
How To Bypass Multifactor Authentication (It’s Easy)


Not all multi-factor authentication (MFA) methods offer the same level of protection against different types of cyber-attacks. So, we’ve created this blog to show you how easy it is to bypass multifactor authentication.

MFA requires users to provide two or more forms of identity verification before gaining access to a system or account. It is an additional layer of security that goes beyond a username and password, which are easily exploited by attackers because people tend to reuse passwords or choose weak ones.

Despite the benefits of MFA, adoption varies significantly. While over half of businesses worldwide implement some form of MFA, only 4% utilise phishing-resistant MFA, which provides a stronger defence against sophisticated attacks.

What is multifactor authentication?

MFA can take the form of something a user knows (a password), something they have (a hardware token or phone) or something they are (biometrics, such as facial recognition). This additional layer of verification significantly decreases the likelihood of malicious actors gaining unauthorised access to your systems or accounts, even in cases where credentials have been compromised.

Sounds secure, right? Watch our ‘How to Bypass Multifactor Authentication’ video to see how hackers can easily bypass MFA and, more importantly, learn how to protect yourself from this type of attack. The demonstration uses the Microsoft login page.


What is a Man-in-the-Middle attack?

A Man-in-the-Middle (MitM) attack is a type of cyber-attack where a hacker secretly intercepts and relays messages between two parties who think they are communicating directly with each other.

What is an Adversary-in-the-Middle attack?

An Adversary-in-the-Middle attack (AitM) is like a MitM attack. The key difference here is that the hacker actively inserts themselves into the communication channel, often posing as one of the legitimate parties.

The goal of both attacks is to gain unauthorised access to sensitive information by infiltrating a communication flow. Once successfully orchestrated, the attack can steal login credentials, inject malicious code into transmitted data, and give the attacker insight into confidential conversations.

According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involved a human element, meaning people were wholly or partly responsible for the breach. With this in mind, we need to make sure we are providing our people with the tools they need to protect themselves, and their organisation, from potentially devastating attacks.

Common techniques used in MitM attacks:

  • ARP Spoofing: The Address Resolution Protocol (ARP) cache on a target network is manipulated, redirecting traffic intended for one device to the attacker’s own machine.
  • DNS Spoofing: By tampering with Domain Name System (DNS) responses, the attacker redirects legitimate domain names to malicious IP addresses, leading users to fake websites.
  • Wi-Fi Eavesdropping: Wi-Fi networks are exploited to intercept and capture data transmitted between devices and the network, allowing the attacker to eavesdrop on sensitive information.
  • SSL Stripping: Hackers downgrade secure HTTPS connections to unencrypted HTTP connections, intercepting and manipulating data exchanged between the user and the server.
  • Session Hijacking: A user’s session cookie or token is stolen, allowing attackers to impersonate the user and gain unauthorised access to their accounts or sessions.

Common techniques used in AitM attacks:

  • Social Engineering: Manipulation tactics trick users or administrators into granting the attacker access to sensitive systems or information.
  • Credential Phishing: Fake login pages or emails are created to deceive users into sharing their usernames, passwords, or other authentication credentials.
  • Malware Injection: Malicious code is injected into legitimate websites or software to capture sensitive data or control the victim’s device remotely.
  • Compromised Devices: Vulnerabilities in routers, switches, or other network devices are exploited to intercept and manipulate data passing through them.
  • DNS Hijacking: Adversaries infiltrate DNS servers or tamper with DNS configurations to reroute users to malicious websites or servers under their control.

Advice from CloudGuard SOC

Always verify the address bar before entering credentials on any login page. For Microsoft, ensure it’s login.microsoftonline.com. Adversary-in-the-middle attacks are gaining traction, so staying ahead of them is important.

This is one of the advantages of having a 24/7 managed SOC. Our external team detected and responded to the threat quickly, mitigating potential damage. If you manage your SIEM internally, and this type of attack occurs outside of business hours or without our level of expertise, the repercussions can be far more severe, even if it is picked up only an hour later.

Atif Chaudry, SOC Analyst, CloudGuard

How to bypass multifactor authentication – our scenarios

We have captured a real-time demonstration showcasing the vulnerability of multi-factor authentication to phishing attacks.

We’ve created a scenario involving three characters: Alice, Mallory, and Bob. Alice, our unsuspecting victim, uses strong security measures, including a 128-character password and push-based MFA. Despite these precautions, her account remains susceptible to exploitation.

Mallory, the cybercriminal, orchestrates a phishing attack by setting up a deceptive domain that mimics Alice’s company’s Microsoft login page. When Alice clicks the phishing link, Mallory’s server captures her credentials and her authenticated session cookie.

Armed with this information, Mallory bypasses the MFA prompts and gains unauthorised access to Alice’s account. By injecting the captured session cookie into his browser, Mallory successfully impersonates Alice and accesses sensitive information in Microsoft Azure.

It’s not all bad though. We then demonstrate how this attack could have been prevented using a phishing-resistant method, such as a WebAuthn (FIDO2) security key. This MFA method is specifically designed to prevent such attacks.

Final thoughts on ‘how to bypass MFA’

Multi-factor authentication is an important defence against various cyber threats, yet not all MFA methods offer equal protection. While it adds an extra layer of security to your accounts beyond passwords, it’s important to also acknowledge its limitations.

Man-in-the-Middle and Adversary-in-the-Middle attacks use specific tactics to exploit vulnerabilities within MFA. These attacks aim to intercept communication, steal credentials, and manipulate data.

Our real-time scenario showcases how even security measures like MFA can be bypassed by phishing attacks. The best defence is implementing phishing-resistant MFA methods, such as FIDO2, to reduce the risk of a successful attack.

We hope you’ve found ‘How to Bypass Multifactor Authentication’ insightful. If you want to learn more about protecting yourself or your organisation from these types of threats, reach out to the CloudGuard team.

5 FIDO-supported authentication providers

  • Microsoft Entra
  • Okta Workforce Identity
  • Yubico YubiKey
  • Google Cloud
  • Thales SafeNet Trusted Access
Author: Matt Lovell
