Home / Insights / MFA Bypass & Compromised Credentials
Guide Cybersecurity

Beyond the Password: How Attackers Bypass MFA and How to Stop Them

Adversary-in-the-middle proxies complete your authentication in real time, then walk away with the session token. Stolen credentials drive the majority of initial access in enterprise breaches. This guide covers how each bypass technique works and which controls close the gaps.

C
Cyvra Research
Cybersecurity Intelligence
4 June 2026
12 min read
Key Takeaways
  • Stolen credentials drive initial access in over 80% of enterprise breaches (Verizon DBIR). Adversary-in-the-middle attacks have widened that gap, not narrowed it.
  • AiTM proxy attacks relay your credentials and MFA challenge to the real login service, capture the session token, and return a normal successful login. TOTP and push notifications provide no protection.
  • FIDO2 passkeys and hardware security keys stop AiTM attacks because the cryptographic challenge is bound to the exact origin URL. A phishing domain gets a different challenge and can sign nothing.
  • Pass-the-cookie attacks replay stolen session tokens with no credentials required. Token lifetime policies, Conditional Access device compliance, and CAE are the primary controls.
  • MFA fatigue attacks send push notifications in rapid succession until a user approves one to make them stop. Number matching prevents this: the user must type a number shown on the login screen, so automatic tapping does nothing.
  • Credential defence requires phishing-resistant MFA on privileged accounts, Conditional Access with device compliance, short token lifetimes, and alerts on impossible travel and first-seen device sign-ins.

Credentials are the primary breach vector

Enterprise breach reporting through the 2010s centred on malware: ransomware groups, nation-state implants, zero-day exploits. Attackers have since shifted to credential theft. It is cheaper, faster, and harder to detect. A legitimate account signing in through an authorised identity provider looks like a normal login to most monitoring systems.

The Verizon DBIR puts stolen credentials in over 80% of hacking-related breaches. The supply is enormous: HaveIBeenPwned indexes over 13 billion breached accounts from hundreds of historical breaches. Stuffing tools test these at scale with request throttling and IP rotation to avoid rate-limiting.

MFA stops credential stuffing and most automated attacks. Attackers adapted. A subset now targets the authentication session rather than the credentials, and TOTP or push notifications offer no protection against those attacks.

80%+
of hacking-related breaches involve stolen credentials (Verizon DBIR)
13B+
breached credentials indexed by HaveIBeenPwned from historical data breaches
3x
increase in AiTM phishing attacks targeting Microsoft 365 tenants between 2022 and 2024

Six bypass methods

Credential attacks differ by what they target and how they succeed. A control that stops credential stuffing may do nothing against session token theft.

🕸
1. Adversary-in-the-Middle (AiTM) proxy
High Risk
The attacker deploys a reverse proxy (EvilGinx2, Modlishka) at a phishing domain. The user enters credentials and completes the MFA challenge as normal. The proxy forwards everything to the real login service in real time, captures the session cookie the real site returns, and relays the successful login page back. The user sees nothing wrong. The attacker holds a valid session token with no further use for the credentials or MFA at all. Stopped by: FIDO2 phishing-resistant MFA (origin-bound cryptographic challenge fails on the phishing domain). Partially mitigated by: Conditional Access device compliance, CAE, short session lifetime.
🍪
2. Pass-the-cookie / session token replay
High Risk
Infostealers such as Redline and Vidar extract session tokens from browser memory, local storage, or browser profiles on a compromised device. The attacker imports the token into their own browser and replays the authenticated session. No credentials. No MFA. This works against any MFA factor for as long as the token remains valid. Stopped by: short session lifetimes, Conditional Access with device compliance (binds session to managed device), Continuous Access Evaluation (CAE) which revokes tokens in near real time when risk signals appear, and impossible travel alerts in access logs.
🔔
3. MFA fatigue (push bombing)
Medium Risk
The attacker has valid credentials and fires repeated push notifications to the target's phone. Uber's 2022 breach began this way: a contractor received notification after notification and approved one to make them stop. The attacker was inside within minutes. Mitigated by: enabling number matching in authenticator push notifications (user must type the number shown on the login screen, making automatic tapping useless), adding context to push notifications, and limiting push attempts per session.
📱
4. SIM swapping
Medium Risk
The attacker calls the target's mobile carrier, impersonates them using social engineering or stolen personal data, and redirects the phone number to a SIM they control. Every SMS code goes to the attacker. This matters most where SMS is the only MFA option. Enterprise environments that already use authenticator apps face limited exposure. Mitigated by: replacing SMS with authenticator apps or FIDO2. If SMS cannot be removed, carrier PIN codes or account lockdown features reduce the risk.
🤖
5. Credential stuffing at scale
Medium Risk
Automated tools test breached credential pairs against target services at scale. Most fail against accounts with unique passwords and MFA. The ones that succeed exploit reuse: a forum breach from 2019 still opens a company Microsoft 365 tenant if the user never changed the password. Accounts without MFA are the primary target. Stopped by: MFA on all accounts, password breach monitoring (Entra ID Identity Protection includes HIBP integration), and Conditional Access blocking legacy authentication protocols that skip MFA challenges.
🔑
6. OAuth consent phishing
Medium Risk
The attacker registers a malicious OAuth application and sends the target a link. The user logs in through their real Microsoft 365 or Google account, completes MFA, and approves what looks like a routine permissions dialog. The attacker's application now has persistent delegated access to email, files, or contacts. Changing the password removes nothing. The consent grant persists until an administrator revokes it. Mitigated by: Entra ID app consent policies that block unverified applications, restricting user consent to pre-approved applications, and monitoring the tenant audit log for new OAuth grants.

What each MFA type actually stops

MFA factor choice determines the attack surface. SMS OTP and push notifications stop credential stuffing. Neither stops a real-time AiTM attack. Knowing where each factor's protection ends tells you which to upgrade first.

MFA Type
Credential Stuffing
AiTM Proxy
Session Replay
SMS OTP
Stops
Bypassed
Bypassed
TOTP (Authenticator app)
Stops
Bypassed
Bypassed
Push + number match
Stops
Bypassed
Bypassed
FIDO2 / Passkey
Stops
Stops
Partial*

* FIDO2 stops AiTM at authentication but does not protect session tokens after a legitimate login. Device compliance and CAE are required for post-authentication session security.

What makes FIDO2 different

TOTP codes, push approvals, and SMS messages all share one property: they can be forwarded. The user completes the challenge and the proxy relays it. The session opens. The proxy takes the cookie.

FIDO2 works differently. The private key lives on the device and never leaves it. The browser signs a challenge that includes the requesting origin URL. A phishing domain at login-microsoft-365.com gets a challenge stamped with that domain. The browser compares it to the registered origin, login.microsoft.com, and refuses to sign. The proxy gets nothing to forward.

NIST SP 800-63B classifies FIDO2 as phishing-resistant for exactly this reason. Both CISA and NCSC recommend it for high-value accounts.

A note on push MFA

A user who receives repeated push requests may approve one just to stop the noise. Microsoft's data shows number matching cuts approval rates during push bombing by over 99%. If you use push MFA, enabling it is a free configuration change that removes almost all successful MFA fatigue attacks.

Defending against session-layer attacks

Session token theft happens after authentication. The controls that matter here act on token lifetime and device binding, not on the login itself.

Token lifetime policies

Long-lived access tokens give an attacker time to use a stolen session. Entra ID token lifetime policies shrink that window for sensitive applications, but shorter sessions mean more frequent re-authentication. Continuous Access Evaluation (CAE) solves both for supported apps: it revokes tokens in near real time when Entra ID detects a risk event, such as an impossible travel sign-in or a reported compromise.

Device binding through Conditional Access

Conditional Access with device compliance checks that the session's originating device is enrolled and managed. An attacker replaying a stolen token from an unmanaged machine fails the compliance check and gets blocked. Stolen tokens stop working against applications that enforce this policy.

Monitoring for token anomalies

Impossible travel alerts catch sign-ins from locations that are physically incompatible. A user who authenticated in Amsterdam at 09:00 cannot also sign in from Moscow at 09:15. Entra ID Identity Protection and Microsoft Sentinel both surface these detections. Wire them to automated responses: session revocation, forced re-authentication, or an alert to the security team.

Start with privileged accounts

Phishing-resistant MFA delivers its highest value on the accounts that carry the most access. Administrative accounts, elevated service accounts, finance staff, and board members make up a small fraction of your users but account for most of the damage a successful credential attack can do.

Rolling out FIDO2 across a large organisation takes time: device distribution, user training, policy rollout. The 20 accounts that matter most can be covered in days. Start with Conditional Access policies requiring phishing-resistant authentication for privileged role access, and PIM to prevent administrative roles from sitting permanently active.

TOTP-protected admin accounts are the prize target in AiTM campaigns. The credential, the MFA code, and the session token all flow through the same proxy. FIDO2 breaks that chain: the key never leaves the device, the signature never matches a phishing domain.

Seven controls to implement now

  • Enable number matching on all push MFA: a free Authenticator setting that stops push bombing.
  • Block legacy authentication protocols: SMTP AUTH, POP3, IMAP, and older Office clients bypass MFA and are the most common credential stuffing path.
  • Enforce phishing-resistant MFA for privileged accounts: Conditional Access authentication strength policies can require FIDO2 for administrative roles today.
  • Enable Entra ID Identity Protection: real-time risk scoring for sign-ins, leaked credential detection via HIBP, and automated response policies.
  • Configure Continuous Access Evaluation: it revokes Microsoft 365 tokens in near real time when Entra ID detects a risk event.
  • Restrict OAuth application consent: set tenant-wide consent policies in Entra ID to block users from approving unverified third-party apps.
  • Monitor impossible travel and new device sign-ins: configure alerting rules so anomalous session patterns trigger immediate notification or automated revocation.

Common questions

What is an adversary-in-the-middle attack?

An AiTM attack runs a reverse proxy between the user and the real login page. The user visits a phishing URL, enters credentials, and completes the MFA challenge. The proxy forwards all of it to the real site in real time, collects the session cookie, and holds a valid token with no further need for the user's password or MFA code. Tools like EvilGinx2 and Modlishka automate this. TOTP and push MFA both fail here because the authentication completes legitimately through the proxy.

Does FIDO2 stop adversary-in-the-middle attacks?

FIDO2 passkeys and hardware security keys are bound to the origin URL at registration. A passkey registered on login.microsoft.com will not sign a challenge from a lookalike domain: the browser checks the origin and refuses. NIST classifies FIDO2 as phishing-resistant for this reason; TOTP gets no such classification. One limit: FIDO2 does not protect session tokens after a legitimate login. Device compliance and Continuous Access Evaluation handle that separately.

How do I enforce phishing-resistant MFA in Microsoft 365?

In Microsoft Entra ID, go to Security, Authentication Methods, Authentication Strengths. Create a custom strength policy requiring passkey (FIDO2) or Windows Hello for Business. Create a Conditional Access policy applying that strength to your most sensitive applications or to all users. For privileged accounts, make this unconditional. Users without a hardware security key can use Microsoft Authenticator with passkey support as the FIDO2 authenticator.

What is the difference between credential stuffing and a targeted AiTM attack?

Credential stuffing is automated and untargeted. Attackers run breached username-password lists against common services at scale, exploiting password reuse. Unique passwords and MFA stop most of it. An AiTM attack is targeted and active: the attacker phishes a specific user, runs a proxy to intercept the authentication session in real time, and walks away with a valid session token. MFA offers no protection here; countering it requires phishing-resistant authentication or session anomaly detection.

Identity Security Assessment

Find out if your MFA can be bypassed

We test your Conditional Access policies, authentication strength configuration, and session controls against current AiTM and credential attack techniques and give you a prioritised fix list.

Request an Assessment Explore Cybersecurity Services