Anatomy of an MFA Bypass Attack

What is an MFA bypass attack?

A multi-factor authentication (MFA) bypass attack occurs when an attacker successfully circumvents an organization's MFA controls to gain unauthorized access. While authentication methods are an important part of prevention, they don’t always keep attackers from accessing accounts. Attackers can get around MFA requirements to gain VPN access, conduct network recon, swipe usernames and passwords and, ultimately, exfiltrate sensitive data. 

Common MFA bypass techniques

Common types of MFA bypass techniques include:

• Phishing attacks: Attackers often use sophisticated phishing techniques to trick users into providing their MFA credentials.

• MFA Fatigue attacks: The attacker spams a victim with repeated MFA requests, inundating them with validation requests until the user approves one — either out of habit or from fatigue.

• SIM swapping: Attackers hijack a victim's phone number by convincing the carrier to transfer it to a SIM card on a different device. This technique is becoming more common due to the widespread use of SMS-based authentication. 

• Session hijacking: The attacker takes over an active business app session to bypass MFA methods entirely. Once in control of the session, they can add new MFA devices, reset passwords, and use the hijacked account to progress through the corporate network. 

• Exploiting MFA flaws: Attackers find a misconfiguration or other vulnerabilities, usually in integrated OAuth and single sign-on (SSO) systems, that allows them to bypass the second authentication factor. 

Detecting attackers bypassing your MFA

Advanced MFA solutions, such as security keys and biometric verification, are a critical component of enterprise security. But don’t stop there. It’s equally crucial to monitor your environment for suspicious activity so you can catch an MFA bypass attack as soon as it happens. 

Vectra AI uses more than 150 AI-driven detection models to reveal when an attacker gets around MFA and other preventative controls. With more than 90% MITRE ATT&CK coverage and 11 references in the MITRE D3FEND framework — more than any other vendor — Vectra AI detects common techniques cybercriminals use to circumvent MFA, including:

• MFA-Failed Suspicious Sign-On
• MFA Disabled
• Suspected Compromised Access
• Privilege Operation Anomaly
• M365 Suspicious Exchange Transport Rule

For example, in one simulated attack that began with purchased VPN access, the attacker:

• Conducted network recon to move laterally over RDP
• Used stolen credentials to infiltrate SharePoint and source code
• Created a new admin account for redundant access and attempted to create a transport rule for future exfiltration
  

But with Vectra AI, defenders know which entities are impacted, each surface occupied, and what response actions to take — and can quickly lock down the accounts in question.

See how Vectra AI exposed an active MFA bypass attack

What happens when a notorious cybercrime group bypasses MFA, steals credentials, and starts moving laterally? See below how the Lapsus$ ransomware group uses MFA bypass to breach into corporate networks and learn why AI-driven detections are essential to finding similar attacks.