Home / Insights / MFA Bypass & Compromised Credentials
Guide Cybersecurity

Beyond the Password: How Attackers Bypass MFA and How to Stop Them

MFA is not a silver bullet. Adversary-in-the-middle proxy attacks complete your authentication for you in real time, then walk away with the session token. Stolen credentials now account for the majority of initial access in enterprise breaches. This guide explains how each bypass technique works and which controls actually stop them.

C
Cyvra Research
Cybersecurity Intelligence
4 June 2026
12 min read
Security assessment of MFA and credential controls
Key Takeaways
  • Stolen or compromised credentials are the primary initial access method in over 80% of enterprise breaches, according to Verizon's DBIR. The rise of adversary-in-the-middle attacks has made this position more entrenched, not less.
  • Adversary-in-the-middle (AiTM) proxy attacks bypass TOTP codes and push notifications by proxying the authentication in real time and stealing the resulting session token. The user sees a normal login flow.
  • Only phishing-resistant MFA — FIDO2 passkeys or hardware security keys — stops AiTM attacks at the authentication layer, because the cryptographic challenge is bound to the legitimate origin URL.
  • Pass-the-cookie attacks replay stolen session tokens without needing credentials or MFA at all. Token lifetime policies, Conditional Access with device compliance, and Continuous Access Evaluation (CAE) are the primary defences.
  • MFA fatigue attacks bombard users with push notification requests until they approve one out of exhaustion or confusion. Number matching and additional context in push notifications significantly reduce approval rates.
  • A complete credential defence strategy requires phishing-resistant MFA for privileged accounts, Conditional Access enforcing device compliance, short session token lifetimes, and monitoring for impossible travel and token replay anomalies.

Credentials are the primary breach vector

For most of the 2010s, the narrative around enterprise breaches focused on malware: ransomware groups, nation-state implants, zero-day exploits. The picture has changed substantially. Attackers have shifted to credential theft because it is cheaper, faster, and harder to detect. A legitimate user account signing in through an authorised identity provider looks exactly the same as a normal login to most monitoring systems.

The Verizon Data Breach Investigations Report documents this shift clearly: stolen credentials were involved in over 80% of hacking-related breaches in recent years. The number of credentials available to attackers has grown in parallel. HaveIBeenPwned indexes over 13 billion breached accounts sourced from hundreds of historical data breaches. Credential stuffing tools can test these against target services at scale, with request throttling and IP rotation to avoid rate-limiting defences.

Adding MFA was the right response. And it works against credential stuffing and most automated attacks. The problem is that attackers adapted. A subset of credential attacks now specifically targets the authentication session rather than the credentials themselves, and standard MFA factors provide no protection against them.

80%+
of hacking-related breaches involve stolen credentials (Verizon DBIR)
13B+
breached credentials indexed by HaveIBeenPwned from historical data breaches
3x
increase in AiTM phishing attacks targeting Microsoft 365 tenants between 2022 and 2024

Six bypass methods you need to know

Not all credential attacks are equal. Understanding how each one works is necessary to choose the right controls, because a defence that stops credential stuffing may do nothing against session token theft.

🕸
1. Adversary-in-the-Middle (AiTM) proxy
High Risk
The attacker deploys a reverse proxy (EvilGinx2, Modlishka) at a convincing phishing domain. The user visits the phishing URL, enters credentials, and completes their MFA challenge. The proxy forwards all of this to the real login service in real time and relays responses back to the user. Once the real site issues an authenticated session cookie, the proxy captures it. The user sees a successful login. The attacker now holds a valid session token with no need for credentials or MFA. Stopped by: FIDO2 phishing-resistant MFA (origin-bound cryptographic challenge fails on the phishing domain). Partially mitigated by: Conditional Access device compliance, CAE, short session lifetime.
🍪
2. Pass-the-cookie / session token replay
High Risk
Session tokens stored in browser memory, local storage, or cookies can be extracted from a compromised device using infostealers (Redline, Vidar) or directly from a browser profile. The attacker imports the token into their own browser, replaying the authenticated session without ever presenting credentials or completing MFA. This works even against FIDO2 for the duration the token remains valid. Stopped by: short session lifetimes, Conditional Access with device compliance (binds session to managed device), Continuous Access Evaluation (CAE) which can revoke tokens in near real time when risk signals appear), and monitoring for impossible travel in access logs.
🔔
3. MFA fatigue (push bombing)
Medium Risk
The attacker already has valid credentials and triggers repeated MFA push notifications to the target's phone. Most users, when bombarded with approval requests, will eventually approve one to make them stop. Uber's 2022 breach began this way: a contractor received push after push, eventually approved one, and the attacker was inside the network within minutes. Mitigated by: enabling number matching in authenticator push notifications (user must type the number shown on the login screen into the app, making auto-approvals impossible), adding context to push notifications, and limiting push attempts per session.
📱
4. SIM swapping
Medium Risk
The attacker contacts the target's mobile carrier, impersonates them using social engineering or stolen personal information, and convinces the carrier to transfer the phone number to a SIM they control. All SMS messages and calls to that number now go to the attacker. Any SMS-based MFA code is intercepted. This attack is most relevant where SMS is the only MFA factor, and affects consumer accounts more than enterprise environments with app-based MFA. Mitigated by: removing SMS as an MFA factor in favour of authenticator apps or FIDO2. If SMS cannot be removed, carrier PIN codes or account lockdown features help.
🤖
5. Credential stuffing at scale
Medium Risk
Automated tools test breached credential pairs against target services. Despite high volumes, most attempts fail because of unique passwords and MFA. The attacks that succeed exploit password reuse: a credential from a 2019 forum breach still works on a company Microsoft 365 tenant because the user never changed it. This is a volume game and targets accounts without MFA almost exclusively. Stopped by: MFA on all accounts, password breach monitoring (Entra ID Identity Protection includes HIBP integration), and Conditional Access blocking legacy authentication protocols that cannot support MFA challenges.
🔑
6. OAuth consent phishing
Medium Risk
The attacker creates a malicious OAuth application and sends the target a link that, when clicked and approved, grants the application delegated access to Microsoft 365 or Google Workspace data. The user completes their legitimate login and MFA, then approves what looks like a routine permissions request. The attacker's application now has persistent read and send access to email, files, or contacts without storing any credentials. This bypass persists even after the user changes their password. Mitigated by: Entra ID app consent policies that block unverified applications, restricting user consent to pre-approved applications, and monitoring for new OAuth grants in the tenant audit log.

What each MFA type actually stops

The choice of MFA factor matters significantly. SMS OTP and push notifications stop automated credential stuffing but provide no protection against a real-time AiTM attack. Understanding where the protection ends helps you prioritise which controls to upgrade first.

MFA Type
Credential Stuffing
AiTM Proxy
Session Replay
SMS OTP
Stops
Bypassed
Bypassed
TOTP (Authenticator app)
Stops
Bypassed
Bypassed
Push + number match
Stops
Bypassed
Bypassed
FIDO2 / Passkey
Stops
Stops
Partial*

* FIDO2 stops AiTM at authentication but does not protect session tokens after a legitimate login. Device compliance and CAE are required for post-authentication session security.

What makes FIDO2 different

Every other MFA factor generates a code or prompt that can be forwarded. A six-digit TOTP code, a push notification approval, an SMS message — all of these can be intercepted or forwarded by a proxy in real time. The user completes the challenge; the proxy relays it. The session is established. The proxy takes the cookie.

FIDO2 passkeys and hardware security keys work differently. The private key is stored on the device or in the platform authenticator and never leaves it. The cryptographic signature is generated in response to a challenge that includes the origin URL of the requesting site. If a phishing domain at login-microsoft-365.com requests a FIDO2 signature, the challenge includes that domain. The browser compares it to the registered origin (login.microsoft.com) and refuses to sign. No credential is transmitted. The proxy gets nothing.

This is why FIDO2 is the only factor classified as phishing-resistant under NIST SP 800-63B and why CISA and NCSC both recommend it for high-value accounts.

A note on push MFA

Push notifications without number matching can be approved by a user who is confused by repeated requests, even without malicious intent. Microsoft's own data shows that number matching reduces approval rates during push bombing attacks by over 99%. If you are currently using push notifications, enabling number matching is a free configuration change that substantially raises the bar for MFA fatigue attacks.

Defending against session-layer attacks

Session token theft sits outside the authentication boundary. By the time a token is stolen, the authentication event is already complete. The controls here operate on the session lifetime and device binding rather than on the initial login.

Token lifetime policies

Long-lived access tokens give attackers extended windows to exploit stolen sessions. Entra ID token lifetime policies can reduce refresh token and access token lifetimes for sensitive applications. The tradeoff is user friction: shorter sessions mean more frequent re-authentication. Continuous Access Evaluation (CAE) offers a better solution for supported applications by revoking tokens in near real time when Entra ID detects a risk event, such as a sign-in from an impossible travel location or a reported credential compromise.

Device binding through Conditional Access

Conditional Access policies that require device compliance check whether the device attempting to use the session is the same managed, compliant device that established it. A session token replayed from an unmanaged attacker device fails the compliance check and is blocked or requires re-authentication. This significantly reduces the utility of stolen tokens even when the attacker holds a valid one.

Monitoring for token anomalies

Impossible travel alerts flag sign-ins from geographically separated locations within a timeframe that no human could achieve. A legitimate user who authenticates in Amsterdam at 09:00 cannot also be authenticating in Moscow at 09:15. These detections in Entra ID Identity Protection and in Microsoft Sentinel are among the highest-fidelity signals for session token replay in cloud environments. They should generate automated responses: session revocation, forced re-authentication, or security team notification depending on severity.

Start with privileged accounts

The return on investment for phishing-resistant MFA is highest on accounts with the most access. Administrative accounts, service accounts with elevated permissions, finance team accounts, and board-level executives represent the smallest user population but the largest potential impact of a successful credential attack.

Enforcing FIDO2 on all users in a large organisation takes time: it requires device distribution, user training, and policy rollout. Enforcing it on the 20 accounts that matter most can be done in days. Start there. Extend Conditional Access policies to require phishing-resistant authentication for privileged role access. Apply PIM (Privileged Identity Management) to ensure administrative roles are never permanently active. Those steps alone remove the most valuable targets from reach of AiTM attacks.

A compromised administrator account with TOTP-based MFA gives an attacker full tenant access in under ten minutes. The same attack against a FIDO2-protected account gets them nothing.

Seven controls to implement now

  • Enable number matching on all push MFA — free configuration change in Microsoft Authenticator that stops push bombing attacks
  • Block legacy authentication protocols — SMTP AUTH, POP3, IMAP, and older Office clients cannot complete MFA challenges; blocking them removes the most common credential stuffing path
  • Enforce phishing-resistant MFA for privileged accounts — Conditional Access authentication strength policies can require FIDO2 for administrative roles immediately
  • Enable Entra ID Identity Protection — real-time risk scoring of sign-ins, leaked credential detection from HIBP integration, and automated response policies
  • Configure Continuous Access Evaluation — near real-time token revocation for Microsoft 365 applications when risk events are detected
  • Restrict OAuth application consent — prevent users from consenting to unverified third-party applications by setting tenant-wide consent policies in Entra ID
  • Monitor impossible travel and new device sign-ins — configure alerting rules so that anomalous session patterns generate immediate notifications or automated revocation

Common questions

What is an adversary-in-the-middle attack?

An adversary-in-the-middle (AiTM) attack uses a reverse proxy that sits between the user and the real login page. The user visits a phishing URL, enters their credentials, and completes their MFA challenge. The proxy forwards everything to the real site in real time, receives the authenticated session cookie, and now holds a valid session token that can be used independently of the user's credentials or MFA. Tools like EvilGinx2 and Modlishka automate this process. TOTP codes and push notifications are both bypassed because the authentication is completed legitimately.

Does FIDO2 stop adversary-in-the-middle attacks?

Yes, with an important caveat. FIDO2 passkeys and hardware security keys are cryptographically bound to the origin URL. When a user registers a passkey on login.microsoft.com, the key will not authenticate against a lookalike domain. The browser checks the origin and refuses to sign a challenge from a different domain. This is why FIDO2 is classified as phishing-resistant MFA and TOTP is not. The caveat is that FIDO2 does not protect against session token theft after a legitimate login, which requires separate controls such as Conditional Access with device compliance and Continuous Access Evaluation.

How do I enforce phishing-resistant MFA in Microsoft 365?

In Microsoft Entra ID, navigate to Security, then Authentication Methods, then Authentication Strengths. Create a custom authentication strength policy that requires passkey (FIDO2) or Windows Hello for Business. Then create a Conditional Access policy that applies this authentication strength to your most sensitive applications or to all users. For privileged accounts, enforce this unconditionally. The Microsoft Authenticator app with passkey support can serve as the FIDO2 authenticator for users who do not have a hardware security key.

What is the difference between credential stuffing and a targeted AiTM attack?

Credential stuffing is automated and untargeted. Attackers take breached credential lists containing millions of username and password pairs and test them against common services at scale. It relies on password reuse and is largely defeated by unique passwords and MFA. An AiTM attack is targeted and active: the attacker sends a phishing email to a specific user, operates a proxy in real time to intercept their authentication session, and steals a valid session token. It bypasses MFA entirely and requires phishing-resistant authentication controls or session anomaly detection to counter.

Identity Security Assessment

Find out if your MFA can be bypassed

We test your Conditional Access policies, authentication strength configuration, and session controls against current AiTM and credential attack techniques and give you a prioritised fix list.

Request an Assessment Explore Cybersecurity Services