MFA Bypass Attacks: When Your Second Layer of Security Isn't Enough

For years, multi-factor authentication felt like the ultimate security solution. Add that extra layer of protection, and your business accounts would be safe from cybercriminals. It was reassuring advice that most New Zealand businesses took to heart, implementing MFA across their Microsoft 365, banking, and critical business systems. But what happens when that seemingly bulletproof security measure isn't quite as bulletproof as we thought?

Written by Shane Ross
Published on 23rd August 2025

Multi-factor authentication (MFA) has become the gold standard for protecting business accounts. Most New Zealand businesses have implemented it across their Microsoft 365, banking, and critical business systems. However, as security measures evolve, so do cybercriminal tactics. Throughout 2025, we've seen a troubling rise in sophisticated MFA bypass attacks that are catching even security-conscious businesses off guard.

Several high-profile incidents earlier this year highlighted the considerable impact of these attacks, with multiple organisations experiencing account compromises despite having robust MFA implementations. For New Zealand SMBs, this represents a significant shift in the threat landscape that demands immediate attention.

What is MFA Bypass?

MFA bypass refers to sophisticated techniques that cybercriminals use to circumvent multi-factor authentication systems. Unlike traditional phishing that simply harvests passwords, these attacks capture both your password and your authentication codes in real-time, giving attackers complete access to your accounts.

The process is deceptively simple. Attackers set up a reverse proxy and send out phishing messages that appear completely normal. When the victim connects to the attacker's system, the attacker forwards the victim's traffic onwards to the real site. From the victim's perspective, the site they've connected to looks authentic — because it actually is!

What's particularly concerning is how accessible these attacks have become. Thanks to turnkey Phishing-as-a-Service (PhaaS) toolkits, almost anyone can conduct these sophisticated attacks without deep technical knowledge. Tools such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, and Mamba 2FA have made these attacks disturbingly commonplace.

How MFA Bypass Attacks Work

The Reverse Proxy Method

The technical mechanics behind these attacks are surprisingly straightforward. By positioning themselves between the victim and the legitimate website, attackers can intercept the username and password as they're transmitted to the real site. This triggers an MFA request from the legitimate service, which is sent back to the victim. When the victim receives and approves this seemingly normal MFA request, the authentication cookie is returned through the attacker's proxy server, where it's captured.

The brilliance of this approach lies in its authenticity. Users see the real login page — not a fake replica. The only telltale sign is a slightly different URL in the browser address bar, which most users don't scrutinise carefully enough.

Push Fatigue Attacks

Another increasingly common technique is MFA prompt bombing, which exploits human psychology rather than technical vulnerabilities. Attackers overwhelm users with repeated login requests, creating what security experts call "alert fatigue."

The scenario typically unfolds like this: attackers send dozens of authentication requests to a user's phone throughout the day. Eventually, the frustrated user approves one just to stop the constant notifications, unknowingly granting the attacker access. It's a psychological manipulation that preys on our natural desire to make annoying interruptions stop.
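The usual countermeasures to prompt bombing are number matching (the login screen shows a number that must be typed into the authenticator app, so a prompt the user did not start cannot simply be tapped "Approve") and a lockout that disables push after a run of failed prompts and alerts the security team. The following Python is an added example written for this article and is not OneCall's code or any vendor's implementation; the window of 600 seconds, the limit of three failures, the two-digit match number, and the user name are assumptions chosen for the walkthrough.

```python
import secrets
from collections import deque

WINDOW_SECONDS = 600   # look-back window for counting failed prompts (assumed policy value)
MAX_FAILED = 3         # failed prompts in the window before push is disabled for the user (assumed)


class PushPolicy:
    """Per-user push-prompt policy: number matching plus a lockout after repeated failures.

    The login screen shows a two-digit number and the user must type it into the
    authenticator app. A prompt the user did not start cannot be approved by tapping
    "Approve" because the matching number is only shown on the screen that requested
    the login. Repeated failures disable push for that user and raise an alert.
    """

    def __init__(self):
        self._failures = {}   # user -> deque of failure timestamps within the window
        self._pending = {}    # prompt_id -> (user, number shown on the login screen)
        self.locked = set()   # users whose push prompts are disabled pending investigation
        self.alerts = []      # messages a SOC would receive

    def _recent_failures(self, user, now):
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def request_prompt(self, user, now):
        """Called by the login flow. Returns (prompt_id, number) or None when push is disabled."""
        if user in self.locked or len(self._recent_failures(user, now)) >= MAX_FAILED:
            return None
        prompt_id = secrets.token_hex(4)
        number = secrets.randbelow(100)
        self._pending[prompt_id] = (user, number)
        return prompt_id, number

    def respond(self, user, prompt_id, entered, now):
        """Called from the authenticator app. `entered` is None when the user denies or ignores."""
        pending = self._pending.get(prompt_id)
        if pending is None or pending[0] != user:
            return "invalid"
        del self._pending[prompt_id]
        if entered is not None and entered == pending[1]:
            return "approved"
        failures = self._recent_failures(user, now)
        failures.append(now)
        if len(failures) >= MAX_FAILED:
            self.locked.add(user)
            self.alerts.append(
                f"{user}: {len(failures)} failed push prompts within {WINDOW_SECONDS}s; "
                "push disabled, investigate possible prompt bombing"
            )
        return "denied"


def simulate_prompt_bombing(user="jane@example.co.nz"):
    """Constructed scenario: four prompts arrive 15 s apart for a user who is not logging in."""
    policy = PushPolicy()
    outcomes = []
    t0 = 1_000.0
    for i in range(4):
        now = t0 + 15 * i
        prompt = policy.request_prompt(user, now)
        if prompt is None:
            outcomes.append("blocked")
            continue
        prompt_id, _shown = prompt
        # The user never saw the number (it is on the requester's screen), so they deny.
        outcomes.append(policy.respond(user, prompt_id, None, now))
    return outcomes, policy


def simulate_legitimate_login(user="jane@example.co.nz"):
    """Constructed scenario: the user starts a login, sees the number, and types it in."""
    policy = PushPolicy()
    prompt_id, shown = policy.request_prompt(user, 2_000.0)
    return policy.respond(user, prompt_id, shown, 2_010.0)
```

In the bombing scenario the first three prompts are denied, the fourth is never delivered, and one alert is raised; the legitimate flow is approved because the user typed the number shown on their own screen. The point of the lockout is as much the alert as the block: a burst of denied prompts means someone already holds the password and the account needs a reset, not just a quieter phone.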

Session Hijacking

Session hijacking represents perhaps the most sophisticated bypass method. Rather than trying to capture credentials, attackers steal authentication tokens from active browser sessions, allowing them to bypass MFA entirely. These tools and techniques are increasingly being shared across underground forums, making them more accessible to less skilled attackers.

Once attackers obtain these session tokens, they can maintain access to accounts for extended periods without needing to authenticate again — essentially piggybacking on legitimate user sessions.

Real-World Impact on New Zealand Businesses

The consequences of successful MFA bypass attacks extend far beyond simple account access. In successful attacks, perpetrators gained access to sensitive emails, created malicious inbox rules to cover their tracks, and potentially used compromised accounts to launch additional phishing campaigns, creating a dangerous cascading effect that amplifies the initial breach.

For a typical New Zealand business, this might mean:

Professional Services Firms: Client confidentiality breaches, access to sensitive financial documents, and potential regulatory violations under the Privacy Act 2020.

Healthcare Practices: Compromised patient records, violation of health information privacy requirements, and potential disruption to appointment systems.

Manufacturing and Trade: Supply chain communications intercepted, customer data stolen, and potential industrial espionage.

Retail Businesses: Customer payment information at risk, loyalty program data compromised, and point-of-sale systems potentially infiltrated.

Warning Signs of MFA Bypass Attempts

Signs of an MFA bypass include logins from unfamiliar IPs or devices, unusual geographical access, and suspicious MFA prompts. Users redirected to fake login pages hint at adversary-in-the-middle attacks. Changes in browser cookies or extensions can signal session hijacking.

Additionally, watch for:

  • Unexpected MFA notifications when you haven't tried to log in

  • Emails appearing in your sent folder that you didn't send

  • New inbox rules you didn't create

  • Login notifications from unusual locations or times

  • Colleagues receiving suspicious emails from your account
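Several of the warning signs above can be checked automatically from sign-in and mailbox audit logs. The Python below is an added example for this article, not OneCall's tooling and not Microsoft's; the log records are constructed samples shaped loosely like Microsoft 365 sign-in and audit entries, and the two-hour travel window, one-hour rule window, and list of "hide or divert" rule settings are assumptions. It flags an MFA-satisfied sign-in from an IP and device never seen for the user, a country change inside the travel window, and a new inbox rule that hides or forwards mail, escalating the rule alert when it follows an anomalous sign-in.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely shaped like M365 sign-in and mailbox audit logs. Not real data.
SIGNINS = [
    {"time": "2025-08-20T08:02:00", "user": "jane@example.co.nz", "ip": "203.0.113.10",
     "country": "NZ", "device": "LAPTOP-JANE", "mfa": "satisfied"},
    {"time": "2025-08-20T09:15:00", "user": "jane@example.co.nz", "ip": "203.0.113.10",
     "country": "NZ", "device": "LAPTOP-JANE", "mfa": "satisfied"},
    {"time": "2025-08-20T09:41:00", "user": "jane@example.co.nz", "ip": "198.51.100.77",
     "country": "NL", "device": "unregistered", "mfa": "satisfied"},
    {"time": "2025-08-20T10:05:00", "user": "tom@example.co.nz", "ip": "203.0.113.22",
     "country": "NZ", "device": "DESKTOP-TOM", "mfa": "satisfied"},
]
AUDIT = [
    {"time": "2025-08-20T09:50:00", "user": "jane@example.co.nz", "op": "New-InboxRule",
     "detail": "SubjectContainsWords=invoice; MoveToFolder=RSS Subscriptions; MarkAsRead=True"},
    {"time": "2025-08-20T10:30:00", "user": "tom@example.co.nz", "op": "Set-Mailbox",
     "detail": "Language=en-NZ"},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule settings commonly used to hide or divert mail; treated as suspicious here (assumption).
HIDE_OR_DIVERT = ("RSS", "Deleted Items", "DeleteMessage", "MarkAsRead", "ForwardTo", "RedirectTo")


def _t(rec):
    return datetime.fromisoformat(rec["time"])


def detect(signins, audit, travel_window=timedelta(hours=2), rule_window=timedelta(hours=1)):
    """Stream events in time order and return a list of alert dicts."""
    alerts = []
    baseline = {}      # user -> set of (ip, device) seen so far
    last = {}          # user -> previous sign-in record
    flagged_at = {}    # user -> datetimes of anomalous events

    def alert(rec, severity, reason):
        alerts.append({"time": rec["time"], "user": rec["user"], "severity": severity, "reason": reason})
        flagged_at.setdefault(rec["user"], []).append(_t(rec))

    for rec in sorted(signins, key=_t):
        user, known = rec["user"], baseline.setdefault(rec["user"], set())
        prior_ips = {ip for ip, _ in known}
        prior_devices = {dev for _, dev in known}
        # MFA satisfied from an IP *and* a device never seen for this user: consistent with
        # a relayed session rather than the user's own laptop.
        if known and rec["ip"] not in prior_ips and rec["device"] not in prior_devices:
            alert(rec, "medium", "MFA-satisfied sign-in from IP and device never seen for this user")
        prev = last.get(user)
        # Country change within the travel window (no geodistance maths: a simplification).
        if prev and prev["country"] != rec["country"] and _t(rec) - _t(prev) <= travel_window:
            alert(rec, "medium", f"sign-ins from {prev['country']} and {rec['country']} within {travel_window}")
        known.add((rec["ip"], rec["device"]))
        last[user] = rec

    for rec in sorted(audit, key=_t):
        if rec["op"] not in RULE_OPS:
            continue
        hides = [m for m in HIDE_OR_DIVERT if m in rec["detail"]]
        recent = [t for t in flagged_at.get(rec["user"], []) if timedelta(0) <= _t(rec) - t <= rule_window]
        if hides and recent:
            minutes = int((_t(rec) - recent[-1]).total_seconds() // 60)
            alert(rec, "high", f"inbox rule that hides/diverts mail ({', '.join(hides)}) created "
                               f"{minutes} min after an anomalous sign-in")
        elif hides:
            alert(rec, "low", f"inbox rule that hides/diverts mail ({', '.join(hides)})")
    return alerts
```

On the sample data the two baseline sign-ins produce nothing, the 09:41 sign-in raises two medium alerts, and the inbox rule nine minutes later is escalated to high; Tom's ordinary mailbox change is ignored. The baseline here is built from the same stream, so in practice you would seed it from a few weeks of history before trusting the "never seen" rule.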

Protecting Your Business Against MFA Bypass

Implement Phishing-Resistant Authentication

To counter MFA bypass techniques, organisations should transition to phishing-resistant authentication solutions that eliminate traditional OTPs and SMS-based codes.

Hardware Security Keys: Physical security keys, such as YubiKey and Google Titan, provide strong protection against MFA bypass attacks. These devices require physical confirmation of authentication attempts, making them virtually immune to phishing and token theft.

Biometric Authentication: Biometric factors can be paired with contextual authentication, letting organisations dynamically adjust MFA requirements based on factors such as device trust, location, and user behaviour patterns.

Passwordless Solutions: Passwordless authentication using passkeys (FIDO2) enhances security and improves user experience.
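The reason hardware keys and passkeys hold up against the reverse-proxy method described earlier is origin binding: a relayed one-time code carries nothing that says where it was typed, whereas a FIDO2/WebAuthn assertion is only offered by the browser for the site the credential was registered to, and the browser itself writes the real page origin into the signed client data, which the legitimate site then checks. The Python below is an added illustration for this article, not OneCall's code and not a real WebAuthn library; the hostnames are constructed placeholders and an HMAC stands in for the real public-key signature, which is an assumption made to keep the example dependency-free. Everything else follows the relying-party checks the WebAuthn specification requires (challenge, origin, rpIdHash, signature).

```python
import hashlib
import hmac
import json
import secrets

# Constructed identifiers for the walkthrough; not real services.
RP_ID = "login.example.co.nz"                       # the domain the passkey was registered to
RP_ORIGIN = "https://login.example.co.nz"           # the only origin the relying party accepts
PROXY_ORIGIN = "https://login.example-co-nz.test"   # stand-in for a proxied lookalike page


def _host(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]


class Authenticator:
    """Toy passkey bound to RP_ID at registration.

    An HMAC over a secret key stands in for the FIDO2 private-key signature (assumption).
    A real relying party stores only the public key; here it is given the same key."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)

    def sign(self, client_data_hash):
        # authenticatorData = rpIdHash | flags (user present) | signature counter
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        return auth_data, hmac.new(self.key, auth_data + client_data_hash, "sha256").digest()


def browser_get_assertion(authenticator, page_origin, challenge):
    """What the browser does: it refuses credentials whose rpId is not the page's host or a
    parent of it, and it writes the *real* page origin into clientDataJSON itself."""
    host = _host(page_origin)
    if not (host == authenticator.rp_id or host.endswith("." + authenticator.rp_id)):
        return None   # credential not offered; a page on another domain cannot request it
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.sign(hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(authenticator_key, assertion, issued_challenge):
    """Relying-party checks that matter against a relaying proxy."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {RP_ORIGIN}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(authenticator_key,
                        auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def verify_otp(entered, expected):
    """A relayed six-digit code has nothing tying it to the page it was typed into."""
    return entered == expected


def login_attempt(page_origin):
    """Relying party's decision for a passkey login started from the given page origin.
    The challenge is issued by the real site; a proxy would relay it unchanged."""
    auth = Authenticator(RP_ID)
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(auth, page_origin, challenge)
    if assertion is None:
        return False, "browser offered no credential for this origin"
    return rp_verify(auth.key, assertion, challenge)


def origin_check_demo():
    """Even if client data naming the proxy origin reached the relying party, the origin
    check rejects it; the signature covers clientDataJSON, so the origin cannot be swapped."""
    auth = Authenticator(RP_ID)
    challenge = secrets.token_urlsafe(32)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": PROXY_ORIGIN}).encode()
    auth_data, sig = auth.sign(hashlib.sha256(client_data).digest())
    return rp_verify(auth.key, {"clientDataJSON": client_data,
                                "authenticatorData": auth_data, "signature": sig}, challenge)
```

A login started on the real origin verifies; the same login started on the lookalike origin never produces an assertion at all, and an assertion carrying the wrong origin fails the relying party's check. The OTP comparison shows the contrast: the code itself is valid wherever it is entered, which is exactly the property the reverse-proxy method relies on.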

Strengthen Your Defence Strategy

Enhanced Monitoring: Enforce session timeouts and require re-authentication. Deploy Endpoint Detection & Response (EDR) solutions to detect abnormal session activity.

Employee Training: Staff need to understand that MFA codes should never be shared, even under pressure. Regular security awareness training should include specific scenarios about MFA bypass attempts.

Conditional Access Policies: Implement strict policies that require additional verification for logins from new devices or unusual locations.

Regular Security Audits: Conduct quarterly reviews of user access rights and authentication methods to identify potential vulnerabilities.

The Bottom Line for New Zealand Businesses

MFA bypass attacks represent a fundamental shift in cybersecurity threats. The traditional approach of "just add MFA" is no longer sufficient protection against determined attackers. However, this doesn't mean MFA is useless – it means businesses need to evolve their security strategies.

The key is implementing phishing-resistant authentication methods, maintaining vigilant monitoring, and ensuring staff understand the evolving threat landscape. For most New Zealand SMBs, this requires partnership with experienced cybersecurity professionals who can implement and manage these advanced security measures.

Don't wait for an attack to expose the limitations of your current MFA setup. The cost of upgrading to phishing-resistant authentication is minimal compared to the potential impact of a successful bypass attack on your business operations and reputation.

Moving Forward with Confidence

Understanding MFA bypass techniques isn't about creating fear – it's about making informed decisions to protect your business. By implementing modern, phishing-resistant authentication methods and maintaining strong security practices, New Zealand businesses can stay ahead of these evolving threats.

The cybersecurity landscape continues to evolve, but with the right knowledge and tools, your business can maintain robust protection against even the most sophisticated attacks.

Need help implementing phishing-resistant authentication or want to assess your current MFA setup? Don't hesitate to get in touch with our teams in Christchurch, Dunedin or Tauranga.


© 2025 OneCall