Can Hackers Bypass MFA?

24 Sep 2025
Multi-Factor Authentication (MFA) has become the gold standard for securing logins across business systems. Banks, cloud providers, government departments, and even social media platforms now require users to prove their identity with more than just a password. In the UK and Ireland, MFA adoption has surged, especially with the rise of remote and hybrid work.
But while MFA is far better than a password alone, it is not invincible. Too often, organisations fall into the trap of believing that implementing MFA is the final step in access security. In reality, cybercriminals are continually developing new techniques to bypass, trick, or neutralise MFA protections.
This article examines how attackers really work around MFA, why it is not a silver bullet, and what businesses in Northern Ireland and beyond can do to defend themselves.
Why MFA Isn’t Enough on Its Own
At its core, MFA is designed to require two or more of the following:
- Something you know – a password or PIN.
- Something you have – a phone, token, or app.
- Something you are – biometrics such as a fingerprint.
The logic is simple: even if an attacker steals one factor (your password), they should not be able to access your account without the second.
Unfortunately, attackers don’t need to “break” MFA itself. Instead, they sidestep it through human manipulation, technical loopholes, or exploiting weaknesses in recovery processes. The weakest link remains people, devices, and systems, not the MFA technology.
Common Ways Criminals Bypass MFA
1. Phishing Around MFA
Modern phishing kits don’t just steal usernames and passwords. They also capture MFA codes in real time. Attackers set up fake login portals, trick a user into entering their credentials, then relay those details instantly to the real service. The victim enters their MFA code, which the attacker immediately uses to gain access.
2. SIM Swapping
If MFA relies on SMS messages, criminals can persuade or bribe telecoms staff to transfer a victim’s phone number to a new SIM card. Once complete, every text message (including MFA codes) goes directly to the attacker’s device.
3. Malware on Endpoints
Keyloggers, remote access trojans, or info-stealing malware can intercept MFA codes or even capture authenticated sessions. Once a session token is hijacked, MFA has already “done its job”, but the attacker now controls the session.
4. Man-in-the-Middle Proxies
Attackers increasingly deploy “MFA proxy” tools. A user thinks they are logging into Microsoft 365 or their VPN, but in fact they are passing through a malicious proxy. This allows attackers to capture not just the login, but also the MFA challenge and the resulting access token.
5. Exploiting Recovery Paths
Many services offer backup login methods such as email recovery links, security questions, or customer support overrides. Attackers know these are often weaker than MFA and will exploit them as a back door.
6. MFA fatigue
MFA fatigue (also called MFA bombing) is a cyberattack in which criminals, having already stolen a user’s login details, repeatedly send push-based MFA requests to that user’s phone. The constant flood of pop-ups is designed to frustrate or confuse the victim into eventually approving one, giving the attacker full access. It has been used in real-world breaches against large organisations, proving that while MFA is essential, poor implementation can be exploited.
Key points:
- Attackers need a valid username and password first.
- Victims are bombarded with endless MFA prompts until they click “Approve.”
- Works best late at night or when users are distracted.
- Defences include number matching, limiting login attempts, stronger MFA methods (like hardware keys), and user training to recognise the red flag.
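As an added illustration (not code from the original article), here is a small Python detector that applies the "limit login attempts" defence to push-MFA logs: it raises an alert when one user receives a burst of push challenges inside a short window, and records whether the burst ended in an approval, which is the case a SOC should treat as a probable compromise. The log format, the thresholds and the user names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from the article): one record per prompt
# the MFA service sent, as "timestamp user event result".
SAMPLE_LOG = """\
2025-09-24T02:11:05Z alice mfa_push denied
2025-09-24T02:11:41Z alice mfa_push denied
2025-09-24T02:12:20Z alice mfa_push denied
2025-09-24T02:13:02Z alice mfa_push denied
2025-09-24T02:13:45Z alice mfa_push denied
2025-09-24T02:14:30Z alice mfa_push approved
2025-09-24T08:30:00Z bob mfa_push approved
2025-09-24T17:02:10Z bob mfa_push approved
"""


def parse_line(line):
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_mfa_fatigue(log_text, max_prompts=5, window=timedelta(minutes=10)):
    """Alert when a user receives max_prompts or more push challenges within
    a sliding window. A legitimate user rarely sees more than one or two
    prompts in ten minutes; a flood of them is the signature of MFA bombing.
    An alert whose last result is 'approved' means the flood may have worked."""
    recent = defaultdict(deque)  # user -> timestamps of prompts inside the window
    alerts = []
    for line in log_text.splitlines():
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts that have aged out of the window
            q.popleft()
        if len(q) >= max_prompts:
            alerts.append({"user": user, "at": ts, "prompts": len(q),
                           "last_result": result})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log, alice trips the threshold on her fifth prompt and again on the sixth, where the last result is "approved"; bob's two widely spaced approvals never trigger.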
Real-World Consequences
- Financial fraud – Criminal groups use SIM swaps to drain online banking accounts.
- Corporate breaches – Attackers hijack session tokens from remote workers and pivot deeper into company systems.
- Supply chain compromise – Stolen credentials with bypassed MFA are sold on dark web marketplaces, giving threat actors footholds in corporate networks.
These aren’t theoretical risks. UK law enforcement and Europol have reported growing evidence of sophisticated MFA bypass campaigns, particularly targeting Office 365, cloud storage, and banking services.
The Problem With “MFA Myths”
A dangerous myth is that once MFA is in place, accounts are “unhackable.” This belief creates complacency, and attackers rely on that false sense of security. While MFA blocks many basic attacks, it does nothing against:
- Sophisticated phishing.
- Malware on a user’s laptop.
- Poorly configured recovery mechanisms.
- Social engineering of helpdesks or telecoms providers.
The lesson is that MFA is a layer, not a complete solution.
How to Strengthen MFA Defences
Businesses cannot afford to remove MFA; it is still a vital security control. Instead, they must harden its use and surround it with additional measures.
1. Choose Stronger MFA Methods
- Avoid SMS-based codes wherever possible.
- Use authenticator apps or, better still, hardware security keys (FIDO2, YubiKey).
- Enable push-notification MFA that requires user approval rather than just a code.
2. Train Employees on MFA Scams
- Teach staff how phishing pages can look identical to the real thing.
- Encourage reporting of suspicious MFA prompts or repeated login requests.
- Run simulated phishing campaigns that include MFA scenarios.
3. Monitor for Suspicious Behaviour
- Deploy SOC or SIEM tools that spot “impossible logins” (e.g., a user signing in from Belfast and seconds later from Singapore).
- Flag multiple MFA resets or SIM swaps associated with a single account.
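The "impossible login" check above, worked through as an added Python example (not code from the article or from any SIEM product): each sign-in is compared with the same user's previous one, and the pair is flagged when the implied travel speed is beyond what an airliner could manage. The city coordinates, the 900 km/h threshold and the sign-in records are constructed for the example; a real deployment would take the location from IP geolocation on the sign-in event.

```python
import math
from datetime import datetime

# Constructed city coordinates (in production an IP-geolocation lookup supplies these).
CITY_COORDS = {
    "Belfast": (54.597, -5.930),
    "London": (51.507, -0.128),
    "Singapore": (1.352, 103.820),
}

# Constructed sign-in events (timestamp, user, city), not from the article.
SAMPLE_LOGINS = [
    ("2025-09-24T09:00:00Z", "alice", "Belfast"),
    ("2025-09-24T09:00:45Z", "alice", "Singapore"),
    ("2025-09-24T09:00:00Z", "bob", "London"),
    ("2025-09-24T10:30:00Z", "bob", "Belfast"),
]


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(logins, max_kmh=900.0):
    """Compare each sign-in with the user's previous one and flag pairs whose
    implied speed exceeds max_kmh (about airliner speed). Returns a list of
    (user, previous_city, new_city, implied_kmh)."""
    last = {}  # user -> (datetime, city) of the most recent sign-in seen
    alerts = []
    for ts, user, city in sorted(logins):  # process in time order
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if user in last:
            t0, city0 = last[user]
            dist = haversine_km(CITY_COORDS[city0], CITY_COORDS[city])
            hours = (t - t0).total_seconds() / 3600
            # Same place within the same second is not travel; a move with no
            # elapsed time is treated as infinitely fast.
            speed = 0.0 if dist == 0 else (math.inf if hours == 0 else dist / hours)
            if speed > max_kmh:
                alerts.append((user, city0, city, round(speed)))
        last[user] = (t, city)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Bob's London-to-Belfast move (roughly 520 km in 90 minutes) stays under the threshold, while alice's Belfast-to-Singapore sign-in 45 seconds later is flagged.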
4. Secure Recovery Mechanisms
- Remove outdated “security questions” that attackers can easily guess or research.
- Use secure backup MFA methods such as hardware tokens stored offline.
- Ensure your IT helpdesk verifies identity robustly before resetting access.
5. Layer With Broader Cybersecurity Controls
- Keep endpoints patched and protected with EDR (Endpoint Detection & Response).
- Run regular vulnerability assessments and penetration tests to identify weaknesses.
- Consider dark web monitoring to check if staff credentials are being traded.
Building Cyber Resilience, Not False Confidence
At LoughTec, we regularly encounter organisations that assume MFA has closed the door on account compromise. Unfortunately, the opposite is true: cybercriminals are innovating precisely because MFA has become widespread.
True cyber resilience comes from a layered approach: MFA combined with continuous monitoring, strong endpoint protection, rapid incident response, and above all, an aware workforce.
MFA Is Essential, But Not Invincible
Multi-Factor Authentication remains one of the best defences against credential theft, but it is not bulletproof. Attackers have already found multiple ways to bypass or exploit it. Businesses that rely solely on MFA risk leaving themselves exposed.
The answer is not to abandon MFA, but to deploy it intelligently, choose stronger methods, and surround it with complementary protections. By doing so, you transform MFA from a single line of defence into part of a robust, layered cybersecurity strategy.
Next Steps With LoughTec
If you want to understand how resilient your MFA really is, LoughTec can help. Our services include:
- Penetration testing that shows how attackers could bypass your MFA today.
- Managed SOC services to detect and respond to suspicious login behaviour.
- Employee awareness training tailored to phishing and social engineering techniques.
Contact us today to assess the true strength of your business and protect your organisation from the next generation of cyber threats.