What Is an MFA Bypass? And How to Prevent It

A multi-factor authentication (MFA) bypass occurs when an attacker exploits weaknesses in MFA security controls to gain unauthorized access to an account. In other words, the attacker circumvents (or bypasses) verification steps designed to protect user identities.

MFA enhances security by requiring two or more verification factors before granting access. The first factor involves the user entering their correct login credentials, such as a username and secret password. The second factor requires the user to provide additional verification, which might be a code, a push notification sent to the user's mobile device, or another secure authentication method. Both factors work together to ensure that only authorized users can gain access.

However, there are ways for attackers to bypass MFA. They may use an account takeover method that wouldn't trigger an MFA request. Attackers can also use social engineering tactics to convince the user to authenticate their login attempt.

Although MFA has long been a cornerstone of cybersecurity, MFA bypass techniques have become increasingly frequent and sophisticated. In fact, poorly configured or non-mandatory MFA settings played a significant role in major 2024 attacks, including ransomware incidents at Change Healthcare and credential theft in breaches affecting Snowflake customers.

There are various methods to bypass the MFA. Here is a round-up of some of the attack strategies aimed at the MFA.

• MFA prompt bombing: Many users have their MFA set up to alert their phones. A threat actor can deliver multiple requests to share the MFA. This creates alert fatigue until the user accepts the authentication to stop the requests.

• Using social engineering: Some threat actors may pose as a trusted source—like a customer service representative or an IT employee—to convince a user to share their authentication token. Threat actors may also pose as the user and call the IT help desk to reset credentials.

• SIM swapping: This is a unique form of social engineering where attackers directly contact a target’s mobile carrier, convincing the carrier to port the victim’s phone number from the original SIM card to the SIM card on a device owned by the threat actor. SMS one-time passcodes (OTPs) now flow to the malicious device, allowing attackers access.

• Implementing brute force: Threat actors will take guesses at what the MFA code is during a brute force attack. It's a trial-and-error approach, and they may get locked out if they try guessing too many times.

• Finding accounts not enrolled in MFA: Cybercriminals may try to find accounts that haven't enabled MFA. This way they only need the username and password to access an account. While an organization can require MFA, accounts of new employees or contractors may not have enrolled yet, making them vulnerable entry points.

• Exploiting legacy authentication to bypass MFA: While modern cloud email platforms support MFA, attackers can circumvent this obstacle through older mail protocols and applications such as IMAP or POP, which do not support MFA but still allow access to the cloud email platform.

• Targeting external systems without MFA: Older or unused systems and apps may not have MFA enabled. Threat actors may target these external systems to try and find an access point to an organization's network. For example, the Colonial Pipeline attack was caused by a single password used on a legacy VPN without MFA enabled.

• Manipulating trusted IP addresses: A trusted network, like on-prem wifi at a corporate office, may not ask for an MFA. Threat actors can spoof IP addresses or use a guest network connection to mimic legitimate users.

• Compromising an authenticated session: If the authentic user has already accessed an account, it may not ask for an MFA again while logged in. Cybercriminals can then take advantage of the already authenticated session and pose as the legitimate user.

Attackers have successfully used MFA bypass to break through strong security measures and cause significant damage. Here are some examples of recent attacks:

• Microsoft Entra ID Security Enhancements (2025): Microsoft introduced Conditional Access and risk-based authentication to combat advanced MFA bypass techniques like token theft and session hijacking, reflecting ongoing efforts to strengthen identity security.

• iTM Phishing Campaigns Targeting 10,000+ Organizations (2023–2024): Microsoft reported that adversary-in-the-middle phishing attacks targeted over 10,000 organizations, stealing credentials and session cookies to bypass multi-factor authentication (MFA). These sophisticated campaigns fueled widespread business email compromise (BEC), highlighting the evolving threat landscape.

• Lapsus$ Group MFA Fatigue Tactics (2022–2023): Lapsus$ hackers exploited MFA fatigue by repeatedly calling employees late at night to coerce approval of MFA prompts, demonstrating how social engineering can bypass technical controls. In their official Telegram channel, attackers traded MFA bypass tips and techniques. “No limit is placed on the number of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device,” explained one member.

These high-profile breaches serve as clear reminders that MFA bypass is a real risk to organizations. Learning from these cases can help them anticipate the risks and better protect their most valuable assets.

The key to stopping MFA bypass is proper credential protection. Without valid credentials, attackers hit a wall.

Make strong password policies mandatory. Require regular changes, prohibit reuse, and enforce complexity standards. Unique, hard-to-guess passwords reduce the risk of successful brute force and credential stuffing attacks.

Enforce password hygiene by:

• Setting complexity and length requirements

• Blocking password reuse across systems

• Recommending password managers

• Requiring periodic updates based on risk

Next, disable legacy authentication protocols like IMAP, POP, and basic auth since they can’t support MFA and create easy paths for bypass.

Review conditional access policies for gaps. Overly permissive rules can skip MFA in high-risk scenarios. Align policies with a zero-trust model by limiting access to only what’s necessary for each role.

Improve enforcement with:

• MFA for all privileged and remote access

• Tightened conditional access rules

• Legacy protocol blocks at the directory level

• Least-privilege access tied to job roles

Don’t overlook education. Train employees to treat MFA codes like passwords that they should never share, even under pressure. Conduct security awareness training using real-world scenarios through phishing simulations or tools like the AI phishing coach.

Real-time monitoring helps catch suspicious activity like repeated MFA prompts or unfamiliar login locations. Quick detection allows rapid containment.

Lastly, conduct regular access reviews to prevent privilege creep. Keeping permissions tightly scoped supports zero-trust principles and regulatory compliance.

To learn more about how Abnormal can protect you from account takeovers, schedule a demo today.