From Denials to Breach: Detecting MFA Exploitation

Introduction

Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more verification factors to access a system or application. These factors typically include something the user knows such as a password, something the user has such as a phone or hardware token, and something the user is such as a fingerprint. In cloud environments like Azure AD, MFA provides a critical layer of defense against credential theft and unauthorized access. However, despite its significant contribution to security, MFA is not entirely immune to abuse. Attackers have developed various methods to bypass or exploit MFA workflows. 

This blog discusses three real-world MFA attack techniques: MFA Fatigue, Pass-the-MFA, and Office 365 MFA Abuse.


What is an MFA Attack?

MFA attacks exploit the fact that Multi-Factor Authentication, while strong, often depends on user behavior and flawed configurations.
Attackers can abuse it by overwhelming users with approval requests (MFA fatigue), stealing session tokens (Pass-the-MFA), or bypassing it entirely through legacy protocols or app permissions. The key weakness isn't MFA itself; it's how MFA is applied and maintained.

Example of an MFA push prompt; frequent notifications like this can lead to accidental approval.


Attack Flows

MFA Fatigue Attack

In an MFA Fatigue attack, the attacker begins by obtaining the victim's credentials, typically via phishing or credential stuffing. Once they have valid credentials, they begin a series of repeated login attempts that trigger MFA push notifications on the user's device. The attacker counts on the user being confused, annoyed, or socially engineered into approving one of these push prompts, especially if they arrive in rapid succession.

For example, an attacker may combine the fatigue tactic with social engineering by impersonating IT support and sending a message (e.g., over SMS, Teams, or WhatsApp) claiming that the push is a legitimate verification step. Eventually, the user may tap "Approve" out of habit or confusion, granting the attacker full access to the account.

Example of an MFA rejection log

Example of a successful login log after MFA confirmation


Detection:

To effectively hunt for MFA fatigue attacks, begin by identifying user accounts that exhibit a high volume of denied or ignored MFA requests over a short period of time. Focus on cases where these repeated failures are immediately followed by a successful login attempt; this pattern often means the user eventually approved an MFA prompt, either by mistake or under pressure. Correlate the successful login with the same IP address, ASN, or device fingerprint used during the denied attempts to confirm that the session originated from the same source as the denials. Additionally, investigate scenarios where the time interval between the failed MFA requests and the eventual success is very short, indicating rapid retries. Pay close attention to successful logins occurring at unusual hours or from geographic locations inconsistent with the user’s normal behavior, as these may highlight anomalous approval patterns resulting from fatigue exploitation.
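The hunt described above, written out as a small detection over sign-in events. This is an added example, not code from the original post: the events are constructed and only loosely modelled on Azure AD sign-in log fields (user, IP address, result, timestamp), and the field names, result labels, thresholds and the "work hours" baseline are all assumptions rather than a product schema.

```python
"""Hunt for MFA fatigue: a burst of MFA denials followed by a success from the same source.

Added example, not code from the original post. Events are constructed; field
names, result labels and thresholds are assumptions, not a product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MFA_DENIED = "mfa_denied"   # constructed label: user denied or ignored the push
SUCCESS = "success"          # constructed label: sign-in completed

# Constructed sample sign-in events (not real log data).
SAMPLE_EVENTS = [
    # alice: five denied pushes in under three minutes, then a success from the same IP
    {"time": "2024-05-01T02:10:05Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": MFA_DENIED},
    {"time": "2024-05-01T02:10:40Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": MFA_DENIED},
    {"time": "2024-05-01T02:11:15Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": MFA_DENIED},
    {"time": "2024-05-01T02:11:50Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": MFA_DENIED},
    {"time": "2024-05-01T02:12:30Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": MFA_DENIED},
    {"time": "2024-05-01T02:13:10Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": SUCCESS},
    # bob: a single denial, then a success from another IP much later (normal-looking)
    {"time": "2024-05-01T09:00:00Z", "user": "bob@example.com", "ip": "198.51.100.7", "result": MFA_DENIED},
    {"time": "2024-05-01T09:45:00Z", "user": "bob@example.com", "ip": "192.0.2.44", "result": SUCCESS},
    # carol: a clean success with no denials at all
    {"time": "2024-05-01T14:00:00Z", "user": "carol@example.com", "ip": "192.0.2.9", "result": SUCCESS},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_mfa_fatigue(events, min_denials=3, denial_window=timedelta(minutes=10),
                     rapid_gap=timedelta(minutes=5), work_hours=(6, 22)):
    """Return one finding per successful sign-in preceded by a burst of MFA denials.

    A success is flagged when at least `min_denials` denials for the same user fall
    inside `denial_window` before it. Each finding records how many denials came
    from the success IP (same-source correlation), whether the success followed the
    last denial within `rapid_gap`, and whether it landed outside `work_hours`
    (UTC; an assumed baseline, a real hunt would use the user's own pattern).
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_time(e["time"]))
        for index, event in enumerate(user_events):
            if event["result"] != SUCCESS:
                continue
            success_time = parse_time(event["time"])
            # Denials for this user that fall inside the window before the success.
            denials = [
                d for d in user_events[:index]
                if d["result"] == MFA_DENIED
                and success_time - parse_time(d["time"]) <= denial_window
            ]
            if len(denials) < min_denials:
                continue
            last_denial = parse_time(denials[-1]["time"])
            findings.append({
                "user": user,
                "success_time": event["time"],
                "success_ip": event["ip"],
                "denials": len(denials),
                "denials_from_success_ip": sum(1 for d in denials if d["ip"] == event["ip"]),
                "seconds_since_last_denial": int((success_time - last_denial).total_seconds()),
                "rapid_retry": success_time - last_denial <= rapid_gap,
                "off_hours": not (work_hours[0] <= success_time.hour < work_hours[1]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_mfa_fatigue(SAMPLE_EVENTS):
        print(finding)
```

Only alice is reported: five denials inside the window, all from the IP that later succeeded, 40 seconds after the last denial and at 02:13 UTC. Bob's single denial stays below the threshold, which is the point of requiring a burst rather than alerting on every denial.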


Pass-the-MFA Attack

A more hands-on variant of the Pass-the-MFA attack involves real-time phishing using a fake Microsoft 365 login page. In this technique, the attacker sets up a convincing replica of the Outlook 365 login screen and lures the victim into entering both their credentials and their multi-factor authentication (MFA) code (such as from Google Authenticator or Microsoft Authenticator).

Unlike traditional phishing, where only the password is stolen, this method forwards the stolen credentials and the MFA code in real-time to the legitimate Microsoft login endpoint. The attacker acts as a man-in-the-middle, instantly passing the user's input to the real page. This allows the attacker to successfully complete the login flow and obtain a valid authenticated session, despite MFA being enabled.

Once authenticated, the attacker harvests the issued session tokens (e.g., access token or refresh token) and can replay them from their own device, maintaining full access without needing to perform MFA again. This technique is often used in combination with tools like Evilginx, Modlishka, or Muraena, which automate the interception and relay process.

Detection:

To detect this kind of attack, look for anomalies in session behavior immediately after a successful MFA. Signs include logins from unusual IPs or devices that occur just seconds after a real user completes authentication, or sudden session token reuse from a separate geography or device fingerprint. Suspicious behavior often includes high-privilege operations shortly after login, or the presence of new user-agents or ASN changes in the session stream. Monitoring for impossible travel combined with session replay can reveal such attacks even if the login appears to be fully compliant with MFA requirements.
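The session checks described above, as an added example that is not part of the original post. It compares every activity record against the MFA sign-in that opened its session and reports fingerprint changes (IP, ASN, user agent, country) within a short window of that sign-in. The session stream is constructed, and the field names, the operation names on the privileged watch list and the 15-minute window are assumptions standing in for whatever the identity provider's sign-in and activity logs actually expose.

```python
"""Flag session reuse from a different source shortly after an MFA-backed sign-in.

Added example, not code from the original post. Records are constructed; the
fields, operation names and window are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed session stream (not real log data). The second "sessionA" activity
# reuses the session id from a different IP, ASN, user agent and country only
# 90 seconds after the real user completed MFA.
SAMPLE_STREAM = [
    {"time": "2024-05-02T10:00:00Z", "session": "sessionA", "user": "alice@example.com",
     "event": "signin_mfa", "ip": "198.51.100.7", "asn": "AS64496",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "country": "NL", "operation": None},
    {"time": "2024-05-02T10:00:20Z", "session": "sessionA", "user": "alice@example.com",
     "event": "activity", "ip": "198.51.100.7", "asn": "AS64496",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "country": "NL", "operation": "MailItemsAccessed"},
    {"time": "2024-05-02T10:01:30Z", "session": "sessionA", "user": "alice@example.com",
     "event": "activity", "ip": "203.0.113.50", "asn": "AS64500",
     "user_agent": "python-requests/2.31", "country": "US", "operation": "Add member to role"},
    {"time": "2024-05-02T11:00:00Z", "session": "sessionB", "user": "bob@example.com",
     "event": "signin_mfa", "ip": "192.0.2.44", "asn": "AS64501",
     "user_agent": "Mozilla/5.0 (Macintosh)", "country": "DE", "operation": None},
    {"time": "2024-05-02T11:05:00Z", "session": "sessionB", "user": "bob@example.com",
     "event": "activity", "ip": "192.0.2.44", "asn": "AS64501",
     "user_agent": "Mozilla/5.0 (Macintosh)", "country": "DE", "operation": "FileDownloaded"},
]

# Attributes that make up the source fingerprint of a session.
FINGERPRINT_FIELDS = ("ip", "asn", "user_agent", "country")

# Constructed watch list of operations worth escalating when they follow a fingerprint change.
PRIVILEGED_OPERATIONS = {"Add member to role", "Set-Mailbox", "New-InboxRule"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed stream."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_session_replay(stream, window=timedelta(minutes=15)):
    """Report activity that reuses a session id from a different source fingerprint.

    The MFA sign-in that opened each session is the baseline. Any later activity in
    the same session whose fingerprint differs, within `window` of the sign-in, is
    returned with the changed fields, the elapsed seconds and a privileged flag.
    """
    baselines = {}
    findings = []
    for record in sorted(stream, key=lambda r: parse_time(r["time"])):
        if record["event"] == "signin_mfa":
            baselines[record["session"]] = record
            continue
        baseline = baselines.get(record["session"])
        if baseline is None:
            continue
        elapsed = parse_time(record["time"]) - parse_time(baseline["time"])
        if elapsed > window:
            continue
        changed = [field for field in FINGERPRINT_FIELDS if record[field] != baseline[field]]
        if not changed:
            continue
        findings.append({
            "user": record["user"],
            "session": record["session"],
            "time": record["time"],
            "changed_fields": changed,
            "seconds_after_mfa": int(elapsed.total_seconds()),
            "country_change": baseline["country"] != record["country"],
            "privileged_operation": record["operation"] in PRIVILEGED_OPERATIONS,
        })
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(SAMPLE_STREAM):
        print(finding)
```

The sign-in itself looks fully compliant with MFA; what gives the replay away is the session continuing from a second source with a scripted user agent and a country change, followed by a role change. Bob's session, whose activity matches its own sign-in, produces nothing.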


Office 365 MFA Abuse

This attack targets weaknesses in how MFA is enforced across Microsoft 365. Many organizations still allow legacy protocols like IMAP, POP3, or SMTP, which do not support MFA. An attacker with valid credentials can exploit these protocols to authenticate without triggering any MFA challenge.

Additionally, attackers can register rogue OAuth applications and trick users into consenting to broad permissions. Once granted, these apps receive long-lived tokens that allow access to services such as Exchange Online, SharePoint, and Teams, again without requiring MFA if Conditional Access policies aren’t configured strictly enough.

In both cases, the attacker gains persistence and visibility into internal communications and data without triggering standard security controls.

Detection:

Hunting for Office 365 MFA abuse begins by identifying successful login events that use legacy authentication protocols such as IMAP, POP, or SMTP; these are often excluded from modern MFA enforcement policies. Examine authentication logs for users who have not previously used these protocols, especially when logins come from foreign or suspicious IP ranges. Additionally, monitor for new or recently registered applications that request OAuth consent with unusually broad permissions. These rogue applications can be used to acquire tokens that grant access to services like Exchange, SharePoint, or Teams without requiring MFA. Trace the use of such tokens and analyze access patterns, particularly for signs of large-scale data reads, downloads, or mailbox activity, which may indicate exfiltration or lateral movement across the Microsoft 365 environment.
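Both hunts above (first-time legacy-protocol sign-ins, and consent grants to new apps with broad permissions) as one added example that is not part of the original post. The sign-in and consent events are constructed; the legacy client labels are modelled on the values Azure AD sign-in logs use for legacy clients and the permission names are real Microsoft Graph scopes, but the record layout, the 30-day baseline of known legacy users, the app names and the "broad scope" list are assumptions.

```python
"""Hunt for legacy-protocol sign-ins and broad OAuth consents in Microsoft 365 logs.

Added example, not code from the original post. Events are constructed; the
record layout, baseline and thresholds are assumptions.
"""

# Client labels modelled on the legacy client values seen in Azure AD sign-in logs.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed baseline: users seen on legacy protocols during a prior 30-day period.
KNOWN_LEGACY_USERS = {"dave@example.com"}

# Real Microsoft Graph scope names; the choice of which count as "broad" is an assumption.
# offline_access matters because it is what yields a refresh token (the long-lived access
# the post describes).
BROAD_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "offline_access",
}

# Constructed sign-in events (not real log data).
SAMPLE_SIGNINS = [
    {"time": "2024-05-03T03:12:00Z", "user": "alice@example.com", "ip": "203.0.113.77", "client_app": "IMAP4", "result": "success"},
    {"time": "2024-05-03T08:00:00Z", "user": "dave@example.com", "ip": "192.0.2.18", "client_app": "IMAP4", "result": "success"},
    {"time": "2024-05-03T08:30:00Z", "user": "bob@example.com", "ip": "198.51.100.3", "client_app": "Browser", "result": "success"},
    {"time": "2024-05-03T09:10:00Z", "user": "erin@example.com", "ip": "203.0.113.90", "client_app": "POP3", "result": "failure"},
]

# Constructed OAuth consent events (not real log data).
SAMPLE_CONSENTS = [
    {"time": "2024-05-03T10:00:00Z", "user": "alice@example.com", "app": "Invoice Sync Helper",
     "app_created_days_ago": 2, "scopes": ["offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"]},
    {"time": "2024-05-03T10:30:00Z", "user": "bob@example.com", "app": "Corporate Wiki",
     "app_created_days_ago": 400, "scopes": ["User.Read"]},
]


def find_new_legacy_auth(signins, known_legacy_users=frozenset(KNOWN_LEGACY_USERS)):
    """Return successful legacy-protocol sign-ins by users with no legacy history.

    Failed attempts are ignored here (they belong in a separate spray/brute-force
    hunt); users already in the baseline are treated as expected legacy consumers.
    """
    return [
        {"user": s["user"], "client_app": s["client_app"], "ip": s["ip"], "time": s["time"]}
        for s in signins
        if s["result"] == "success"
        and s["client_app"] in LEGACY_CLIENT_APPS
        and s["user"] not in known_legacy_users
    ]


def find_broad_consents(consents, new_app_days=30):
    """Return consent grants that include any broad scope, noting recently created apps.

    `new_app` marks applications registered within `new_app_days`, the
    "new or recently registered" condition from the text; `refresh_token`
    marks grants that include offline_access and therefore yield long-lived tokens.
    """
    findings = []
    for consent in consents:
        broad = sorted(set(consent["scopes"]) & BROAD_SCOPES)
        if not broad:
            continue
        findings.append({
            "user": consent["user"],
            "app": consent["app"],
            "time": consent["time"],
            "new_app": consent["app_created_days_ago"] <= new_app_days,
            "broad_scopes": broad,
            "refresh_token": "offline_access" in consent["scopes"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_new_legacy_auth(SAMPLE_SIGNINS):
        print("legacy auth:", finding)
    for finding in find_broad_consents(SAMPLE_CONSENTS):
        print("broad consent:", finding)
```

Alice's IMAP4 sign-in is reported because she has never used a legacy client before, while Dave's identical sign-in is suppressed by the baseline; the consent to the two-day-old app asking for mailbox, file and refresh-token scopes is reported, the long-standing app asking only for `User.Read` is not.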

Real-World Example: Rockstar Games Breach (2022)

In 2022, a 17-year-old attacker from the Lapsus$ group used MFA Fatigue to breach Rockstar Games. After stealing credentials from a Slack account, the attacker flooded an employee with MFA requests until one was approved.

This granted them access to internal systems, including sensitive files and unreleased footage from the next Grand Theft Auto game. The incident shows how social engineering + MFA abuse can penetrate even large, security-aware organizations.


Real-World Example: SolarWinds Email Access (2020)

In 2020, attackers linked to the SolarWinds campaign used Office 365 MFA Abuse to access internal email accounts at multiple U.S. government agencies. By exploiting misconfigured Conditional Access policies and legacy authentication protocols, the attackers bypassed MFA entirely for some accounts. They leveraged OAuth token abuse to impersonate users and maintain persistent access to Office 365 services, including Outlook and SharePoint. This allowed them to quietly monitor communications and exfiltrate sensitive information over an extended period. The case highlighted how token misuse and weak MFA enforcement can expose even high-security environments to long-term compromise.


Mitigation

To defend against MFA attacks, organizations should enable "number matching" to prevent users from approving prompts blindly, and implement Conditional Access policies to block or challenge sign-ins from unfamiliar locations. User training is essential to help recognize and report suspicious MFA behavior. It's also important to limit repeated MFA prompts to prevent flooding, and to configure alerts for multiple MFA denials. All MFA activity should be logged for threat detection and forensic analysis. For sensitive actions, require re-authentication instead of relying on previously satisfied MFA, and avoid using push notifications for high-privilege accounts by opting for more secure methods like OTPs or hardware tokens.

  • Enforce MFA number matching: Require users to type the number shown on screen, instead of approving blindly.
    Note: Attackers may still trick users via phishing messages instructing them to approve or match the number.
  • Implement Conditional Access policies: Block or challenge sign-ins from unfamiliar IP addresses or locations.
  • Educate users: Train users to recognize and report suspicious MFA behavior.
  • Limit MFA retry attempts: Throttle repeated MFA prompts to prevent notification flooding.
  • Alert on MFA denials: Configure monitoring to detect users who deny or ignore multiple prompts in succession.
  • Audit all MFA activity: Keep detailed logs of requests, approvals, and denials for threat hunting and forensics.
  • Require fresh MFA for sensitive actions: Don’t rely on “previously satisfied” MFA; re-challenge on privileged or risky operations.
  • De-prioritize push MFA: For high-privilege accounts, use more deliberate methods like OTPs or hardware tokens.


Conclusion

Multi-Factor Authentication (MFA) remains one of the most effective tools for protecting identities, but it is not foolproof. Attackers have adapted by using techniques such as fatigue attacks to pressure users, token theft to bypass re-authentication, and exploiting configuration gaps to avoid enforcement. To effectively defend against these threats, organizations must implement strong Conditional Access policies, invest in user training and awareness, use short-lived and well-protected tokens, and maintain continuous monitoring and threat detection. MFA provides a critical layer of defense, but it should be part of a broader security strategy rather than relied upon as a standalone solution.


Cyngular Security's CIRA Platform

To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.

Get a Free Breach Assessment

Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:

  • Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.
  • Easy Setup: Integrates seamlessly with your existing SIEM systems.
  • Deep Insights: Empowers your cybersecurity strategy with advanced threat hunting and proactive investigation capabilities.

Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.
