
SIM Swapping and MFA Bombing: How Attackers Beat Two-Factor Authentication


Most organizations have rolled out multi-factor authentication across their systems. It protects email accounts, VPNs, and cloud applications everywhere, and it does its job: MFA blocks the vast majority of automated attacks that rely on stolen passwords.

But attackers haven’t given up. Rather than trying to break the second factor itself, they have moved to targeting the people who use it and the sessions it produces.

Notification Fatigue as a Weapon

MFA bombing (also called MFA fatigue or push bombing) has become one of the most successful bypass techniques. It targets push-based MFA, where the second factor is a one-tap Approve button. Attackers first get hold of usernames and passwords through data breaches, phishing campaigns, or credential stuffing. Instead of trying to guess or steal the second factor, they replay the stolen password over and over.

Each attempt triggers a push notification on the victim’s phone. After dozens or hundreds of prompts, many users eventually approve one out of frustration or confusion, and some believe approving will make the notifications stop. One tap is all the attacker needs.

The LAPSUS$ group used this approach repeatedly during its 2022 attacks on major tech companies. In the Uber breach, which Uber attributed to the group, the attacker didn’t rely on fatigue alone: after flooding a contractor with prompts, the attacker contacted them claiming to be from Uber IT and talked them into approving the request. The social engineering is what made the technical bypass work.

Apple users have experienced a variant of this firsthand: in 2024, victims’ devices were flooded with system-level Apple ID password reset prompts, and attackers followed up with calls spoofing Apple support to “help” the victim through the process. The sheer volume of prompts made the devices nearly unusable, creating pressure to tap Allow just to regain functionality.

Phone Numbers Aren’t Secure Identifiers

SMS-based MFA seems convenient because everyone carries a phone. But phone numbers can be hijacked through SIM swapping, and the technique has become surprisingly common. The FBI’s Internet Crime Complaint Center tracked a dramatic increase: 320 complaints and about $12 million in losses from January 2018 through December 2020, then 1,611 complaints and more than $68 million in losses in 2021 alone.

SIM swapping works through social engineering rather than technical exploitation. Criminals research their targets using social media, data breaches, and public records to gather personal information. Then they call the victim’s mobile carrier, impersonate the account holder, and request that the phone number be moved to a new SIM card they control.

Mobile carriers use various verification methods to prevent unauthorized transfers, but these often rely on information that’s already been compromised in previous breaches. Answering questions about previous addresses, partial Social Security numbers, or account PINs becomes trivial when that data is available on the dark web.

Once attackers control the number, they receive every SMS code sent for password resets and two-factor authentication. They never need physical access to the victim’s device; as far as the mobile network is concerned, the attacker’s SIM now is the victim’s phone.

Phishing Gets Personalized

Modern phishing campaigns targeting MFA bypass have become highly advanced. Instead of mass-distributed generic emails, criminals now conduct detailed reconnaissance on specific targets and craft personalized messages that are much harder to identify as malicious.

Spear phishing attacks incorporate details from LinkedIn profiles, company websites, and social media to create convincing scenarios. When someone receives an email that references their specific job title, recent projects, or colleagues by name, it feels legitimate even when it isn’t.

A campaign targeting Microsoft ADFS reported by BleepingComputer shows how far this personalization has gone. Attackers built phishing pages that adapted to each organization’s specific MFA method. If your company uses authenticator app codes, the fake page prompts for a code. If you use push notifications, it tells you to approve the prompt that is about to arrive, which the attacker triggers by submitting your freshly captured password to the real portal.

This level of customization makes the fake login process nearly indistinguishable from the authentic one. Users enter their credentials and MFA code thinking they’re logging into their company’s official portal, but actually hand over their login details to criminals.


Session Hijacking Bypasses Authentication Entirely

Traditional phishing stole passwords and hoped MFA wasn’t enabled. Modern attacks go after the session cookie or token the site issues once authentication has already succeeded.

These adversary-in-the-middle (AitM) attacks put a malicious reverse proxy between the user and the real service. Victims think they are logging into their company portal, but they are connecting to the attacker’s server, which relays every request and response to the genuine site in real time. Because the victim is genuinely completing MFA against the real site, the code or push approval works; the attacker simply keeps a copy of everything that passes through.

What Attackers Capture in Session Hijacking

  • User passwords and MFA codes during the initial login
  • Session cookies that browsers use to maintain authenticated sessions
  • Authentication tokens that prove successful verification
  • Access to ongoing communications between user and legitimate service

Tools like Evilginx, an open-source reverse-proxy phishing framework, have made these attacks accessible to criminals without advanced technical skills. The result is that even a correctly deployed one-time-code or push MFA can be bypassed if the attacker can capture and replay the session cookie issued after a successful login. The exception is a factor bound to the site’s origin, such as a FIDO2 security key or passkey, which a proxy on a different domain cannot relay.
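Why an origin-bound credential survives this kind of proxy is easiest to see in code. The following is an added example written for this article, not code from the page’s author or from Evilginx: a stripped-down WebAuthn assertion check in Go (no attestation, signature counters or extensions) with constructed keys and placeholder domain names (login.example-corp.test and the lookalike login.examp1e-corp.test are assumptions). The relying party checks that the origin the browser recorded inside clientDataJSON is its own before it even looks at the signature; the proxied login fails that check although the signature over the relayed data is valid.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData a browser builds for a WebAuthn
// assertion. The browser fills in Origin from the page it is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the subset of an authenticator response needed here.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

func rpIDHash(rpID string) []byte { // first 32 bytes of authenticatorData
	h := sha256.Sum256([]byte(rpID))
	return h[:]
}

// signedMessage is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// SignAssertion plays the authenticator. The browser-supplied origin sits inside
// clientDataJSON, so it is covered by the signature and a proxy cannot rewrite it.
func SignAssertion(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	authData := append(rpIDHash(rpID), 0x01, 0, 0, 0, 0) // flags: user present; counter 0
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. rpID and expectedOrigin are the
// genuine site's values; challenge is the one issued for this login attempt.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, expectedOrigin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge: stale or replayed assertion")
	}
	// Origin binding: a login relayed through a lookalike domain fails here
	// even though the signature checked below would verify.
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: reverse-proxy phishing suspected", cd.Origin, expectedOrigin)
	}
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpIDHash(rpID)) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a genuine login and the same credential used through an attacker's
// reverse proxy. The domain names are placeholders for this example.
func Demo() (genuineErr, proxiedErr error) {
	const rpID, realOrigin = "login.example-corp.test", "https://login.example-corp.test"
	const proxyOrigin = "https://login.examp1e-corp.test" // attacker's lookalike domain
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err, err
	}
	challenge := base64.RawURLEncoding.EncodeToString(raw) // issued by the real site
	// Victim on the real site: the browser records the real origin.
	genuine, _ := SignAssertion(priv, rpID, realOrigin, challenge)
	genuineErr = VerifyAssertion(&priv.PublicKey, genuine, rpID, realOrigin, challenge)
	// Victim on the proxy: the attacker relays the real challenge, but the browser
	// records the proxy's origin. (A real browser would refuse even earlier, since
	// rpID must match the page's domain; the server-side check catches it anyway.)
	proxied, _ := SignAssertion(priv, rpID, proxyOrigin, challenge)
	proxiedErr = VerifyAssertion(&priv.PublicKey, proxied, rpID, realOrigin, challenge)
	return genuineErr, proxiedErr
}
```

The point is where the origin comes from: the browser writes it into clientDataJSON based on the page actually loaded, the authenticator signs over it, and neither the phishing page’s JavaScript nor the proxy can alter it without breaking the signature. A TOTP code or a push approval carries no such binding, which is exactly why they relay cleanly through an AitM proxy.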

Humans are Still the Weakest Link

These bypass techniques succeed because they exploit human psychology, or the fact that codes and cookies can be relayed, rather than weaknesses in the cryptography behind MFA. The technology works as designed, but people can be manipulated into defeating their own security controls.

Microsoft has stated that accounts with MFA enabled are more than 99.9% less likely to be compromised. The problem is that the small percentage of attacks that get through tend to be targeted ones that generate media attention and create the false impression that MFA doesn’t work.

MFA remains highly effective against volume attacks that rely on automation. Criminals who use automated tools to break into thousands of accounts with stolen password lists will be stopped by MFA almost every time. But determined attackers who research specific targets and craft personalized campaigns can often find ways around it.


Building More Resilient Defenses

Understanding these weaknesses doesn’t mean abandoning MFA. Instead, it means implementing it more thoughtfully and layering additional protections around it.

Dropping SMS as a factor removes the SIM swapping risk, provided SMS is also removed as an account recovery path; otherwise the attacker simply resets the password by text. Authenticator apps generate codes locally on the device, so there is nothing to intercept on the phone network, but a code typed into a proxied phishing page still reaches the attacker in real time. Hardware security keys and passkeys built on FIDO2/WebAuthn go further: the credential is cryptographically bound to the site’s origin, so a lookalike domain cannot obtain a usable response, which is why they are considered phishing-resistant.

Implementation Steps

  • Turn on number matching, so a push cannot be approved without reading a number off the real sign-in screen
  • Cap the number of pushes a single account can receive per time window, and fall back to a non-push factor once the cap is hit
  • Give users a “deny and report” option in the authenticator so bombing attempts reach the security team
  • Configure session timeouts and re-authentication for sensitive actions, so a stolen cookie has a short useful life
  • Monitor authentication logs for unusual patterns: bursts of denied or expired pushes followed by an approval, or sign-ins from unfamiliar locations
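Number matching and a push rate limit are simple to implement once you see the data flow. The following is an added example in Go written for this article, not vendor code; the PushService type, its error values, the placeholder account name and the fixed clock are all assumptions for illustration. The attacker triggers pushes with a stolen password; the victim’s blind tap cannot succeed because approval requires the number shown only on the sign-in page that issued the push, and the cap cuts the flood off after three prompts.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// PushChallenge is one pending push; Number is shown on the sign-in page that triggered it.
type PushChallenge struct {
	ID      string
	Number  int
	Created time.Time
}

var (
	ErrRateLimited    = errors.New("too many pushes in window: push factor locked, use a non-push factor")
	ErrNumberMismatch = errors.New("typed number does not match the sign-in screen")
	ErrNoChallenge    = errors.New("no such pending push")
)

// PushService issues number-matched pushes and caps how many one account can receive per window.
type PushService struct {
	mu      sync.Mutex
	now     func() time.Time
	window  time.Duration
	maxPush int
	seq     int
	pending map[string][]PushChallenge // user -> pushes issued within the window
}

func NewPushService(window time.Duration, maxPush int, now func() time.Time) *PushService {
	return &PushService{now: now, window: window, maxPush: maxPush, pending: map[string][]PushChallenge{}}
}

// RequestPush runs after a correct password. It returns the challenge whose Number
// the sign-in page displays, or ErrRateLimited once the per-window cap is reached.
func (s *PushService) RequestPush(user string) (PushChallenge, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	cutoff := s.now().Add(-s.window)
	recent := s.pending[user][:0] // keep only pushes still inside the window
	for _, c := range s.pending[user] {
		if c.Created.After(cutoff) {
			recent = append(recent, c)
		}
	}
	s.pending[user] = recent
	if len(recent) >= s.maxPush {
		return PushChallenge{}, ErrRateLimited
	}
	n, _ := rand.Int(rand.Reader, big.NewInt(90)) // two-digit number 10..99; crypto/rand fails only if the OS RNG does
	s.seq++
	c := PushChallenge{ID: fmt.Sprintf("push-%d", s.seq), Number: int(n.Int64()) + 10, Created: s.now()}
	s.pending[user] = append(recent, c)
	return c, nil
}

// Approve is the authenticator's response. There is no bare "approve": the user must
// type the number from the sign-in page, which a victim who did not start the login never saw.
func (s *PushService) Approve(user, challengeID string, typed int) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i, c := range s.pending[user] {
		if c.ID != challengeID {
			continue
		}
		if c.Number != typed {
			return ErrNumberMismatch
		}
		s.pending[user] = append(s.pending[user][:i], s.pending[user][i+1:]...) // consumed, no replay
		return nil
	}
	return ErrNoChallenge
}

// Scenario is a push-bombing attempt under a fixed clock, so every request falls in one
// window. It reports how many prompts reached the phone, what the attacker's next attempt
// returns, what a blind approval with a guessed number returns, and that the real number works.
func Scenario() (delivered int, limitErr, blindErr, legitErr error) {
	fixed := time.Date(2025, 3, 4, 9, 0, 0, 0, time.UTC) // constructed timestamp
	svc := NewPushService(10*time.Minute, 3, func() time.Time { return fixed })
	const victim = "victim@example-corp.test" // placeholder account
	var last PushChallenge
	for i := 0; i < 50; i++ { // attacker replays the stolen password
		c, err := svc.RequestPush(victim)
		if err != nil {
			limitErr = err
			break
		}
		delivered++
		last = c
	}
	guess := 10 + (last.Number-10+1)%90 // always a wrong two-digit guess; the real one is on the attacker's screen
	blindErr = svc.Approve(victim, last.ID, guess)
	legitErr = svc.Approve(victim, last.ID, last.Number) // only the person looking at the sign-in page knows it
	return
}
```

Number matching stops the silent-approval variant but not the Uber variant, where a caller posing as IT reads the number out to the victim over the phone, so training still has to cover “nobody from IT will ever ask you to approve a prompt”. The rate limit also removes the attacker’s leverage in that call, because the phone stops buzzing after the third prompt.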

User education remains critical, but it needs to focus on specific attack patterns rather than generic security awareness. Employees should understand what MFA bombing looks like, know never to approve a prompt for a sign-in they did not just start themselves, and have a clear, fast way to report suspicious prompts or calls from “IT”.

Monitoring and alerting systems can identify suspicious authentication patterns and enable quick response when attacks are detected. The faster organizations can identify and respond to bypass attempts, the better chance they have of preventing successful compromises.
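Monitoring for the pattern is tractable because it leaves a distinctive trace: a burst of pushes the user denied or ignored, then one approval. The following is an added example in Go, not code from the page or from any IdP vendor; the log format, field names, user names and all sample events are constructed for illustration, with RFC 5737 documentation addresses in place of real IPs. It flags an approval preceded, within a ten-minute window, by three or more rejected or expired pushes.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one line of the constructed IdP log below. Real products use
// other field names; normalise them into this shape first.
type AuthEvent struct {
	TS    time.Time `json:"ts"`
	User  string    `json:"user"`
	Event string    `json:"event"` // push.sent, push.denied, push.timeout, push.approved
	SrcIP string    `json:"src_ip"`
}

// Alert is one suspected MFA-bombing sequence: pushes the user did not approve, then one they did.
type Alert struct {
	User       string
	Pushes     int // pushes sent inside the window before the approval
	Rejected   int // denied plus timed-out pushes in that window
	ApprovedAt time.Time
	SrcIP      string // source of the sign-in attempt that was finally approved
}

// ConstructedLog is sample data written for this example, not real telemetry.
// alice approves her own push; bob is bombed until he gives in; carol lets one
// push time out and then approves, which must not fire.
const ConstructedLog = `
{"ts":"2025-03-04T08:30:00Z","user":"alice","event":"push.sent","src_ip":"198.51.100.20"}
{"ts":"2025-03-04T08:30:08Z","user":"alice","event":"push.approved","src_ip":"198.51.100.20"}
{"ts":"2025-03-04T09:01:00Z","user":"bob","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:01:30Z","user":"bob","event":"push.denied","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:02:00Z","user":"bob","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:02:20Z","user":"bob","event":"push.denied","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:03:00Z","user":"bob","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:03:40Z","user":"bob","event":"push.timeout","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:05:00Z","user":"bob","event":"push.sent","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:05:30Z","user":"bob","event":"push.approved","src_ip":"203.0.113.7"}
{"ts":"2025-03-04T09:20:00Z","user":"carol","event":"push.sent","src_ip":"198.51.100.44"}
{"ts":"2025-03-04T09:20:40Z","user":"carol","event":"push.timeout","src_ip":"198.51.100.44"}
{"ts":"2025-03-04T09:21:00Z","user":"carol","event":"push.sent","src_ip":"198.51.100.44"}
{"ts":"2025-03-04T09:21:10Z","user":"carol","event":"push.approved","src_ip":"198.51.100.44"}`

// ParseLog reads newline-delimited JSON, skipping blank lines.
func ParseLog(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(raw, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev AuthEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// DetectFatigue flags every push approval preceded, within window, by at least
// minRejected pushes the same user denied or let expire.
func DetectFatigue(events []AuthEvent, window time.Duration, minRejected int) []Alert {
	byUser := map[string][]AuthEvent{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	var alerts []Alert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].TS.Before(evs[j].TS) })
		for i, ev := range evs {
			if ev.Event != "push.approved" {
				continue
			}
			a := Alert{User: user, ApprovedAt: ev.TS, SrcIP: ev.SrcIP}
			for j := i - 1; j >= 0 && evs[j].TS.After(ev.TS.Add(-window)); j-- { // walk back through the window
				switch evs[j].Event {
				case "push.sent":
					a.Pushes++
				case "push.denied", "push.timeout":
					a.Rejected++
				}
			}
			if a.Rejected >= minRejected {
				alerts = append(alerts, a)
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].ApprovedAt.Before(alerts[j].ApprovedAt) })
	return alerts
}

// Run applies a 10-minute window and a threshold of three rejected pushes to the sample log.
func Run() ([]Alert, error) {
	events, err := ParseLog(ConstructedLog)
	if err != nil {
		return nil, err
	}
	return DetectFatigue(events, 10*time.Minute, 3), nil
}
```

In the sample, bob is flagged (four pushes, three rejected, then approved) while alice’s normal login and carol’s single expired push are not. In production, map your IdP’s event names into the AuthEvent shape, alert on the push.sent rate itself as well (the Uber case ended with a voluntary approval, so the flood is the earlier signal), and compare the approving sign-in’s source address against the user’s history.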

MFA as Part of a Broader Strategy

These vulnerabilities highlight why security works best as a layered approach rather than relying on any single control. MFA significantly improves security, but it needs to be part of a complete security program that includes strong endpoint protection, network monitoring, and incident response capabilities.

Organizations that experience breaches despite having MFA often have gaps in these other areas that attackers exploit once they gain initial access. The organizations most at risk are usually those without MFA at all, or those with poorly implemented versions that don’t account for modern attack techniques.

Security requires continuous adaptation as attack methods change. Understanding how attackers bypass MFA today helps organizations build more resilient defenses, but the human element will always require attention and training to remain effective.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
