By now you’re aware of Multi-Factor Authentication, or MFA. It helps people secure bank accounts, cloud services, and business data. How? By requiring a second form of authentication beyond your typical username & password.
It’s important we all understand that while MFA is a strong deterrent, it’s not a perfect solution.
MFA is not immune to cyberattacks.
It puts up a fight, but ways exist to bypass it. Block those bypass routes and you’re in a much safer position.
How do hackers bypass MFA? This WOOF! will explain.
How MFA Works (Normally)
The key to MFA is using more than 1 security ‘proof’ to validate your access. One is a password, and the other is a secondary authentication method.
The password is "something you know," and the secondary authentication is "something you have."
Only the account owner would have both. So you must be the account owner.
These are the steps involved in a normal MFA authentication process:
- Step 1: Enter username.
- Step 2: Enter password.
- Step 3: Enter secondary authentication. It can take the form of:
  - Numeric codes sent by SMS (text messages)
  - Codes from an authenticator app (MS Authenticator, Duo)
  - Biometric scans
  - Fingerprint scans
  - Physical tokens
  - Auto-generated “Is this you?” links sent to another device
(Some MFA setups use a third proof, but it’s not common.)
What does this do to secure access? It puts up an extra layer of protection, and embeds another point at which the system can catch unauthorized access.
How does MFA keep work secure? By restricting access to the person who can provide both authentication keys. Presumably, this is the only person who’s authorized – and most of the time, it is.
The trouble is, no security method is 100% perfect. Even MFA has vulnerabilities…and cybercriminals have figured out what they are.
Techniques Used by Cybercriminals to Bypass MFA
Social Engineering Attacks
These are human-level attacks like phishing emails. Phishing is a common ‘first step’ in bypassing MFA (and helps most of the other techniques, too). It often targets Microsoft 365 tenant accounts.
Man-in-the-Middle (MitM) Attacks
Dangerously common, often targeting high-profile executives due to the valuable data they see & work with.
Man-in-the-Middle involves intercepting communication between your device and a server. When those communications include an MFA authentication code, the cybercriminal copies it.
Now they’re accessing a service as you. Even MFA thinks they’re the legitimate user.
Everything looks normal from your end. Meanwhile, the cybercriminal’s copying passwords, stealing funds, etc.
RECENT CUSTOMER EXAMPLE #1: Manager receives email from team member with a project-related document link and a request. The email and request look odd; the document link is legitimate and comes from the company's MS365 MFA-enabled tenant under the team member’s account. Manager asks team member about it; not sent by him. Without clicking on the document, Manager asks PlanetMagpie to review.
The document is loaded with malware, ready to flood into their network. How did the document get into their MS365 account? Someone had hacked the team member's phone to add the document. Microsoft 365 sent an authentication request, but the hacker – NOT the team member – received it.
Reverse Redirect
Very similar to Man-in-the-Middle. Using special network tools, the cybercriminal sits between you and an email or Web server. When you attempt to access a cloud service, the email/Web server sends its MFA authentication request like normal.
Then the cybercriminal strikes. Their tools intercept that MFA request, hold it, and send you a nearly-identical request. It looks normal, so you enter the authentication code. The cybercriminal's tools grab that code, send a copy back to the email/Web server, and let it finish its login. It’s a valid code, after all.
You finish logging in & go about your business. None the wiser. Meanwhile, the cybercriminal has your login credentials AND a valid MFA code. Anything you have on that server is now theirs.
Phone Hijacking
We wrote about phone hijacking the other day.
It’s a type of attack where a cybercriminal fraudulently transfers a victim's phone number from their current SIM card to a SIM card they control.
Once your number is on their SIM card, your SMS authentication codes go to them. They can bypass the MFA step and get into your work accounts. Bad times.
Token Theft
Involves stealing the token an application platform generates to authorize your access.
Think of a token like a cookie. Similar to a browser’s cookie, but it stores your valid authentication data. A cybercriminal grabs a copy of this cookie from your device. They use it on another device instead…logging into the platform as you.
What’s one example of a token-using platform? Microsoft Azure Active Directory, the cloud service authenticating your MS365 user accounts!
RECENT CUSTOMER EXAMPLE #2: Customer had a contact with a major NY brokerage for financial trading. The customer emailed a trade to their contact. Said contact, however, had left the brokerage two weeks prior. Their IT team had not secured the former employee's Microsoft 365 account.
A cybercriminal had compromised the MS365 account, saw the trade request email, and sent new bank routing instructions to the customer. "Trading" continued for 2 weeks - with payments sent - until the customer realized none of the trades had settled. The money had vanished.
Token theft often occurs via Man-in-the-Middle attacks. More details on Token Theft attacks here.
Exploiting Application Vulnerabilities.
Sometimes the weakness comes not from MFA, but from the application it’s trying to protect. Exploiting those weaknesses takes two forms.
A. PASSWORD RECOVERY MECHANISMS.
When you forget a password, you use the Reset Password option, right? This tool usually sends you an email with a special link for the password reset.
What happens if someone else sees that email before you do? By, for example, using phishing to access your Microsoft 365 account...
Then they can change your password, lock you out, and rifle through your data!
B. BRUTE-FORCING.
Basically, using a tool to guess hundreds to thousands of password combinations, until it finds the right one. Cybercriminals can also brute-force weak security questions. Those are the Dog’s Name/Childhood Street/Parent’s Middle Name questions you pick.
How to Keep MFA Strong and Effective
What’s the “weak link” in MFA bypasses? It’s the phishing attacks. A busy human being is the easiest thing to trick.
Best ways to avoid MFA hacking:
- Nine times out of 10, if you recognize that someone’s trying to break into your device, it stops right there. That’s why staying vigilant and knowing about phishing attacks is the biggest preventive measure for strong MFA. How do you stay vigilant against phishing attacks? Get everyone security awareness training. Teach the team how to:
  - Verify the legitimacy of emails and links
  - Watch for "new login alerts" from online accounts
  - Understand the proper methods for authentication
  - Recognize cyberattack attempts on every device
Other actions include:
- Enforce strong and unique passwords
- Use a smart host to filter your company email for spam/malware (not a free version)
- Implement additional factors – Consider using hardware tokens or security keys; biometric authentication can serve as an additional layer
- Perform regular computer and server software updates
- Regularly update your applications
- Patch firmware on all devices (servers, computers, access points, firewalls, and switches)
- Enable account lockouts and suspicious activity monitoring
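As an added example (not from this post or from PlanetMagpie), here is a small Python routine run over constructed sign-in events that applies two of the checks above: an account lockout after repeated failed passwords, and an alert when a session token is presented from a device or IP other than the one that completed MFA, which is the token theft pattern described earlier. The event format, thresholds and sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5              # failed password attempts that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=10)

# Constructed sample sign-in events (not real logs). Each tuple holds:
# timestamp, user, source IP, device id, event type, session token id (or None).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "bob",   "203.0.113.9",  "unknown",  "password_fail", None),
    ("2024-05-01T09:00:04", "bob",   "203.0.113.9",  "unknown",  "password_fail", None),
    ("2024-05-01T09:00:09", "bob",   "203.0.113.9",  "unknown",  "password_fail", None),
    ("2024-05-01T09:00:15", "bob",   "203.0.113.9",  "unknown",  "password_fail", None),
    ("2024-05-01T09:00:21", "bob",   "203.0.113.9",  "unknown",  "password_fail", None),
    ("2024-05-01T09:05:00", "alice", "198.51.100.4", "laptop-a", "password_fail", None),
    ("2024-05-01T09:05:30", "alice", "198.51.100.4", "laptop-a", "mfa_success",   "tok-1"),
    ("2024-05-01T09:40:00", "alice", "198.51.100.4", "laptop-a", "session_use",   "tok-1"),
    # Same session token presented from a different IP and device: token theft indicator.
    ("2024-05-01T11:00:00", "alice", "203.0.113.77", "pc-x",     "session_use",   "tok-1"),
]

def _ordered(events):
    """Yield events as (datetime, user, ip, device, kind, token), oldest first."""
    for ev in sorted(events, key=lambda e: e[0]):
        yield (datetime.fromisoformat(ev[0]),) + tuple(ev[1:])

def brute_force_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return the set of users who hit `threshold` failed passwords inside `window`."""
    recent_fails = defaultdict(list)
    locked = set()
    for ts, user, _ip, _dev, kind, _tok in _ordered(events):
        if kind != "password_fail":
            continue
        # Keep only failures still inside the sliding window, then add this one.
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
        if len(recent_fails[user]) >= threshold:
            locked.add(user)
    return locked

def replayed_sessions(events):
    """Flag session tokens used from a device/IP other than the one that passed MFA."""
    issued = {}   # token -> (ip, device) recorded at the MFA success that created it
    alerts = []
    for _ts, user, ip, dev, kind, tok in _ordered(events):
        if kind == "mfa_success" and tok:
            issued[tok] = (ip, dev)
        elif kind == "session_use" and tok in issued and issued[tok] != (ip, dev):
            alerts.append({"user": user, "token": tok, "issued_to": issued[tok], "used_from": (ip, dev)})
    return alerts
```

In a real tenant these checks would run against the identity provider's sign-in logs rather than an in-memory list, and a flagged token should be revoked, not just reported.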
MFA Isn't Bulletproof.
MFA can’t promise 100% protection—nothing can. Yet, MFA is still a strong deterrent and is much better than not using it.
Relying on weak user passwords like “123456” only invites crippling breaches, data loss, and severe damage to the business.
We beat the drum about security training because it helps shore up cybersecurity across the board. Including for MFA.
Do you have strong MFA practices in place?
Keep your security and your team up to date, with help from the PlanetMagpie Team. Ask us about training and security advice at info@planetmagpie.com.