
Seven Ways Cyber Attackers Bypass MFA – And How To Stop Them

In 2022, identity accelerated to the forefront of the cybersecurity conversation. Identity-based attacks have become a top infiltration method for threat actors, in part because most users move between professional and personal activity on the same applications, passwords, and devices. These attacks range in sophistication and scale, but they can all have devastating effects on organizations’ digital environments, business operations, and reputations – all of which can impact the bottom line.

Multi-Factor Authentication (MFA) has rapidly become a common component of identity security, with organizations scrambling to enroll users and their devices in an attempt to curb account takeover. While MFA may be organizations’ preferred digital defense against these attacks, in reality it is often not enough. As evidenced by the high-profile identity-based attacks that seem to make the news every week, even MFA can be circumvented by modern identity attack techniques. Thwarting cyber attackers starts by understanding the seven techniques they rely on to get past MFA-protected users, and responding with a holistic, well-rounded identity security strategy that can fill these gaps.

Threat actors’ top strategies to work around MFA

Typically, identity-based attacks start with social-engineering phishing campaigns that trick victims into unwittingly providing their login credentials. Once a username and password are in hand, the attacker applies one of the following techniques to get around MFA:

  1. MFA fatigue: Consider how many one-time codes or push notifications a user receives in a week. From checking out from their favorite eCommerce brand to accessing their work email via the cloud, users have been conditioned to simply follow through with MFA instructions when an alert appears on their phone. Many cyber attackers now rely on this conditioning: when they log in with the stolen credentials, the push notification arrives and the end user simply presses “allow” without questioning it.
  2. MFA flooding: Similar to preying on victims’ MFA fatigue, MFA flooding involves wearing them down through constant push notifications. Eventually, the victim becomes so frustrated and tired of the constant alerts that they relent and hit the “allow” button to get some peace and quiet, while the threat actor gets to work causing chaos.
  3. Adversary-in-the-Middle (AiTM) proxy: An AiTM attack involves a cyber criminal intercepting communications between the victim and a legitimate service. For instance, the attacker can create a login page that looks and operates like an online bank or brokerage’s real single sign-on (SSO) page, causing the victim to willingly enter not only their username and password but also their one-time code. Alternatively, the victim may receive a push notification immediately after entering their credentials into the phishing site and, assuming the request originated from their own login, press “allow.” In reality, the threat actor is working behind the scenes, using automation to enter the stolen credentials into the real login page at the same time. Because the proxy relays the genuine session, the attacker ends up with the victim’s authenticated session, and neither one-time codes nor push approvals help; only factors bound to the real origin, such as FIDO2/WebAuthn security keys, resist this technique.
  4. MFA reset: Attackers will often bypass MFA by bypassing the intended victim as well, choosing instead to contact their IT Helpdesk. By pretending to be the victim, they can ask a well-meaning IT Helpdesk technician to reset the account’s MFA due to a lost device, allowing them to enroll a new factor at their next sign-in or to act during the generous reset grace period often allowed by MFA policies.
  5. Asking nicely: Sometimes, all it takes is a polite and authoritative tone. After spamming the victim with MFA push notifications, attackers reach out to them while impersonating an IT Helpdesk representative and kindly suggest they either press the “allow” button or read out the one-time password so the “IT employee” can resolve the MFA flooding issue for them.
  6. SIM swapping: Through this method, the attacker contacts the victim’s mobile carrier and has the victim’s phone number moved to a SIM card in the attacker’s possession. Any SMS one-time codes are now delivered to the attacker’s device, clearing the way for them to bypass SMS-based MFA.
  7. 0ktapus-style: If cyber criminals are committed and patient enough, they can always “go big or go home” with an 0ktapus-style approach. Named for the Okta login pages it spoofed, the 0ktapus phishing campaign that wreaked havoc in 2022 was unprecedented in its scale. Nearly 10,000 Okta login credentials belonging to users at Twilio, Cloudflare, and more than a hundred other organizations were stolen through an elaborate, months-long phishing campaign. By infiltrating Twilio, the attackers were able to intercept account-registration SMS messages for the secure messaging app Signal, which uses Twilio to deliver them.

Closing the MFA gaps with a proactive identity security program

Once the techniques cyber attackers deploy to bypass MFA are understood, the natural next question is, “How can my organization fill these gaps?” This is where proactive identity security is critical. A comprehensive proactive identity security program brings together three capabilities: Identity Attack Surface Mapping, Identity Security Posture Management, and Identity Threat Detection and Response.

Identity Attack Surface Mapping aggregates data from across an organization’s entire digital architecture to discover and analyze the identities within the enterprise. This gives security teams insight into how many identities exist in their population, what kinds of identities they are, and how that population changes over time. Because the attack surface changes constantly as new identities join and old identities leave the organization, Identity Attack Surface Mapping must be a continuous process.

Taking this a step further, Identity Security Posture Management examines this identity attack surface to locate weaknesses – specifically, accounts that are vulnerable to account takeover. An inactive account is the equivalent of an unused, unpatched server gathering dust in a forgotten closet: an easy vector for attackers, made even weaker if the account’s password hasn’t been changed recently and no second factor is configured. Posture management can locate these weaknesses and then recommend, and even implement, campaigns to clean them up, essentially patching identities.

Identity Threat Detection and Response (ITDR) picks up where the first two capabilities leave off. No matter how robust a company’s Identity and Access Management (IAM) architecture may be, and regardless of how many preventative measures are taken, in today’s volatile threat landscape something will always get through. ITDR is the last line of defense, working around the clock to detect and respond to suspicious activity that might indicate account takeover is in progress or has already taken place.
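As an added example of the kind of detection ITDR relies on, the script below runs two checks over authentication logs: the push-notification flood pattern behind techniques 1, 2 and 5 above (many push challenges to one user in a short window, ending in an approval), and the MFA-reset pattern behind technique 4 (a helpdesk factor reset followed, inside the grace period, by a new factor enrolled from an address the user has never successfully signed in from). This is illustration code written for this article, not any vendor’s product; the log schema, event names and the sample events are constructed assumptions, and the thresholds are starting points to tune against your own identity provider’s logs.

```python
"""Two ITDR-style detections over constructed authentication events.

The event schema (ts, user, event, ip, result) and event names are
assumptions made for this example; map them onto your IdP's export.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real logs. Timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    # alice: an ordinary sign-in, one push approved from her usual address
    {"ts": "2022-10-03T08:00:00Z", "user": "alice", "event": "push.challenge", "ip": "203.0.113.10", "result": "approved"},
    {"ts": "2022-10-03T08:00:05Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10"},
    # bob: MFA flooding, six pushes in under four minutes, the last one approved
    {"ts": "2022-10-03T22:10:00Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "denied"},
    {"ts": "2022-10-03T22:10:40Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "timeout"},
    {"ts": "2022-10-03T22:11:20Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "denied"},
    {"ts": "2022-10-03T22:12:00Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "timeout"},
    {"ts": "2022-10-03T22:12:40Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "denied"},
    {"ts": "2022-10-03T22:13:20Z", "user": "bob", "event": "push.challenge", "ip": "198.51.100.7", "result": "approved"},
    # carol: helpdesk resets her factor; 12 minutes later a new factor is enrolled
    # from an address carol has never signed in from, then a login follows
    {"ts": "2022-09-30T09:00:00Z", "user": "carol", "event": "login.success", "ip": "203.0.113.55"},
    {"ts": "2022-10-03T14:00:00Z", "user": "carol", "event": "factor.reset", "ip": "10.0.0.9", "actor": "helpdesk"},
    {"ts": "2022-10-03T14:12:00Z", "user": "carol", "event": "factor.enroll", "ip": "198.51.100.7"},
    {"ts": "2022-10-03T14:12:30Z", "user": "carol", "event": "login.success", "ip": "198.51.100.7"},
]


def _t(event):
    """Epoch seconds for an event's ISO-8601 UTC timestamp."""
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def find_push_floods(events, window_s=300, threshold=5):
    """Return {user: (max_pushes_in_window, any_approved)} for users who received
    at least `threshold` push challenges inside any `window_s`-second window.
    any_approved tells the responder whether the flood actually succeeded."""
    pushes_by_user = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["event"] == "push.challenge":
            pushes_by_user[e["user"]].append(e)

    floods = {}
    for user, pushes in pushes_by_user.items():
        start = 0
        for end in range(len(pushes)):
            # Slide the window start forward until it spans at most window_s seconds.
            while _t(pushes[end]) - _t(pushes[start]) > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(p.get("result") == "approved" for p in pushes[start:end + 1])
                old_count, old_approved = floods.get(user, (0, False))
                floods[user] = (max(old_count, count), old_approved or approved)
    return floods


def find_suspicious_reenrollments(events, grace_s=3600):
    """Return [(user, enroll_ip)] where a factor reset is followed within `grace_s`
    seconds by a factor enrollment from an IP with no prior successful login
    for that user. A legitimate lost-device reset usually re-enrolls from a
    known network; an attacker who talked the helpdesk into the reset does not."""
    ordered = sorted(events, key=_t)
    hits = []
    for i, e in enumerate(ordered):
        if e["event"] != "factor.reset":
            continue
        user, t_reset = e["user"], _t(e)
        known_ips = {x["ip"] for x in ordered
                     if x["user"] == user and x["event"] == "login.success" and _t(x) < t_reset}
        for f in ordered[i + 1:]:
            if _t(f) - t_reset > grace_s:
                break  # beyond the grace period; later events are not relevant to this reset
            if f["user"] == user and f["event"] == "factor.enroll" and f["ip"] not in known_ips:
                hits.append((user, f["ip"]))
    return hits


def triage(events):
    """Run both detections and return their findings together."""
    return {"push_floods": find_push_floods(events),
            "suspicious_reenrollments": find_suspicious_reenrollments(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(name, finding)
```

On the sample data the flood detector flags only bob (six pushes in the window, one of them approved, so the account should be treated as taken over rather than merely harassed), and the re-enrollment detector flags carol’s new factor from 198.51.100.7. Alice’s single approved push produces nothing. In production the same two functions run over a rolling window of the IdP’s system log, and the approved-flood and new-IP-enrollment results feed a session-revocation or factor-reset response rather than just an alert.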

Bolstering organizational defenses when MFA is bypassed

In the modern workplace, identity has become the new perimeter and cyber attackers are better equipped than ever to cross it by bypassing MFA. Organizations can take immediate action to thwart these techniques. Through a holistic and proactive identity security program, companies can more effectively protect their users and their data to foster long-term business success.