Multi-factor authentication has been the default security recommendation for years. "Enable MFA" appears in every hardening guide, every compliance framework, and every incident post-mortem. And for good reason: MFA blocks the vast majority of credential-stuffing and password-spray attacks. But in 2022, the threat landscape shifted. Attackers are no longer trying to guess your password. They are coming for your second factor directly.

Over the past twelve months, our red team engagements have shown a sharp increase in MFA bypass success rates. The techniques are not theoretical. They are being used in the wild by financially motivated threat actors and access brokers, and they are working against organizations that believed MFA made them safe.

MFA Fatigue: The Push-Bombing Problem

The most widespread bypass technique of 2022 is also the simplest: MFA fatigue, also called push-bombing. The attacker obtains a valid username and password, typically through credential stuffing or a phishing page, then initiates a login. The victim's phone lights up with a push notification asking them to approve the sign-in. Most people deny it. But when the attacker sends a second, third, tenth, or fiftieth push in rapid succession, fatigue sets in. The victim approves the request just to make the notifications stop, often assuming it is a glitch or their own login attempt.

This is not a hypothetical scenario. The LAPSUS$ threat group, which breached Microsoft, Okta, NVIDIA, and Ubiquiti earlier this year, used exactly this technique. They bombarded targets with MFA push notifications until someone hit approve. Microsoft documented a similar campaign in its threat intelligence reports, noting that push-bombing had surged significantly since mid-2021.

If your MFA solution lets an attacker trigger unlimited push notifications, your second factor is only as strong as your users' patience.

Push-based MFA, particularly Microsoft Authenticator's default mode and similar push implementations, is vulnerable by design. The convenience that makes push notifications popular also makes them exploitable. There is no cryptographic proof that the user actually intended to authenticate. A tap is not a deliberate act of verification when it happens under duress.

Adversary-in-the-Middle: Session Token Theft

While MFA fatigue targets the human, adversary-in-the-middle (AiTM) attacks target the protocol. In an AiTM attack, the attacker sets up a phishing site that acts as a reverse proxy between the victim and the legitimate service. When the victim enters their credentials and completes MFA, the phishing site forwards the request to the real service in real time. The service validates the MFA challenge, issues a session token, and the proxy captures that token on the way back to the victim.

The result: the attacker now holds a valid session token and is fully authenticated. MFA was completed correctly. The user saw nothing suspicious. And the attacker can use that token until it expires, which in many enterprise SaaS platforms can be hours or even days.

Phishing kits that implement AiTM are now widely available. Evilginx2, an open-source AiTM framework, has been repackaged into turnkey phishing kits sold on underground forums for a few hundred dollars. In June, Microsoft detailed how the DEV-1101 threat group was operating AiTM infrastructure at scale, targeting enterprise Microsoft 365 tenants. These kits can bypass MFA from virtually any provider, including FIDO2 security keys in certain misconfigured deployments.

What makes AiTM particularly dangerous is that the session token is independent of the authentication event. Even if the user changes their password after realizing they were phished, the stolen token remains valid. The attacker's session is not tied to the credential. It is tied to the cookie.

SIM-Swapping: The Legacy Problem Persists

SMS-based MFA remains one of the most commonly deployed second factors, particularly among smaller organizations and consumer-facing services. It is also the weakest. SIM-swapping attacks, where an attacker convinces a carrier to port a victim's phone number to a device they control, continue to be a reliable way to intercept SMS one-time codes.

In the first half of 2022, multiple high-profile compromises traced back to SIM swaps. The attack requires social engineering against a mobile carrier, not the target organization, making it difficult for defenders to detect or prevent. Once the attacker controls the phone number, they receive SMS codes as if they were the account holder.

What Actually Works

The lesson is not that MFA is useless. MFA still blocks the overwhelming majority of automated attacks. The lesson is that not all MFA is equal, and the type of second factor you choose matters enormously. Here is what we recommend based on our red team and incident response experience.

1
Deploy FIDO2 security keys as your primary MFA method. FIDO2, implemented through hardware keys like YubiKeys or platform authenticators like Touch ID and Windows Hello, is the only MFA standard that is inherently resistant to both phishing and AiTM attacks. The authentication ceremony is bound to the origin of the legitimate service, so a proxy site cannot replay the token. If you can only do one thing, make it this.
2
If you must use push notifications, enable number matching and require biometric approval. Microsoft recently began rolling out number matching for Authenticator push notifications, which requires the user to type a number displayed on the login screen into their phone. This defeats push-bombing because the attacker cannot see the number. Combined with biometric verification (fingerprint or face), push MFA becomes significantly harder to bypass.
3
Eliminate SMS-based MFA from your organization. Replace it with authenticator app TOTP codes at minimum, and FIDO2 keys ideally. SMS offers no protection against SIM-swapping and is trivially interceptable. No organization that takes security seriously should rely on SMS as a second factor in 2022.
4
Implement conditional access policies that limit session token lifetimes and bind sessions to device trust. Even if a token is stolen, short session lifetimes reduce the attacker's window. Device trust policies ensure that a token stolen on an unmanaged device cannot be used from a different, untrusted device. Azure AD Conditional Access and similar tools in Okta and Ping support these controls today.
5
Monitor for anomalous session activity. A session token used from a new geography, a new device, or at an unusual time is a strong signal of AiTM token theft. Invest in detection capabilities that flag these anomalies, and integrate them into your incident response runbooks so they trigger investigation, not just an alert.

MFA is not a checkbox. It is a control that requires thoughtful implementation and ongoing evaluation. The techniques described here are being used right now, against real organizations, with real consequences. The gap between "we have MFA" and "our MFA actually stops attackers" is wider than most security teams realize. Closing that gap starts with understanding that the threat has moved past guessing passwords. Your second factor needs to be just as resistant as your first.

Not sure if your MFA implementation can withstand modern bypass techniques? Our red team can find out. Get in touch with our team.