While Multi-Factor Authentication (MFA) adds an extra layer of security by requiring multiple forms of verification, hackers are finding ways to get around it using clever phishing attacks. These attacks often trick people into giving away their MFA codes or redirect them to fake login pages that capture their credentials. Once hackers have this information, they can access accounts even with MFA in place. 

Recent statistics show the growing challenge: 

• About 35% of compromised accounts had MFA enabled, showing that MFA alone isn’t always enough. 

• 90% of organisations that experienced unauthorised access had MFA in place at the time of the breach. 

In Ireland, organisations must report a data breach to the Data Protection Commission within 72 hours of becoming aware of it, who will decide if the company is liable for the breach and depending on the severity of the breach can impose administrative fines. 

These numbers highlight the need for ongoing improvements in security measures and better user education to stay ahead of these evolving threats. 

How are hackers getting into accounts with MFA? 

Hackers are now getting access to user accounts protected by MFA by using a technique called a “Man-in-the-Middle attack”. The attacker can trick the user into entering their username and password, as well as the one-time code or MFA token that is sent to their mobile for verification. The attacker can then use this information to log in to the account as the user and access their sensitive data or perform malicious actions. The user won’t notice anything’s wrong until they get locked out of their account or informed by someone else. 

Attackers use these tools to create phishing websites that can capture user credentials and session cookies, even if the target website uses multi-factor authentication (MFA). These attacks are called Man-in-the-middle attacks because the attacker acts as a proxy between the user and the legitimate website, to deceive the user and steal their information. 

Watch a hacker bypass MFA:

How can users and companies protect themselves from Man-in-the-middle attacks? 

Things end users can do to protect themselves from MFA Bypass attacks: 

• Always check the URL of the website they are visiting and make sure it matches the expected domain. – look for spelling mistakes. Hackers will often register domains similar to real ones. 

• Always use a different password for each account. If you use the same password for all your accounts a hacker not only has access to your work account but everything else. 

• Always be wary of phishing emails and do not click on suspicious links or attachments, if in doubt get IT to check for you. 

Things IT admins can do to protect their companies from MFA Bypass attacks: 

• Use Phish-resistant MFA methods, these are physical tokens like usb Fido keys for highly sensitive accounts such as Finance or HR. 

• Consider going passwordless completely – you can’t steal a password if there isn’t one! 

• Implement companywide security awareness training and regular phishing simulations, everyone thinks they can spot a phishing email until they get one. 

• Restrict company data to company devices only. If an account is breached and the password and MFA token is lost unless the attacker has a company device, they can’t sign in. 

• Alerting – if an account is breached its important to find out quickly to stop the damage. Look into what options are available to alert your staff and IT if there is a breach. 

While MFA is a crucial component of modern cybersecurity, it is not infallible. The rise of sophisticated phishing attacks and techniques like Man-in-the-Middle attacks demonstrate that relying solely on MFA is insufficient. Organisations and individuals must adopt a multi-layered security approach, combining robust technical measures with continuous user education and vigilance. By staying informed about the latest threats and implementing comprehensive security strategies, you can better protect your digital identities and sensitive information from evolving cyber threats.

To find out more, contact our team of experts to find our how you can strengthen your organisations security posture and avoid a Man-in-the-Middle Attack – asktheexpert@enterprise-solutions.ie

Cormac De Róiste

An experienced Senior Microsoft 365 engineer, specializing in cloud services such as Intune, Entra/Azure as well Microsoft’s Security products. Cormac has years of experience protecting companies against Data breach’s or dealing with the aftermath and can help your company protect its data from attacks from both outside or within.

cormac-deroiste Cormac De Róiste

An experienced Senior Microsoft 365 engineer, specializing in cloud services such as Intune, Entra/Azure as well Microsoft's Security products. Cormac has years of experience protecting companies against Data breach's or dealing with the aftermath and can help your company protect its data from attacks from both outside or within.

Recent posts

The Evolution of MSIX and Its Impact on DaaS

Evolution of MSIX and Its Impact on DaaS

Leveraging Terraform with Citrix – Overcoming Challenges and Reaping Benefits