop MFA bypass?

Hardware keys using FIDO2/WebAuthn stop phishing-based bypasses because they verify the actual domain. A fake phishing site can’t intercept the cryptographic handshake. But hardware keys don’t help against session token theft. If an infostealer harvests an active session cookie from the browser, the attacker imports it and skips authentication entirely. The hardware key never gets a chance to fire.

What is Evilginx?

Evilginx is a reverse proxy that sits between the victim and the real login page. The victim enters their credentials and MFA code on what looks like a legitimate page. Evilginx passes everything to the real site in real time, captures the session token, and gives it to the attacker.

How do you detect an MFA bypass?

Monitoring for stolen session tokens in infostealer logs catches token theft before attackers use the sessions. Anomalous login detection catches sessions originating from unexpected locations. Neither prevents the bypass, but both catch it early enough to respond.

What happened in the Uber MFA fatigue attack?

In 2022, an attacker spammed an Uber contractor with MFA push notifications until the contractor approved one. The attacker gained access to internal systems and reached Uber’s cloud infrastructure. This attack showed that push-based MFA is vulnerable to fatigue attacks.