Understanding MFA Bypass Attacks


Multi-factor authentication (MFA) is one of the most effective defenses against account takeover. But as defenses improve, so do attacker tactics. MFA bypass attacks are a family of techniques cybercriminals use to get around the extra layer MFA adds and gain unauthorized access to sensitive data and systems.

Here is how these attacks work and how to protect yourself against them.

Common MFA Bypass Attack Techniques

1. Token theft

When a user logs into a service (e.g., a website), the service issues a session token after authentication. This token, stored in the user’s browser, acts as proof of an active session, eliminating the need to log in repeatedly.

How attackers exploit token theft:

  1. Phishing website: The attacker sets up a site that either imitates the legitimate login page or acts as a proxy that relays the victim's traffic to the real site while recording everything that passes through it (adversary-in-the-middle, or AiTM, phishing).
  2. Authentication interception: The victim enters their credentials and completes MFA (if enabled) on the phishing site, which forwards them to the legitimate service.
  3. Token capture: Because the real service sees a valid login, it issues a session token. The token travels back through the attacker's proxy, where it is copied.
  4. Session hijacking: The attacker loads the stolen token into their own browser and is treated as the already-authenticated user, with no need for the victim's password or another MFA prompt.

Attackers can also use malware on a compromised device (for example an infostealer) to copy the session token straight out of the browser, with the same result and no phishing page at all.
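To see why a FIDO2 or passkey login survives the proxy flow above while passwords and one-time codes do not, here is a simplified model of WebAuthn origin binding. This is an added example, not code from the original post or from any vendor; the domains are made up, and an HMAC stands in for the authenticator's private-key signature, which a real authenticator never exports.

```python
# Added example (not from the original post): a simplified model of why a
# FIDO2/WebAuthn assertion cannot be relayed through an AiTM phishing proxy.
# Domains are made up; the HMAC is a stand-in for the authenticator's signature.
import hashlib
import hmac
import json
import os

RP_ID = "login.example.com"                           # the real service's relying-party ID
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example-com.evil.test"  # constructed AiTM proxy domain

# The credential was registered for RP_ID; this secret stands in for its private key.
_AUTH_SECRET = os.urandom(32)


def browser_allows_rp_id(rp_id: str, origin: str) -> bool:
    """Browsers only let a page request credentials whose rp_id is the page's
    own host or a parent domain of it. A proxy on another domain fails here."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_sign(rp_id: str, origin: str, challenge: bytes) -> dict:
    """Produce an assertion. The *browser* writes the origin it is actually
    displaying into clientData; the page cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash field
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(_AUTH_SECRET, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks: fresh challenge, correct origin, correct rpIdHash,
    valid signature. Any one failing rejects the login."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():   # stops replay of an old assertion
        return False
    if cd.get("origin") != REAL_ORIGIN:                    # origin binding: proxy origin is rejected
        return False
    if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(_AUTH_SECRET, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected)


def login_through(origin: str) -> str:
    """Simulate the victim signing in on a page served from `origin`. The
    challenge comes from the real RP (a proxy relays it unchanged)."""
    challenge = os.urandom(32)
    if not browser_allows_rp_id(RP_ID, origin):
        return "browser refused: rp_id does not match the page origin"
    assertion = authenticator_sign(RP_ID, origin, challenge)
    return "ok" if rp_verify(assertion, challenge) else "rp rejected assertion"


def forged_origin_is_rejected() -> bool:
    """Even if a malicious client skipped the browser check and obtained an
    assertion carrying the phishing origin, the RP's origin check fails it."""
    challenge = os.urandom(32)
    return not rp_verify(authenticator_sign(RP_ID, PHISH_ORIGIN, challenge), challenge)


def replayed_assertion_is_rejected() -> bool:
    """A captured assertion is useless later: the RP issues a new challenge."""
    old = os.urandom(32)
    captured = authenticator_sign(RP_ID, REAL_ORIGIN, old)
    return not rp_verify(captured, os.urandom(32))


if __name__ == "__main__":
    print("direct login:", login_through(REAL_ORIGIN))         # ok
    print("via phishing proxy:", login_through(PHISH_ORIGIN))   # browser refused
    print("forged origin rejected:", forged_origin_is_rejected())
    print("replay rejected:", replayed_assertion_is_rejected())
```

The contrast with a password or OTP is the point: those are just strings the victim types, so the proxy can forward them unchanged. A WebAuthn assertion carries the origin the browser actually showed and is tied to a one-time challenge, so the proxy gets nothing it can present to the real service.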

How to protect against this technique:

  • Keep devices patched and run up-to-date endpoint protection, since malware on the device can read session tokens directly.
  • Train users to recognize current phishing techniques, including login pages reached through links in email or chat.
  • Use phishing-resistant MFA methods (FIDO2 security keys, passkeys, certificate-based authentication). These are bound to the real site's origin and cannot be relayed through a proxy.
  • Implement anti-spam/phishing filtering on your email platform.
  • Monitor for anomalous sign-in activity, in particular a session that appears from a new location or browser shortly after it was created.
  • When an account is suspected compromised, revoke its active sessions and refresh tokens explicitly as well as resetting the password; a password reset does not necessarily invalidate a token that has already been issued.
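The monitoring item above is easier to act on with a concrete rule. The following detector, an added example that is not part of the original post, flags a session token being used from a context that differs from the one it was issued in, which is what a replayed stolen token looks like in sign-in telemetry. The events are constructed sample data, not real logs, and the field names are assumptions.

```python
# Added example (not from the original post): detect a session token used
# from a different IP / country / browser than the one it was issued to.
# SAMPLE_EVENTS is constructed data; field names are assumptions.
from collections import namedtuple

Alert = namedtuple("Alert", "session user severity reasons")

SAMPLE_EVENTS = [
    # alice: token issued in the US from Edge, used 7 minutes later from NL with Chrome
    {"ts": "2025-03-01T09:00:00Z", "user": "alice", "session": "s-alice-1", "ip": "203.0.113.10",
     "country": "US", "ua": "Edge/122 Windows", "event": "token_issued"},
    {"ts": "2025-03-01T09:05:00Z", "user": "alice", "session": "s-alice-1", "ip": "203.0.113.10",
     "country": "US", "ua": "Edge/122 Windows", "event": "request"},
    {"ts": "2025-03-01T09:07:00Z", "user": "alice", "session": "s-alice-1", "ip": "198.51.100.7",
     "country": "NL", "ua": "Chrome/121 Linux", "event": "request"},
    # bob: ordinary session, nothing changes
    {"ts": "2025-03-01T09:10:00Z", "user": "bob", "session": "s-bob-1", "ip": "203.0.113.44",
     "country": "US", "ua": "Edge/122 Windows", "event": "token_issued"},
    {"ts": "2025-03-01T09:30:00Z", "user": "bob", "session": "s-bob-1", "ip": "203.0.113.44",
     "country": "US", "ua": "Edge/122 Windows", "event": "request"},
    # carol: mobile user whose carrier IP changes while country and browser stay the same
    {"ts": "2025-03-01T10:00:00Z", "user": "carol", "session": "s-carol-1", "ip": "192.0.2.5",
     "country": "US", "ua": "Safari/17 iOS", "event": "token_issued"},
    {"ts": "2025-03-01T10:20:00Z", "user": "carol", "session": "s-carol-1", "ip": "192.0.2.77",
     "country": "US", "ua": "Safari/17 iOS", "event": "request"},
    # dave: a session the identity provider never recorded issuing
    {"ts": "2025-03-01T11:00:00Z", "user": "dave", "session": "s-unknown", "ip": "198.51.100.9",
     "country": "DE", "ua": "curl/8.4", "event": "request"},
]


def detect_token_reuse(events):
    """Compare every request against the context recorded when its session
    token was issued. Returns one Alert per anomalous request."""
    issued = {}   # session id -> the token_issued event
    alerts = []
    # Fixed-width ISO-8601 UTC timestamps sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "token_issued":
            issued[e["session"]] = e
            continue
        origin = issued.get(e["session"])
        if origin is None:
            alerts.append(Alert(e["session"], e["user"], "medium",
                                ["no recorded issuance for this session"]))
            continue
        changed = [f for f in ("ip", "country", "ua") if e[f] != origin[f]]
        if not changed:
            continue
        # Carrier NAT and mobile roaming change IPs constantly, so an IP change
        # alone is low severity; a new country or browser on the same token is
        # the classic replay signature and rates high.
        severity = "high" if {"country", "ua"} & set(changed) else "low"
        reasons = [f"{f} changed: {origin[f]} -> {e[f]}" for f in changed]
        alerts.append(Alert(e["session"], e["user"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_token_reuse(SAMPLE_EVENTS):
        print(a.severity.upper(), a.user, a.session, "; ".join(a.reasons))
```

Tune the severity rule to your environment: if your users are all on fixed office connections, an IP change is worth more than it is for a mobile-heavy workforce. A high alert should lead to revoking the session, not just a password reset.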

2. SIM Swapping

SMS-based MFA relies on text messages to deliver authentication codes. Attackers exploit this by convincing mobile carriers to transfer the victim’s phone number to a new SIM card. Once the number is hijacked, they receive all SMS messages, including MFA codes.

How to protect against this technique:

  • Ask your mobile carrier to add a port-out PIN or account passcode so that transferring your number requires extra validation.
  • Move away from SMS codes where you can: an authenticator app or a phishing-resistant method is unaffected by a hijacked phone number.

3. Credential Stuffing + Weak MFA

Attackers take databases of stolen credentials and try them across many platforms, relying on password reuse. If a platform offers weak fallback or recovery methods (for example security questions or an emailed code) alongside a strong primary method, an attacker who already holds the password can choose the weak path and sidestep the stronger factor entirely.

Protect against this technique by: 

  • Using a unique, complex password for every account (a password manager makes this practical), so one leaked database does not unlock others.
  • Avoiding real, discoverable information in security-question answers; treat the answers as extra passwords.
  • Disabling or restricting weak fallback and recovery methods where the platform allows it; an account is only as strong as its weakest sign-in path.

4. MFA Bombing

Some MFA systems allow users to approve login attempts via push notifications. Attackers exploit this by repeatedly sending requests to a victim’s device, overwhelming them until they approve the request out of frustration or by mistake.

To protect yourself, only approve MFA prompts for sign-ins you started, and deny and report any you did not expect. Administrators should enable number matching where the platform supports it, so that approving a prompt requires typing a number shown only on the real login screen, and should limit how many prompts can be sent to a user in a short period.
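Here is what those two server-side controls look like together, as an added example written as a small simulation rather than any vendor's API: a per-user cap on push prompts in a time window, and number matching so that a blind tap on "Approve" cannot succeed. The limits, the fake clock and the user names are assumptions chosen for the demonstration.

```python
# Added example (not from the original post): push-bombing defenses as a
# simulation. Rate limit per user plus number matching. Limits and names are
# assumptions; FakeClock exists so the window logic can be exercised offline.
import secrets
from collections import defaultdict, deque


class FakeClock:
    """Controllable time source so the rate limit can be tested deterministically."""
    def __init__(self, t=0.0):
        self.t = t

    def advance(self, seconds):
        self.t += seconds

    def __call__(self):
        return self.t


class PushMFA:
    MAX_PROMPTS = 3            # prompts allowed per user per window (assumed value)
    WINDOW_SECONDS = 300
    PROMPT_TTL_SECONDS = 60

    def __init__(self, now):
        self.now = now
        self._recent = defaultdict(deque)   # user -> timestamps of prompts sent
        self._pending = {}                  # prompt id -> {user, number, expires}
        self.flagged = set()                # users who hit the limit, for SOC alerting

    def request_push(self, user):
        """Return (prompt_id, number) or (None, 'rate_limited'). The number is
        shown on the login page; an attacker who does not control the victim's
        screen has no way to tell the victim what to type."""
        t = self.now()
        q = self._recent[user]
        while q and t - q[0] > self.WINDOW_SECONDS:
            q.popleft()
        if len(q) >= self.MAX_PROMPTS:
            self.flagged.add(user)
            return None, "rate_limited"
        q.append(t)
        pid = secrets.token_hex(8)
        number = secrets.randbelow(100)      # two-digit number matching
        self._pending[pid] = {"user": user, "number": number,
                              "expires": t + self.PROMPT_TTL_SECONDS}
        return pid, number

    def approve(self, pid, typed_number):
        req = self._pending.pop(pid, None)   # single use, whatever the outcome
        if req is None:
            return "unknown_prompt"
        if self.now() > req["expires"]:
            return "expired"
        if typed_number != req["number"]:
            return "number_mismatch"
        return "approved"

    def deny(self, pid):
        return "denied" if self._pending.pop(pid, None) else "unknown_prompt"


def simulate_bombing(attempts=10):
    """Attacker holding the password fires prompts; the victim, worn down,
    taps approve without knowing the number. The guess is made deliberately
    wrong here to keep the run deterministic (a real guess wins 1 in 100)."""
    clock = FakeClock(1_000.0)
    mfa = PushMFA(now=clock)
    sent = blocked = approved = 0
    for _ in range(attempts):
        pid, number = mfa.request_push("victim")
        if pid is None:
            blocked += 1
            continue
        sent += 1
        if mfa.approve(pid, (number + 1) % 100) == "approved":
            approved += 1
        clock.advance(10)
    return {"sent": sent, "blocked": blocked, "approved": approved,
            "flagged": "victim" in mfa.flagged}


def legitimate_flow():
    """Real user types the number from their own screen; prompts are single
    use and expire."""
    clock = FakeClock(1_000.0)
    mfa = PushMFA(now=clock)
    pid, number = mfa.request_push("alice")
    results = [mfa.approve(pid, number), mfa.approve(pid, number)]
    pid2, number2 = mfa.request_push("alice")
    clock.advance(PushMFA.PROMPT_TTL_SECONDS + 1)
    results.append(mfa.approve(pid2, number2))
    return results     # ['approved', 'unknown_prompt', 'expired']


if __name__ == "__main__":
    print(simulate_bombing())   # 3 sent, 7 blocked, 0 approved, victim flagged
    print(legitimate_flow())
```

The `flagged` set is the piece to wire into alerting: a user who hits the prompt limit almost certainly has a leaked password, so the response is a password reset and session revocation, not just waiting for the prompts to stop.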

5. Social Engineering

Attackers may directly trick users into sharing their MFA codes. This can happen via fake tech support calls, urgent-sounding messages or pretexting scenarios that convince victims to hand over sensitive information.

Never share MFA codes or approve a prompt because someone asked you to. Legitimate support staff will not ask for them.

6. Vulnerabilities on Authentication Platform

Attackers can bypass MFA by exploiting weaknesses in the authentication platform itself. If the platform is outdated or contains unpatched vulnerabilities, attackers may manipulate the system to gain unauthorized access without requiring MFA.

Always keep platforms up to date on patching.

Leveraging Microsoft Intune in Microsoft 365 for Enhanced Protection

With most organizations using Microsoft 365 services (email, OneDrive and so on), attackers have concentrated on compromising users' accounts there. As more organizations enforce MFA, token theft has become the bypass technique attackers most commonly use against those accounts.

Microsoft Intune is a device management platform. Combined with Conditional Access policies that require a compliant or managed device, it restricts access to Microsoft 365 services to known, trusted devices. This also blunts token theft by phishing: the sign-in must prove it comes from an enrolled, compliant device, and the attacker's proxy server is not one, so the service refuses to complete the login and no usable session token is issued. Note that this does not stop token theft by malware running on the enrolled device itself, which is why patching, endpoint protection and session monitoring still matter alongside device-based access control.

Chaim Black

Chaim Black is a Cyber Security Analyst, providing a full scope of IT and cybersecurity services to a wide range of businesses, municipalities and manufacturing plants.
