Why is MFA not the ultimate solution?
MFA is a key cybersecurity measure, but not foolproof.
Multi-factor authentication (MFA) has become a pillar of cybersecurity and a requirement embedded in many standards and regulations.
MFA adds a crucial layer of security by reducing exposure to various identity theft attacks. It requires users to verify their credentials in two or more ways to access an IT environment. It is particularly vital for organizations with remote or hybrid workforces. However, it is important not to overly rely on this single measure. MFA should only be one component of a comprehensive cybersecurity strategy.
Why is it not a miracle solution to cybersecurity problems?
With the growing adoption of MFA, attackers are abandoning traditional credential theft methods, such as brute force attacks, hash cracking, or classic infostealers, and are turning instead to exploiting session cookies.
Several techniques allow bypassing this mechanism today, undermining the security of systems. These attacks can be grouped into four main categories: session theft and reuse, authentication interception, psychological fatigue of users, and exploitation of compromised accounts.
Session Theft and Reuse
These attacks aim to exploit already valid session cookies or authentication tokens to access accounts without having to go through MFA again.
These attacks, known as “Pass-the-Cookie” (PTC) attacks, pose a major risk to organizations using MFA on platforms such as Office 365, Azure, and other cloud services. In a typical attack, hackers steal cookies like Microsoft’s ESTSAUTH, which is used to validate sessions on Office 365. The attacker then accesses the victim’s account from another browser, without a password or MFA, by injecting the stolen ESTSAUTH cookie. Azure logs display similar entries for both connections, with only slight differences in browser/OS metadata, making these attacks difficult to detect. Without advanced detection tools, these intrusions often go unnoticed.
Phase 1 – Session Cookie Theft
• The victim logs into Office 365 on Windows/Chrome.
• Malware (LummaC2, Redline, etc.) extracts the session cookie (ESTSAUTH) from the browser.
• The attacker retrieves this cookie remotely.
Phase 2 – Session Hijacking
• The attacker opens Ubuntu/Firefox and accesses login.microsoftonline.com.
• They inject the stolen cookie into the browser’s storage using developer tools.
Phase 3 – Unauthorized Account Access
• The attacker refreshes the page.
• The Office 365 server validates the session since the cookie is still active.
• No password or MFA is required.
Why is this attack effective?
• Session cookies remain active as long as the user does not log out.
• Logs show a legitimate connection (only browser metadata differs).
• Difficult to detect without advanced session monitoring.
According to Microsoft’s documentation, ESTSAUTH cookies remain valid as long as the user does not log out or the session does not expire, allowing weeks of undetected access.
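The detection point above (same session, different browser/OS metadata) can be checked directly in sign-in logs. The following is an added example, not code from the original article: the log records are constructed, and the field names (user, session_id, os, browser, ip, mfa) are assumptions rather than any vendor's schema.

```python
"""Flag a sign-in session that is reused from a different device fingerprint."""
from collections import defaultdict

# Constructed sample: session s-1001 starts on Windows/Chrome and later
# reappears from Ubuntu/Firefox with no MFA challenge, matching the
# Pass-the-Cookie pattern described above. Field names are assumptions.
SIGNIN_LOG = [
    {"ts": "2024-05-01T08:02:11Z", "user": "alice@example.com", "session_id": "s-1001",
     "os": "Windows", "browser": "Chrome", "ip": "203.0.113.10", "mfa": "satisfied"},
    {"ts": "2024-05-01T08:40:55Z", "user": "alice@example.com", "session_id": "s-1001",
     "os": "Windows", "browser": "Chrome", "ip": "203.0.113.10", "mfa": "satisfied"},
    {"ts": "2024-05-01T11:17:03Z", "user": "alice@example.com", "session_id": "s-1001",
     "os": "Ubuntu", "browser": "Firefox", "ip": "198.51.100.77", "mfa": "not_required"},
    {"ts": "2024-05-01T09:05:30Z", "user": "bob@example.com", "session_id": "s-2002",
     "os": "macOS", "browser": "Safari", "ip": "203.0.113.22", "mfa": "satisfied"},
]


def find_session_reuse(events):
    """Return one alert per (user, session_id) whose device fingerprint changes.

    The first event for a session (in timestamp order) sets the baseline
    OS/browser. A later event in the same session from a different OS or
    browser, without a fresh MFA challenge, looks like a replayed cookie
    rather than the original user agent.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_session[(e["user"], e["session_id"])].append(e)

    alerts = []
    for (user, sid), evts in by_session.items():
        base = evts[0]
        for e in evts[1:]:
            device_changed = (e["os"], e["browser"]) != (base["os"], base["browser"])
            if device_changed and e["mfa"] != "satisfied":
                alerts.append({
                    "user": user, "session_id": sid, "at": e["ts"],
                    "from": f"{base['os']}/{base['browser']} {base['ip']}",
                    "to": f"{e['os']}/{e['browser']} {e['ip']}",
                })
    return alerts
```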
Real-Time Authentication Interception
These attacks, known as “Adversary-in-the-Middle” (AiTM) attacks, rely on capturing exchanges between the user and the legitimate service to bypass MFA authentication at the time of login.
AiTM attacks pose a major threat to MFA. Inspired by Man-in-the-Middle (MitM) attacks, this technique intercepts communications between the user and the authentication service by placing a transparent proxy between them.
Unlike traditional MitM attacks, AiTM attacks not only intercept exchanges but also modify messages in real time, making the MFA circumvention completely transparent to the victim.
Tools like Evilginx, a transparent reverse proxy, allow attackers to capture user credentials and MFA codes in real time and reuse them immediately to take control of the account.
The Tycoon 2FA kit, a phishing-as-a-service (PhaaS) platform, specifically targets Microsoft 365 to capture and reuse MFA authentication in real time.
Phase 1 – Victim Trapping
• The user receives a phishing email containing a link to a fake site impersonating Microsoft 365 or another cloud platform.
• This fraudulent site is hosted on a malicious proxy server configured with tools like Evilginx or Modlishka.
• The user believes they are accessing their account securely and enters their credentials and MFA code.
Phase 2 – Session Interception and Hijacking
• The fake site acts as an intermediary between the user and the legitimate service.
• The attacker captures the credentials and the MFA token in real time.
• The hacker immediately reuses this information to log into Microsoft 365 or another service without triggering a new MFA request.
Phase 3 – Account Takeover
• The attacker obtains a valid authentication token, allowing them to maintain an active session even if the victim changes their password.
• They can then:
- Exfiltrate sensitive data,
- Set up email forwarding rules,
- Deploy malware on the compromised account.
Why is the AiTM attack effective?
• It completely bypasses MFA, as the attacker intercepts and uses a valid authentication token.
• It is stealthy, since the login appears legitimate in the logs (only minor details like IP address or browser change).
• It does not require password cracking: the attack is based on real-time session manipulation.
• It exploits user trust, as the victim believes they are interacting with an authentic site.
Psychological Fatigue and Social Engineering
“MFA Fatigue” attacks exploit user exhaustion or confusion to trick them into unknowingly approving an MFA request, granting attackers fraudulent account access.
In these scenarios, also known as MFA bombing or MFA spamming, attackers flood users with repeated MFA authentication requests until they eventually approve one by mistake, facilitating unauthorized access.
In 2022, attackers stole the credentials of a Cisco employee through voice phishing (vishing). They then overwhelmed him with MFA requests and fake IT support calls until he validated access, compromising the internal network.
That same year, a hacker stole the credentials of an Uber contractor, likely via malware, and bombarded the employee with MFA notifications. Due to fatigue or confusion, the employee eventually approved a request, granting the attacker access to Uber’s internal systems.
Phase 1 – Theft of User Credentials
• The attacker retrieves login credentials through a data breach, phishing, or voice phishing (vishing).
• In some cases, malware such as Redline or LummaC2 is used to exfiltrate credentials stored on the victim’s computer.
Phase 2 – MFA Bombing (MFA Spamming)
• The attacker attempts multiple logins to the victim’s account, generating a flood of MFA notifications on their phone or authentication app.
• Sometimes, the attack is accompanied by fake IT support calls, with the attacker impersonating a helpdesk agent.
Phase 3 – Unintentional Approval
• Overwhelmed by constant MFA prompts or believing it to be a technical error, the victim eventually approves the authentication request.
• The attacker gains full access to the account, often without triggering additional security alerts.
Why is the MFA Fatigue attack effective?
• It exploits human psychology rather than a technical vulnerability.
• Users overloaded with MFA alerts often approve requests without thinking.
• Attackers combine vishing with MFA bombing to maximize success.
• It works even against advanced MFA protections if the victim approves the request.
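The MFA bombing pattern above (a burst of push prompts followed by an approval) is detectable in authentication logs. The following is an added example, not code from the original article: the log lines are constructed, and the "timestamp user result" line format and the result names are assumptions rather than any vendor's format.

```python
"""Detect an MFA push-bombing burst that ends in an approval."""
from datetime import datetime, timedelta

# Constructed MFA push log (format is an assumption): dana receives five
# prompts within a few minutes and finally approves one; erin gets a single
# prompt and approves it, which is a normal login.
MFA_LOG = """\
2024-05-02T21:14:02Z dana@example.com push_sent
2024-05-02T21:14:03Z dana@example.com push_denied
2024-05-02T21:14:40Z dana@example.com push_sent
2024-05-02T21:15:10Z dana@example.com push_timeout
2024-05-02T21:15:12Z dana@example.com push_sent
2024-05-02T21:16:01Z dana@example.com push_sent
2024-05-02T21:16:44Z dana@example.com push_sent
2024-05-02T21:17:30Z dana@example.com push_approved
2024-05-02T09:00:00Z erin@example.com push_sent
2024-05-02T09:00:09Z erin@example.com push_approved
"""


def parse(log_text):
    """Yield (timestamp, user, result) tuples from the constructed log."""
    for line in log_text.splitlines():
        ts, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_push_bombing(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return alerts for users who approve after a burst of prompts.

    An alert fires when a push_approved event is preceded, within `window`,
    by at least `threshold` push_sent events for the same user: the profile
    of a victim worn down by repeated prompts rather than a normal login.
    """
    sent = {}  # user -> timestamps of push_sent events seen so far
    alerts = []
    for ts, user, result in sorted(parse(log_text)):
        if result == "push_sent":
            sent.setdefault(user, []).append(ts)
        elif result == "push_approved":
            recent = [t for t in sent.get(user, []) if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "prompts_in_window": len(recent)})
    return alerts
```

Tuning the threshold and window to the organization's normal prompt rate keeps the rule from firing on users who simply retry a login.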
Exploitation of Compromised Accounts
This category includes attacks where cybercriminals gain direct access to a legitimate user account, often through credential theft or psychological manipulation, and then exploit this access to bypass other security measures, including MFA.
Business Email Compromise (BEC) attacks specifically target corporate email accounts to impersonate users, execute financial fraud, distribute malware, or compromise additional accounts.
In 2020, hackers manipulated Twitter employees using BEC attacks combined with social engineering, convincing them to grant access to internal tools managing VIP accounts.
Phase 1 – Account Compromise via BEC (Business Email Compromise)
• The attacker targets a corporate email account, often through phishing or by exploiting a database of stolen credentials.
• Once inside the email account, they can retrieve password reset links for other services protected by MFA.
Phase 2 – Account Exploitation for Privilege Escalation
• The attacker impersonates the victim, sending fraudulent emails to colleagues or partners (e.g., fake wire transfer requests).
• They set up email forwarding rules to monitor communications and evade detection.
• They may also deploy malware to compromise other corporate systems.
Phase 3 – Bypassing MFA Protections
• Using access to the email account, the attacker can reset MFA protections on other accounts, requesting a verification code sent by email.
• They register a new device as “trusted”, eliminating the need for future MFA verification.
Why is Exploiting Compromised Accounts Effective?
• It bypasses MFA by leveraging access that is already legitimate.
• The attacker can hide their presence by redirecting security emails.
• Once established, they can compromise additional services without triggering MFA alerts.
Is MFA Still Useful?
While MFA is not a silver bullet, it remains an important part of your cybersecurity strategy. It adds an extra layer of security that makes it harder for attackers to succeed, but it is not foolproof. MFA should be one component of a broader security framework.
For MFA to remain effective, it must be combined with additional security measures, such as behavioral anomaly detection, session monitoring, and token theft prevention mechanisms.
Measures to Mitigate the Threat
To enhance security and limit MFA bypass techniques, here are some expert-recommended strategies:
- Adopt FIDO2 Passkeys
  - FIDO2 authentication keys (such as Windows Hello or YubiKey hardware tokens) do not rely on session cookies and are tied to physical devices, making them much harder to intercept.
- Reduce Session Duration
  - Limit session duration to a maximum of one hour.
  - Automatically revoke session cookies upon password resets.
- Advanced Anomaly Detection
  - Use solutions like Microsoft Defender for Cloud Apps, Cisco Umbrella, or Palo Alto Prisma Access to detect suspicious logins (unusual IP addresses, prolonged sessions).
  - Implement tools like Cloudflare Zero Trust, Okta Adaptive MFA, or Zscaler Internet Access to analyze browser fingerprints and detect authentication attempts from Tor networks.
- Restrict Access to Authorized Devices
  - Using Mobile Device Management (MDM) solutions like Microsoft Intune allows organizations to:
    - Block logins from non-compliant devices.
    - Enforce automatic security updates.
- User Awareness & Training
  - Train employees never to approve an MFA request they did not initiate.
  - Encourage users to log out of sessions manually instead of just closing the browser window.
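The two session recommendations above (a one-hour maximum session age and revocation of sessions on password reset) amount to a small validation rule on every request. The following is an added example, not code from the original article or from any identity provider; the user and session records are in-memory dicts constructed for the example, and the token names and timestamps are assumptions.

```python
"""Validate a session token against a one-hour lifetime and password resets."""
from datetime import datetime, timedelta, timezone

MAX_SESSION_AGE = timedelta(hours=1)


def utc(stamp):
    """Parse a constructed 'YYYY-MM-DDTHH:MMZ' string into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed records; a real deployment reads these from the identity
# provider's session store and user directory.
USERS = {"alice@example.com": {"password_changed_at": utc("2024-05-03T10:00Z")}}
SESSIONS = {
    "tok-fresh": {"user": "alice@example.com", "issued_at": utc("2024-05-03T10:30Z")},
    "tok-old": {"user": "alice@example.com", "issued_at": utc("2024-05-03T10:05Z")},
    "tok-pre-reset": {"user": "alice@example.com", "issued_at": utc("2024-05-03T09:50Z")},
}


def check_session(token, now):
    """Return (accepted, reason); reason is valid, unknown, expired or password_reset."""
    s = SESSIONS.get(token)
    if s is None:
        return False, "unknown"
    # Hard cap on session age: a stolen cookie stops working within an hour
    # even if the victim never logs out.
    if now - s["issued_at"] > MAX_SESSION_AGE:
        return False, "expired"
    # Anything issued before the user's last password reset is treated as revoked.
    if s["issued_at"] < USERS[s["user"]]["password_changed_at"]:
        return False, "password_reset"
    return True, "valid"


def record_password_reset(user, now):
    """Stamp the reset time so every session issued earlier fails check_session."""
    USERS[user]["password_changed_at"] = now
```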
While MFA is a crucial tool, it should not be seen as an ultimate defense. Recent attack techniques demonstrate that MFA must be complemented with a layered security strategy, including session time limits, strong authentication via FIDO2, and proactive monitoring of suspicious logins.
Continuous vigilance and adaptation to emerging threats remain essential for an effective cybersecurity posture.