While multifactor authentication (MFA) is widely regarded as a robust defense against account takeovers, it is not the be-all and end-all. Security professionals recognize that various techniques, such as session hijacking, social engineering, SIM swapping, and MFA fatigue attacks, can effectively circumvent MFA protections. Tools like EvilProxy, Modlishka, and Evilginx have emerged to automate these bypass methods, highlighting the need for organizations to adopt more comprehensive security strategies and awareness around this subject.
Illustrative Scenario: Bob from Contoso Bank
In one illustrative scenario, consider Bob, an employee at Contoso Bank. Bob falls victim to social engineering and is lured to a fake Microsoft 365 login page. While he attempts to log in, Evilginx acts as a reverse proxy between him and the real service, relaying his credentials and capturing his session cookies. Even though MFA is enabled, Bob unwittingly hands the attacker access to his account: Evilginx relays the one-time code sent via SMS or generated by an authentication app as he types it, and captures the session cookie Microsoft 365 issues once that code is accepted. This gives the threat actor full control of Bob’s Microsoft 365 environment and lets them conduct further malicious activity without detection.

Having bypassed MFA, attackers use their new session to extend their foothold. A common next step is Bob’s Outlook mailbox: they create malicious inbox rules that delete all incoming emails and/or move them to another folder so that the real Bob does not notice what has happened. From there the compromise can lead to business email compromise, attacker monitoring of the mailbox for potential financial transactions, or phishing campaigns against other trusted contacts.
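Because inbox rules that hide mail are one of the first things a mailbox intruder creates, they are also one of the most reliable post-compromise signals. The following is an added example (not code from the original article) that scores inbox-rule creation events for the traits described above: rules that delete or mark mail as read, move it to folders users rarely open, forward it elsewhere, carry a blank or punctuation-only name, or filter on finance and security keywords. The sample records are constructed and only loosely shaped after Exchange Online New-InboxRule entries as they appear in the Microsoft 365 unified audit log; the field names are an assumption for the example, not a real export.

```python
import json
from typing import Dict, List

# Constructed sample audit records (assumed shape, not a real unified audit log export).
SAMPLE_AUDIT = [
    json.dumps({"UserId": "bob@contoso.example", "Operation": "New-InboxRule",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"UserId": "bob@contoso.example", "Operation": "New-InboxRule",
                "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "Keep"},
                               {"Name": "FromAddressContainsWords", "Value": "it-helpdesk"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"UserId": "alice@contoso.example", "Operation": "New-InboxRule",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"UserId": "bob@contoso.example", "Operation": "Set-Mailbox", "Parameters": []}),
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Folders attackers commonly use because owners seldom look in them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Keywords that suggest the rule is filtering for fraud or account-recovery mail.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "security"}


def score_rule(params: Dict[str, str]) -> List[str]:
    """Return the list of reasons a rule looks like mailbox tampering (empty if benign)."""
    reasons: List[str] = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely-read folder '{folder}'")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    if any(params.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
        reasons.append("forwards or redirects mail")
    if not params.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    words = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.strip().lower() for w in params.get(key, "").split(";") if w.strip())
    hits = words & SENSITIVE_WORDS
    if hits:
        reasons.append("filters on sensitive keywords: " + ", ".join(sorted(hits)))
    return reasons


def find_suspicious_rules(lines) -> List[dict]:
    """Parse JSON audit lines and return one finding per rule that scores at least one reason."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        reasons = score_rule(params)
        if reasons:
            findings.append({"user": rec["UserId"], "rule": params.get("Name", ""),
                             "ip": rec.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT):
        print(f"{f['user']} rule '{f['rule']}' from {f['ip']}: " + "; ".join(f["reasons"]))
```

Each finding should be paired with the sign-in that preceded the rule creation: a rule created from an IP or device the user has never used before, shortly after an MFA prompt, is exactly the Bob scenario above.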
Let’s explore some of the most common MFA bypass techniques in more detail:
MFA Fatigue
MFA fatigue exploits the human approval step of push-based authentication. Users see these prompts on their phone from their authenticator app or from a Duo MFA push and may simply tap accept/approve. This happens more than you think, and attackers take advantage of it: using compromised usernames and passwords, they trigger sign-in after sign-in so that the user is flooded with push notifications. Eventually the user, frustrated by the barrage of requests, may approve one without thinking, granting the attacker entry.
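The pattern that a detection engineer wants to catch here is a burst of push prompts the user did not approve, optionally followed by an approval, all from the same source. The following is an added example (not from the original article) that walks a constructed set of MFA push events with a sliding window and raises one alert per user whose unanswered or denied prompts reach a threshold; it also records whether an approval arrived inside the same window, which is the "user gave in" case that should trigger session revocation rather than just a ticket. The CSV layout of the events is an assumption for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events. Assumed layout: timestamp,user,result,source_ip
# where result is one of approved / denied / timeout.
SAMPLE_EVENTS = """\
2024-03-04T08:00:05Z,bob@contoso.example,denied,203.0.113.10
2024-03-04T08:00:41Z,bob@contoso.example,timeout,203.0.113.10
2024-03-04T08:01:12Z,bob@contoso.example,denied,203.0.113.10
2024-03-04T08:01:50Z,bob@contoso.example,timeout,203.0.113.10
2024-03-04T08:02:30Z,bob@contoso.example,denied,203.0.113.10
2024-03-04T08:03:05Z,bob@contoso.example,approved,203.0.113.10
2024-03-04T09:15:00Z,alice@contoso.example,denied,198.51.100.7
2024-03-04T13:40:00Z,alice@contoso.example,approved,198.51.100.7
"""

UNAPPROVED = {"denied", "timeout"}


def parse_events(text):
    """Parse the CSV text into (timestamp, user, result, ip) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_spam(events, threshold=4, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold unapproved pushes inside
    `window`. If an approval follows while the burst is still inside the window, the
    alert is marked approved_after=True: the attacker most likely has a session now."""
    recent = defaultdict(deque)   # user -> timestamps of recent unapproved pushes
    alerts = {}
    for ts, user, result, ip in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "first_seen": q[0],
                                                 "pushes": 0, "approved_after": False,
                                                 "source_ip": ip})
                alert["pushes"] = max(alert["pushes"], len(q))
        elif result == "approved" and len(q) >= threshold and user in alerts:
            alerts[user]["approved_after"] = True
            alerts[user]["approved_at"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_push_spam(parse_events(SAMPLE_EVENTS)):
        state = "APPROVED AFTER BURST" if a["approved_after"] else "burst only"
        print(f"{a['user']}: {a['pushes']} unapproved pushes from {a['source_ip']} ({state})")
```

Tune `threshold` and `window` to your identity provider's real prompt cadence; a single denied push per day (Alice) is normal noise, while five in three minutes followed by an approval (Bob) is the fatigue pattern.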

Token Theft
Token theft is a prevalent technique used to bypass multi-factor authentication (MFA). Once a user successfully authenticates, session cookies are created to facilitate seamless subsequent logins. If an attacker captures these cookies, they can impersonate the legitimate user, effectively bypassing security measures.
How Token Theft Works:
- Initial Compromise: The attacker often begins with phishing, tricking the user into revealing their login credentials.
- Session Cookie Capture: After the user logs in, the attacker uses tooling to capture the session cookie. The web application uses this cookie to recognise the user’s session, so the user stays logged in without re-authenticating for each new page within the same session.
- Cookie Transfer: The attacker loads the stolen session cookie into their own browser and presents it to the legitimate site. The site cannot tell this request apart from one sent by the authenticated user, so the attacker obtains a session that mirrors the legitimate user’s.
- Access Granted: With the stolen session cookie, the attacker gains unauthorized access to the user’s account, bypassing any MFA protections, because the MFA check already happened when the cookie was issued.
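The reason the transfer step works is that a session cookie is a bearer token: whoever presents it is the user. The following is an added example (not from the original article, and not any product's implementation) of a server-side session store that narrows that property. Each session is bound at issuance to a keyed hash of the client context it was issued to, carries an absolute lifetime after which re-authentication is required, and, when the same cookie later arrives from a different context, is revoked outright and queued for investigation rather than quietly rejected. The context fingerprint (IP plus user agent) and the lifetimes are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_MAX_AGE = 8 * 3600               # absolute lifetime in seconds (assumed policy)
SERVER_KEY = secrets.token_bytes(32)     # per-process secret for context hashing (constructed)


def client_context(ip: str, user_agent: str) -> str:
    """Keyed fingerprint of the client a session was issued to. Keyed so the store
    never holds raw client attributes, and so a stolen store cannot be used to forge one."""
    return hmac.new(SERVER_KEY, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be exercised
        self._sessions = {}              # session id -> {user, ctx, issued}
        self.revoked_for_review = []     # events a SOC would pick up

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        """Create a session after password + MFA succeeded; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ctx": client_context(ip, user_agent),
                               "issued": self._now()}
        return sid

    def validate(self, sid: str, ip: str, user_agent: str):
        """Return (user, 'ok') for a valid presentation, else (None, reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown or revoked session"
        if self._now() - s["issued"] > SESSION_MAX_AGE:
            del self._sessions[sid]
            return None, "session expired"
        if not hmac.compare_digest(s["ctx"], client_context(ip, user_agent)):
            # Same cookie, different client: treat as replay. Revoke for everyone
            # (the legitimate user re-authenticates) and record it for investigation.
            del self._sessions[sid]
            self.revoked_for_review.append({"user": s["user"], "ip_seen": ip,
                                            "at": self._now()})
            return None, "context mismatch; session revoked"
        return s["user"], "ok"

    def revoke_all(self, user: str) -> int:
        """Incident-response hook: drop every session for a user; returns the count."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("bob", "198.51.100.7", "Firefox/124")
    print(store.validate(cookie, "198.51.100.7", "Firefox/124"))   # ('bob', 'ok')
    print(store.validate(cookie, "203.0.113.10", "Firefox/124"))   # replay from elsewhere
    print(store.validate(cookie, "198.51.100.7", "Firefox/124"))   # now gone for Bob too
    print(store.revoked_for_review)
```

Binding to IP and user agent is deliberately crude: mobile users change addresses and some proxies rewrite headers, so a production deployment would bind to a device-held key where the platform supports it and keep lifetimes short. The point the example makes is structural: a stolen cookie should buy the attacker a narrow window and a loud signal, not an indefinite, silent session.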

[Figure: MFA bypass in token theft. Source: eSecurity Planet]
Adversary in the Middle Attacks
Adversary-in-the-middle (AitM) attacks (formerly known as man-in-the-middle attacks) involve tricking users into clicking malicious links that redirect them to a proxy server controlled by the attacker. The proxy relays communication between the user and the legitimate website while capturing sensitive information, including login credentials and MFA tokens. With this data, attackers can carry out the token theft described above, further compromising security. See Figure 1 and Figure 2.
Authentication tokens are now a high-priority target, and the tactics used to steal them are growing more sophisticated. According to Microsoft’s DART (Detection and Response Team), methods like Adversary-in-the-Middle (AitM) attacks are becoming more common.
Microsoft explains that frameworks like Evilginx extend beyond simple credential phishing. They insert malicious infrastructure between the user and the legitimate application the user intends to access. When the user falls victim to phishing, this malicious infrastructure captures both the user’s credentials and their authentication token.
Given that many organizations allow a hybrid work environment, employees using personal devices to access corporate resources are particularly vulnerable to these attacks. Personal devices are often less secure than corporate-managed devices and lack visibility from IT teams, making it difficult to determine if they have been compromised.
For this reason, it’s best not to use personal devices for work purposes. Not only does this put corporate data at risk, but it also jeopardizes the security of personal accounts accessed on those devices.
This vulnerability underscores the critical need for robust endpoint protection to prevent malware from compromising session tokens. Attackers are increasingly targeting cookie theft and token interception as methods to bypass security protocols, making it essential to maintain strong defenses and minimize the risk of compromise.
Mitigating Bypass Attacks
To strengthen defenses against these bypass techniques, organizations should implement several key strategies. First and foremost, enabling MFA is essential, but it is not sufficient on its own. To combat MFA fatigue, organizations should limit the number of push requests a user can receive in a short period, or eliminate push notifications as a verification method altogether. Users must also be vigilant against these types of attacks.
Additionally, incorporating features like number matching can enhance security. With this method, users must enter a code displayed in their browser into their mobile device, so a prompt cannot be approved by a user who is not looking at the sign-in screen, and only legitimate requests are processed.
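Both controls in the two paragraphs above are small pieces of server-side logic, and seeing them together shows why they complement each other. The following is an added example (not from the original article, and not how any particular authenticator product is implemented) of a push-based second factor that caps the number of outstanding prompts per user before temporarily blocking further sign-in attempts, and that requires the two-digit number shown on the sign-in screen to be entered in the app, so a blind "approve" is rejected. The caps, lockout period and challenge lifetime are assumed values for the example.

```python
import secrets
import time
from dataclasses import dataclass

MAX_PENDING_PUSHES = 3        # open prompts per user before new sign-ins are blocked (assumed)
PUSH_LOCKOUT_SECONDS = 900    # how long sign-in stays blocked after hitting the cap (assumed)
CHALLENGE_TTL = 60            # seconds a prompt may be answered (assumed)


@dataclass
class Challenge:
    user: str
    number: int        # shown in the browser; must be typed into the app
    created: float
    answered: bool = False


class PushAuthenticator:
    def __init__(self, now=time.time):
        self._now = now              # injectable clock
        self._pending = {}           # challenge id -> Challenge
        self._blocked_until = {}     # user -> timestamp until which pushes are refused

    def _open_for(self, user: str):
        """Prompts for this user that are still unanswered and unexpired."""
        now = self._now()
        return [c for c in self._pending.values()
                if c.user == user and not c.answered and now - c.created < CHALLENGE_TTL]

    def start(self, user: str):
        """Called after a correct password. Returns (challenge_id, number) to display in
        the browser, or (None, reason) if this user is being flooded with prompts."""
        now = self._now()
        if self._blocked_until.get(user, 0) > now:
            return None, "push blocked: too many recent requests"
        if len(self._open_for(user)) >= MAX_PENDING_PUSHES:
            # Hitting the cap is itself a signal worth alerting on, not just a throttle.
            self._blocked_until[user] = now + PUSH_LOCKOUT_SECONDS
            return None, "push blocked: too many recent requests"
        cid = secrets.token_urlsafe(16)
        number = secrets.randbelow(90) + 10      # two-digit number, 10..99
        self._pending[cid] = Challenge(user, number, now)
        return cid, number

    def approve(self, cid: str, entered_number: int):
        """Called from the authenticator app. Each challenge gets exactly one answer;
        an approval without the matching number fails just like a denial."""
        c = self._pending.get(cid)
        if c is None or c.answered:
            return False, "no such challenge"
        c.answered = True
        if self._now() - c.created >= CHALLENGE_TTL:
            return False, "challenge expired"
        if entered_number != c.number:
            return False, "number mismatch"
        return True, "approved"


if __name__ == "__main__":
    auth = PushAuthenticator()
    cid, shown = auth.start("bob")
    print("browser shows", shown)
    print(auth.approve(cid, 0))          # blind approve with the wrong number: rejected
    cid, shown = auth.start("bob")
    print(auth.approve(cid, shown))      # user typed what the screen showed: approved
    for _ in range(4):                   # a flood of sign-ins hits the cap on the 4th
        print(auth.start("bob"))
```

The lockout is a blunt instrument that also locks out the legitimate user for its duration, which is the intended trade-off: during a fatigue attack the user should be calling the help desk, not approving prompts. Pair the "push blocked" event with the burst detection used for MFA fatigue so the SOC sees the account, not just the user.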
Fostering a culture of security awareness is crucial. Human error is the biggest contributor to cyber attacks, and 91% of all cyber attacks begin with phishing. Users often overlook security protocols and may fall victim to social engineering tactics. Regular training can equip employees with the knowledge to recognize potential threats, such as phishing attempts, and to understand the risks associated with compromised credentials.
While MFA is a valuable layer of security, it is not everything. Organizations must remain vigilant and adopt a defense in depth approach to security that addresses the evolving tactics of cybercriminals. By implementing robust defenses and promoting security awareness, businesses can significantly reduce the risk of account takeovers and other malicious activities.