You Turned MFA On. Attackers Already Have Three Ways Around It.



Thought Leadership
Credential Risk
May 2026  ·  8 min read

In Q3 2025, 32% of organizations hit by ransomware had MFA deployed — and 41% of those were breached anyway via MFA bypass. MFA is necessary. It's no longer sufficient. Here are the three routes attackers are using to get around it, and what actually stops them.


On the night of September 15, 2022, an Uber contractor started receiving push notifications on their phone. A second-factor authentication request — the kind their MFA setup had been sending them for years. They declined it. Another one appeared. They declined again. For over an hour, notifications arrived every few minutes. Exhausted, assuming it was a system glitch, they finally tapped Approve.

Within minutes, the attacker had access to Uber's internal systems, Slack, and source code repositories. The MFA worked exactly as designed. The human didn't.

This is the story most businesses don't know about MFA. It's not a story about MFA failing. It's a story about attackers learning to route around it — using the human being holding the phone, the architecture of the authentication session, or the inconsistency of how MFA gets deployed in real organizations. And in 2026, all three routes are more refined, more automated, and more widely used than ever before.

  • 32% of ransomware victims in Q3 2025 had MFA deployed and still got breached (Surefire Cyber, Q3 2025 Ransomware Report)
  • 41% of those MFA-protected organizations experienced MFA bypass, up from 32% the prior quarter (Surefire Cyber, Q3 2025 Ransomware Report)
  • 64% of MFA bypass in BEC incidents used adversary-in-the-middle attacks (Surefire Cyber / Obsidian Security, 2025)

MFA doesn't get cracked. It gets routed around. Attackers don't break the cryptography; they attack the human moment, the session layer, or the deployment gap. Understanding which route is being used against you is the difference between security and false confidence.

The three routes attackers use to bypass your MFA


Route 1 — MFA Fatigue (Push Bombing)

Attacks the human, not the technology.
Most recognized

The attacker already has your employee's valid username and password, purchased from a breach database, obtained through phishing, or stolen by infostealer malware. They feed those credentials into an automated authentication loop. Each attempt passes the password check, so each one triggers a fresh push notification on your employee's device. The attacker runs this loop continuously, dozens or sometimes hundreds of times, timed deliberately for midnight to 5am or weekends, when cognitive resistance is lowest.

The goal isn't to trick the employee. The goal is exhaustion. Decision fatigue. The notification that finally gets approved not because the employee was fooled but because they wanted the phone to stop buzzing.

The Uber case (documented 2022): An attacker contacted the contractor via WhatsApp, claiming to be IT support and explaining the notifications were routine maintenance. After over an hour of notifications, the contractor approved one. The attacker had Uber's internal network within minutes. Lapsus$ used the same technique against Microsoft, Okta, and Nvidia in the same period.

What stops it: Number matching, which requires the employee to type a code shown on the login screen into the push prompt rather than simply tapping Approve. A blind tap on a notification no longer completes the login, so the exhaustion loop has nothing to win. Microsoft turned number matching on by default for Microsoft Authenticator push in 2023; Okta Verify, Duo and most other major identity providers offer it as a setting. CISA explicitly recommends it as the minimum standard for push-based MFA. Pair it with a lockout or alert after repeated denials, because number matching stops the approval, not the flood of prompts that reveals the attacker already holds a valid password.
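The burst of prompts itself is the signal worth alerting on, whether or not the employee eventually approves one. The following is an added example, not code from the original post or from Veriti Spottr: it groups MFA prompts per user and source IP into runs and flags any run long enough to be a bombing attempt, marking the ones that ended in an approval. The record layout and the log lines are constructed for the example and are only loosely modelled on identity-provider sign-in exports.

```python
# Added example (not from the original post): flag MFA push-bombing bursts in
# sign-in logs. The record fields are a simplified, assumed schema, not any
# vendor's exact export format; the log lines below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice gets seven push prompts from one IP at 02:00 and
# approves the last one; her 08:55 login and bob's 09:00 login are normal.
SAMPLE_LOG = [
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:00:00Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:02:00Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:03:00Z", "mfa_result": "timeout"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:05:00Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:06:00Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:08:00Z", "mfa_result": "denied"},
    {"user": "alice@example.com", "ip": "203.0.113.7", "time": "2025-09-10T02:09:00Z", "mfa_result": "approved"},
    {"user": "alice@example.com", "ip": "192.0.2.10", "time": "2025-09-10T08:55:00Z", "mfa_result": "approved"},
    {"user": "bob@example.com", "ip": "198.51.100.20", "time": "2025-09-10T09:00:00Z", "mfa_result": "approved"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(records, gap=timedelta(minutes=5), threshold=5):
    """Group each (user, source IP) pair's MFA prompts into runs where
    consecutive prompts are at most `gap` apart. A run of `threshold` or more
    prompts is a bombing burst; one that contains an approval is the case to
    treat as a compromised account rather than a tired user."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["ip"])].append((parse_ts(r["time"]), r["mfa_result"]))

    findings = []
    for (user, ip), events in by_key.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:] + [None]:          # None flushes the final run
            if ev is not None and ev[0] - run[-1][0] <= gap:
                run.append(ev)
                continue
            if len(run) >= threshold:
                results = [res for _, res in run]
                findings.append({
                    "user": user,
                    "ip": ip,
                    "first_prompt": run[0][0].isoformat(),
                    "prompts": len(run),
                    "denied": results.count("denied"),
                    "approved": "approved" in results,
                    # timestamps here are UTC; a real rule converts to the user's local time
                    "off_hours": run[0][0].hour < 6,
                })
            if ev is not None:
                run = [ev]
    return findings


def main():
    for f in detect_push_bombing(SAMPLE_LOG):
        verdict = "COMPROMISE LIKELY" if f["approved"] else "bombing attempt"
        print(f"{verdict}: {f['user']} from {f['ip']} got {f['prompts']} prompts "
              f"starting {f['first_prompt']} ({f['denied']} denied)")


if __name__ == "__main__":
    main()
```

Grouping by source IP as well as user is deliberate: a user's own repeated prompts from a known device and the attacker's loop from an unfamiliar address then show up as separate runs, and the approval that closes the attacker's run is the one that should trigger a session revoke and password reset rather than a "user error" ticket.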


Route 2 — Adversary-in-the-Middle (AiTM) Proxy Attacks

The employee completes MFA correctly — the attacker wins anyway.
Up 146% last year

The attacker sets up a reverse proxy between your employee and your legitimate login service. The employee is directed to what appears to be the real Microsoft, Google, or Okta login page. They enter their real password. They complete the real MFA challenge. Everything works exactly as expected.

But every interaction is being relayed through attacker-controlled infrastructure. The moment the legitimate service issues a session cookie — proving authentication is complete — the attacker captures it. They can now access the account as if they were the authenticated user, without triggering MFA again. Authentication already happened.

Why this is different from old-school phishing: Traditional phishing stole your password. AiTM steals your authenticated session. Resetting the password on its own doesn't end the attacker's access, because the captured session cookie or token stays valid until it expires or is explicitly revoked; the response has to include revoking the user's sessions and refresh tokens at the identity provider. AiTM accounts for 64% of MFA bypass in BEC incidents. Eleven commercial phishing kits automate AiTM attacks. Nearly 40,000 AiTM incidents are detected daily globally.

What stops it: Phishing-resistant MFA, specifically FIDO2 security keys or passkeys, where the assertion is cryptographically bound to the site's origin. The browser writes the page's real origin into the signed data and the authenticator scopes the credential to the relying party's domain, so a proxy on a lookalike domain receives an assertion that the legitimate service rejects, and the user cannot be talked into overriding that check. CISA explicitly calls FIDO2 the gold standard.
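To make the origin binding concrete, here is an added example (not code from the original post or from any FIDO implementation) of the relying-party checks that reject a proxied assertion. It builds the clientDataJSON a browser would produce on a given page origin and the first bytes of authenticatorData for the relying party ID the browser derived from that origin, then verifies them the way a server does. RP_ID, the allowed origin and the attacker domain are assumed values; signature verification is left out because it needs the credential's public key, and the binding fields are the point here.

```python
# Added example (not from the original post): a simplified relying-party
# check of the two fields that bind a WebAuthn assertion to a site. RP_ID and
# ALLOWED_ORIGINS are assumed values. Signature verification over
# authenticatorData || SHA-256(clientDataJSON) is omitted because it needs the
# credential's public key; it is what makes these fields tamper-proof.
import base64
import hashlib
import json

RP_ID = "login.example.com"                      # assumed relying party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The browser, not the page's JavaScript, writes `origin`, so a phishing
    page served from a proxy domain cannot claim the real one."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()


def authenticator_data(rp_id: str) -> bytes:
    """First 37 bytes of authenticatorData: SHA-256(rpId) || flags || counter.
    The browser derives rpId from the page origin's effective domain."""
    flags = b"\x01"                      # UP: user present
    counter = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def verify_binding(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Return (ok, reason). Mirrors the type, challenge, origin and rpIdHash
    steps of WebAuthn's assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, f"assertion bound to {RP_ID}"


def simulate(page_origin: str, rp_id: str):
    """Run a login where the browser is on `page_origin` and therefore asks
    the authenticator for `rp_id`; the real server then checks the result."""
    challenge = hashlib.sha256(b"server-side nonce for this login").digest()  # fixed for determinism
    return verify_binding(browser_client_data(challenge, page_origin),
                          authenticator_data(rp_id), challenge)


if __name__ == "__main__":
    print("legitimate:", simulate("https://login.example.com", "login.example.com"))
    print("AiTM proxy:", simulate("https://login.example-com.evil", "login.example-com.evil"))
    # Even if the proxy rewrote the origin string on the way through, the
    # rpIdHash still names the proxy domain, and the rewrite breaks the signature.
    print("rewritten origin:", simulate("https://login.example.com", "login.example-com.evil"))
```

Contrast this with a TOTP or SMS code: six digits carry no origin, so the proxy forwards them verbatim and the real server has no way to tell the relayed code from one typed on its own page.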


Route 3 — The Deployment Gap

Attacks your implementation, not your technology.
Most common in ransomware

This one isn't glamorous. It exploits the gap between the MFA policy that exists on paper and the MFA coverage that actually exists across your systems. Most MFA failures in ransomware incidents stem from misconfiguration — MFA policies applied inconsistently, leaving specific pathways completely unprotected.

You enabled MFA on Office 365. But Basic Authentication over a legacy mail protocol, IMAP, POP3 or SMTP AUTH, accepts a username and password only and was never disabled. The attacker connects over the legacy protocol with the stolen password, your MFA policy never evaluates, and the login succeeds. Or admin accounts were set up before the policy and quietly exempted. Or MFA covers the primary login but not the VPN, remote desktop gateway, or cloud storage tool.

The numbers behind the gap In Q3 2025, the majority of MFA bypass in ransomware incidents came not from sophisticated AiTM attacks but from basic misconfiguration — legacy protocols left enabled, incomplete coverage across user groups, and admin accounts exempted from policy. Partial MFA is treated as no MFA by attackers who scan for uncovered paths systematically.

What stops it: A complete MFA coverage audit — every system, every user, every access method. Legacy protocols explicitly blocked. Admin accounts included without exception. Third-party SaaS tools audited. The gap-finding is manual and tedious, but it's the highest-return security action available to most SMBs right now.
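The audit becomes tractable when you compute effective coverage rather than reading policies one at a time: for every user and every way of authenticating, is there at least one enabled policy that requires MFA or blocks the path? The following is an added example, not code from the original post or from Veriti Spottr, that does this over a small, constructed policy and user set. The model mirrors how Conditional Access style rules evaluate (include and exclude assignments, client app types such as "other" for legacy authentication clients, and enabled versus report-only state), but the field names, the policies and the users are assumptions, not a real tenant export.

```python
# Added example (not from the original post): compute effective MFA coverage
# from a policy export. The evaluation mirrors Conditional Access style rules
# (include/exclude users and groups, client app types, policy state), but the
# field names, policies and users below are constructed assumptions.

CLIENT_APPS = ["browser", "mobileAppsAndDesktopClients", "other"]
LEGACY_CLIENT_APPS = {"other"}      # "Other clients" = legacy auth (IMAP, POP3, SMTP AUTH, ...)
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}

POLICIES = [
    {"name": "Require MFA for all users", "state": "enabled",
     "include_users": "All", "include_groups": set(),
     "exclude_users": set(), "exclude_groups": {"Break-glass", "Legacy-Admins"},
     "client_apps": {"browser", "mobileAppsAndDesktopClients"}, "grant": {"mfa"}},
    {"name": "Block legacy authentication", "state": "reportOnly",   # never switched on
     "include_users": "All", "include_groups": set(),
     "exclude_users": set(), "exclude_groups": set(),
     "client_apps": {"exchangeActiveSync", "other"}, "grant": {"block"}},
]

USERS = [
    {"upn": "alice@example.com", "groups": set(), "roles": set()},
    {"upn": "bob-admin@example.com", "groups": {"Legacy-Admins"}, "roles": {"Global Administrator"}},
    {"upn": "svc-backup@example.com", "groups": set(), "roles": set()},
]


def policy_applies(policy, user, client_app):
    """Does this policy's assignment cover this user on this client-app type?
    Exclusions win over inclusions, as in the real evaluation order."""
    if policy["include_users"] != "All" and not (user["groups"] & policy["include_groups"]):
        return False
    if user["upn"] in policy["exclude_users"] or user["groups"] & policy["exclude_groups"]:
        return False
    return client_app in policy["client_apps"]


def audit(users=USERS, policies=POLICIES):
    """One finding per (user, client app) path that no enabled policy either
    requires MFA on or blocks outright."""
    findings = []
    for user in users:
        for app in CLIENT_APPS:
            applicable = [p for p in policies
                          if policy_applies(p, user, app) and p["grant"] & {"mfa", "block"}]
            if any(p["state"] == "enabled" for p in applicable):
                continue
            reason = ("only report-only: " + ", ".join(p["name"] for p in applicable)
                      if applicable else "no policy requires MFA or blocks this path")
            findings.append({
                "user": user["upn"],
                "client_app": app,
                "legacy": app in LEGACY_CLIENT_APPS,
                "privileged": bool(user["roles"] & PRIVILEGED_ROLES),
                "reason": reason,
            })
    # privileged accounts and legacy paths first: that is what attackers scan for
    findings.sort(key=lambda f: (not f["privileged"], not f["legacy"], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit():
        tag = "PRIV " if f["privileged"] else "     "
        print(f"{tag}{f['user']:<26} {f['client_app']:<28} {f['reason']}")
```

On the constructed data the output is exactly the three gaps the section describes: an admin excluded from the MFA policy through a group membership nobody remembers, a legacy-auth block that only ever ran in report-only mode, and a service account with nothing covering its legacy path. Against a real Microsoft 365 tenant the same questions are answered by the Conditional Access "What If" tool, sign-in logs filtered to the "Other clients" client app, and Exchange Online's Get-CASMailbox output for mailboxes with IMAP or POP still enabled.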

The most alarming finding from Q3 2025 ransomware data: most MFA failures weren't from sophisticated attacks requiring technical expertise. They were from basic misconfiguration — inconsistent coverage, legacy protocols, and exempted accounts. Attackers don't need AI to bypass your MFA if you've left a door open by accident. They just need a scanner that finds it before you do.

The MFA you have vs. the MFA that actually protects you

Not all MFA is equal — and the type you've deployed matters as much as whether you've deployed it.


SMS / Text message codes

Vulnerable to SIM swapping, where the attacker convinces your carrier to transfer your number to their device, and relayed through AiTM phishing pages like any other one-time code. CISA recommends moving away from SMS-based MFA. Still better than nothing. Not resistant to determined attackers.


Push notifications (Approve/Deny)

Vulnerable to MFA fatigue and push bombing. Significantly improved by number matching. Without number matching, push notifications are the weakest common MFA form deployed at scale.


TOTP apps (Authenticator codes)

Resistant to push bombing. Vulnerable to AiTM proxy attacks — the code can be relayed in real time before it expires. Better than SMS or push. Not phishing-resistant.


FIDO2 security keys / Passkeys

The gold standard. Cryptographically bound to the site's origin: the browser and the authenticator put the real domain into the signed assertion, so an AiTM proxy on a lookalike domain obtains an assertion the legitimate service rejects. CISA's highest recommendation. Phishing-resistant.

What MFA actually needs to work in 2026

  • Enable number matching on all push-based MFA. Single configuration change. Defeats push bombing without new hardware or cost. Some providers now enforce it by default; check that it is enforced for every push method your identity provider offers, not only the default authenticator.
  • Audit your legacy protocol exposure. Identify every access method that bypasses your MFA policy — legacy email protocols, older VPN configurations, any application authenticating separately from your main identity provider. Block every path that doesn't enforce MFA.
  • Include every account without exception. Admin accounts, IT staff, contractors. Attackers specifically look for the highest-privilege accounts exempted from policy during rollout. Those cause catastrophic breaches. Service accounts that cannot complete an interactive MFA prompt should not become silent exemptions: restrict them by source IP or move them to workload identities, and review the list regularly.
  • Move toward FIDO2 for your highest-risk accounts. Your admin accounts, finance team, and anyone with access to sensitive client data should be on phishing-resistant MFA as soon as possible. Hardware security keys are inexpensive. AiTM attacks don't work against them.
  • Monitor post-authentication behavior. MFA confirms identity at login. It says nothing about what happens after. An attacker with a valid AiTM-captured session looks like a legitimate authenticated user. Behavioral anomaly detection catches them in the session, not at the login prompt.
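Post-authentication monitoring rests on a simple fact: a cookie captured by an AiTM proxy is replayed from the attacker's machine, so the session's later requests come from a different IP and browser than the one that completed MFA. The following is an added example, not code from the original post or from Veriti Spottr, that anchors each session to its MFA-completion context and flags later requests that break it, raising severity when the request is one of the actions BEC operators take first. The event layout, the action names and the log lines are constructed; a real feed would join the identity provider's sign-in log with the application's audit log on session ID.

```python
# Added example (not from the original post): detect a session token being
# used from a different context than the one that completed MFA. The event
# schema, action names and log lines are constructed assumptions.
from datetime import datetime

SENSITIVE_ACTIONS = {"create_inbox_rule", "register_mfa_method", "add_app_consent"}

# Constructed sample: session s-1 is authenticated from Alice's laptop, then
# replayed from an unrelated IP and browser that creates a mailbox rule.
SAMPLE_EVENTS = [
    {"time": "2025-09-10T09:00:00Z", "session": "s-1", "user": "alice@example.com",
     "event": "mfa_success", "ip": "192.0.2.10", "ua": "Firefox/130 Windows", "action": ""},
    {"time": "2025-09-10T09:01:00Z", "session": "s-1", "user": "alice@example.com",
     "event": "request", "ip": "192.0.2.10", "ua": "Firefox/130 Windows", "action": "read_mail"},
    {"time": "2025-09-10T09:04:00Z", "session": "s-1", "user": "alice@example.com",
     "event": "request", "ip": "203.0.113.55", "ua": "Chrome/128 Linux", "action": "read_mail"},
    {"time": "2025-09-10T09:05:00Z", "session": "s-1", "user": "alice@example.com",
     "event": "request", "ip": "203.0.113.55", "ua": "Chrome/128 Linux", "action": "create_inbox_rule"},
    {"time": "2025-09-10T09:02:00Z", "session": "s-2", "user": "bob@example.com",
     "event": "mfa_success", "ip": "198.51.100.20", "ua": "Safari/17 macOS", "action": ""},
    {"time": "2025-09-10T09:03:00Z", "session": "s-2", "user": "bob@example.com",
     "event": "request", "ip": "198.51.100.20", "ua": "Safari/17 macOS", "action": "read_mail"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_reuse(events):
    """Anchor each session to the (ip, user agent) that passed MFA, then flag
    later requests in that session from a different ip or user agent. A
    captured cookie replayed by an AiTM operator shows up exactly here: the
    login was legitimate, the session's later context is not."""
    anchors = {}
    findings = []
    for e in sorted(events, key=lambda e: parse_ts(e["time"])):
        if e["event"] == "mfa_success":
            anchors[e["session"]] = e
            continue
        anchor = anchors.get(e["session"])
        if anchor is None:
            continue  # login context not in the window; nothing to compare against
        changes = []
        if e["ip"] != anchor["ip"]:
            changes.append(f"ip {anchor['ip']} -> {e['ip']}")
        if e["ua"] != anchor["ua"]:
            changes.append(f"ua {anchor['ua']!r} -> {e['ua']!r}")
        if changes:
            findings.append({
                "session": e["session"],
                "user": e["user"],
                "time": e["time"],
                "action": e["action"],
                "severity": "high" if e["action"] in SENSITIVE_ACTIONS else "medium",
                "changes": changes,
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} session {f['session']} at {f['time']}: "
              f"{f['action']} after {'; '.join(f['changes'])}")
```

A hit on a sensitive action is the point to revoke the session and refresh tokens at the identity provider, then reset the password; in that order, because the password reset alone leaves the replayed session alive. Mobile users on changing networks will produce medium-severity IP changes, so in production the IP comparison is better done on ASN or country than on the literal address.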
Platforms like Veriti Spottr identify the external signals that precede MFA bypass — exposed credentials in breach databases, legacy protocols still accessible, admin accounts visible from the outside that attackers will target first. The attack doesn't start when they bypass your MFA. It starts when they find your credentials and your gaps. That's the window where visibility matters most.

MFA is table stakes. It's not the whole game.

Turning on MFA was the right decision. In 2026 it remains one of the most important security controls any small business can deploy. That hasn't changed.

What has changed is the threat. Attackers have spent years studying MFA deployments, identifying the gaps, and building automation specifically designed to route around the human interface, the session architecture, and the implementation inconsistencies that most organizations leave in place after rollout.

The Uber contractor who kept declining push notifications for an hour wasn't careless. They were human. And "human" is now the attack surface. The question isn't whether your MFA is turned on. It's whether it's configured to survive contact with an attacker who has studied exactly how to get around it.

See what attackers see before they target your MFA — exposed credentials, legacy protocols, and coverage gaps. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com

