Multi-Factor Authentication (MFA) is one of the top recommendations for securing access to systems. A password on its own is often cracked, guessed or simply stolen, so MFA adds an essential extra layer of protection. It is not infallible, though: attackers can and do find ways to bypass it.
Once a password is compromised, attackers turn to a range of techniques to get past MFA. Below, we examine four common social engineering tactics used to defeat MFA and explain why strong passwords remain part of a comprehensive security strategy.
Adversary-in-the-Middle (AITM) Attacks
In an Adversary-in-the-Middle (AITM) attack, the attacker sits between the user and the legitimate site or app, usually as a reverse proxy behind a look-alike domain. The user believes they are logging into the real service, but every field they submit passes through the attacker, who can capture the password, relay or manipulate the MFA step, and keep the session token the real site issues at the end of a successful login.
For example, a spear-phishing email directs the user to a fake website that captures their login details. Ideally, MFA should stop this, but attackers use a tactic sometimes called "2FA pass-on": the moment the victim enters their credentials on the fake site, the attacker submits them to the real site, which triggers an MFA request. The victim has just tried to log in, so the request looks legitimate; they approve the push notification or type the one-time code into the fake page, and the attacker ends up with a fully authenticated session. One-time codes and push approvals cannot tell the two sites apart. Only a phishing-resistant factor bound to the site's origin, such as a FIDO2/WebAuthn security key, refuses to answer on the wrong domain.
A documented example is the Storm-1167 group, which creates fake Microsoft login pages to steal credentials. The pages go as far as mimicking the MFA step, so victims type in their MFA code and hand the attackers access to their accounts. Once inside, the attackers use the compromised accounts to launch further phishing attacks.
To validate your defenses against "2FA pass-on" tactics, search for "2FA" in the attack library of our Security Validation Platform, where you can simulate attacks using malware built around this technique.
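The relay described above, as an added example that is not part of the original post or of any product mentioned in it: a simulated phishing proxy replays the victim's password and one-time code to a toy identity provider and keeps the session token, then tries the same trick against an origin-bound factor and fails. The origins, user, secrets and the HMAC stand-in for a WebAuthn signature are all assumptions made for the demo.

```python
"""Constructed simulation of an AITM "2FA pass-on" relay (added example).

A phishing proxy forwards the victim's password and one-time code to the real
identity provider in real time and keeps the session token it issues. The same
relay fails against an origin-bound factor (WebAuthn-style), because the
authenticator signs the origin the browser is actually on. All names, origins
and secrets below are assumptions for the demo, not a real product's API.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"    # assumed real IdP origin
PHISH_ORIGIN = "https://login-example.com"   # assumed look-alike phishing origin


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for a WebAuthn assertion: HMAC over challenge + browser origin.
    (A real authenticator uses a private key; HMAC keeps the demo short.)"""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Real IdP with two second factors: a one-time code and an origin-bound key."""

    def __init__(self):
        # Constructed demo user. The OTP is whatever the victim's app shows right now.
        self.users = {"alice": {"password": "Winter2024!", "otp": "492817",
                                "key": secrets.token_bytes(32)}}
        self.sessions = {}   # session token -> username
        self.pending = {}    # username -> outstanding challenge

    def _issue_session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def login_password_otp(self, username, password, otp):
        u = self.users.get(username)
        if not u or not hmac.compare_digest(u["password"], password):
            return None
        if not hmac.compare_digest(u["otp"], otp):
            return None
        return self._issue_session(username)

    def new_challenge(self, username):
        self.pending[username] = secrets.token_hex(16)
        return self.pending[username]

    def login_origin_bound(self, username, challenge, origin, signature):
        u = self.users.get(username)
        if not u or self.pending.pop(username, None) != challenge:
            return None
        if origin != REAL_ORIGIN:  # the relying party checks the reported origin
            return None
        expected = sign_assertion(u["key"], challenge, origin)
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(username)


class Victim:
    """The user plus their authenticator; the browser supplies the page origin."""

    def __init__(self, idp):
        self.username, self.password, self.otp = "alice", "Winter2024!", "492817"
        self.key = idp.users["alice"]["key"]

    def assertion(self, challenge, page_origin):
        return sign_assertion(self.key, challenge, page_origin)


class PhishingProxy:
    """Attacker's reverse proxy: replays whatever the victim submits to the real IdP."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen_sessions = []

    def relay_password_otp(self, victim):
        # Victim typed password and OTP into the look-alike page; replay them immediately.
        token = self.idp.login_password_otp(victim.username, victim.password, victim.otp)
        if token:
            self.stolen_sessions.append(token)
        return token

    def relay_origin_bound(self, victim):
        # The victim's browser is on PHISH_ORIGIN, so every assertion names that origin.
        challenge = self.idp.new_challenge(victim.username)
        sig = victim.assertion(challenge, PHISH_ORIGIN)
        if self.idp.login_origin_bound(victim.username, challenge, PHISH_ORIGIN, sig):
            return "pass-on succeeded"   # origin check refuses this
        challenge = self.idp.new_challenge(victim.username)
        sig = victim.assertion(challenge, PHISH_ORIGIN)
        if self.idp.login_origin_bound(victim.username, challenge, REAL_ORIGIN, sig):
            return "pass-on succeeded"   # lying about the origin breaks the signature
        return "blocked"


def run_demo():
    idp = IdentityProvider()
    victim, proxy = Victim(idp), PhishingProxy(idp)
    token = proxy.relay_password_otp(victim)
    return {"otp_session_stolen": idp.sessions.get(token) == "alice",
            "origin_bound": proxy.relay_origin_bound(victim)}


if __name__ == "__main__":
    print(run_demo())   # {'otp_session_stolen': True, 'origin_bound': 'blocked'}
```

The point of the two branches in `relay_origin_bound` is that the attacker has no good move: forwarding the assertion unchanged fails the origin check, and rewriting the origin invalidates the signature, because the browser (not the user) put the phishing origin into the signed data. A one-time code carries no such binding, which is why the first relay succeeds.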
MFA Prompt Bombing
MFA prompt bombing (also called MFA fatigue) is a social engineering technique that abuses push notifications in authenticator apps. After stealing a password, the attacker attempts to log in over and over, flooding the legitimate user's device with approval prompts. Frustrated or confused, the user may eventually tap "Approve" just to stop the barrage. Push apps that require number matching (the user must type a number displayed on the login screen) remove the blind approval this attack depends on, and a burst of denied or expired prompts for one account is a signal worth alerting on.
In one notable case, the 0ktapus hacker group used SMS phishing to steal the login credentials of an Uber contractor. The attackers then flooded the contractor with MFA requests and, posing as Uber's security team on Slack, talked the contractor into approving one.
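One way to catch the pattern described above in push-notification logs, as an added example (not code from the original post or from any vendor named in it): a sliding-window count of prompts per user that flags a burst and records whether an approval followed it. The log lines, field names and thresholds are constructed for the demo; map them to what your identity provider actually exports.

```python
"""Detect MFA prompt bombing from push-notification logs (added example).

The log format below is constructed for the demo (timestamp, user, result of
the push prompt); map the fields to whatever your identity provider exports.
A user who receives `threshold` prompts inside `window` is flagged, and the
alert records whether an approval followed the burst, which is the outcome
the attacker is after.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is bombed and finally approves; bob is normal traffic.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z alice push_result=DENIED
2024-03-04T08:01:40Z alice push_result=TIMEOUT
2024-03-04T08:02:05Z alice push_result=DENIED
2024-03-04T08:02:31Z alice push_result=TIMEOUT
2024-03-04T08:02:58Z alice push_result=DENIED
2024-03-04T08:03:20Z alice push_result=APPROVED
2024-03-04T08:05:00Z bob push_result=APPROVED
2024-03-04T09:10:00Z bob push_result=DENIED
2024-03-04T09:40:00Z bob push_result=APPROVED
"""


def parse_line(line):
    """Return (timestamp, user, result) for one constructed log line."""
    ts, user, kv = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kv.split("=", 1)[1]


def detect_prompt_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of push prompts per user.

    Returns one alert per user whose prompt count reaches `threshold` within
    `window`; the alert keeps growing while the burst continues and notes any
    approval that lands after the burst began.
    """
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    open_alerts = {}              # user -> alert dict, once flagged
    alerts = []
    for line in log_text.splitlines():
        ts, user, result = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if user not in open_alerts and len(q) >= threshold:
            open_alerts[user] = {"user": user, "burst_start": q[0].isoformat(),
                                 "prompts": len(q), "approved_after_burst": False}
            alerts.append(open_alerts[user])
        elif user in open_alerts:
            open_alerts[user]["prompts"] = max(open_alerts[user]["prompts"], len(q))
            if result == "APPROVED":
                open_alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

An alert with `approved_after_burst` set is the case to treat as a probable compromise rather than a nuisance: the password is already in the attacker's hands, and the approval means the session is too, so the response is to revoke sessions and reset the factor, not just the password.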
Help Desk Social Engineering
Attackers can also bypass MFA by manipulating the help desk. Claiming to have forgotten a password or lost a phone, they persuade help desk agents to reset the password or enroll a new MFA device. If help desk personnel do not follow a strict identity verification procedure (for example, calling the user back on a number already on record, or requiring manager approval before any MFA re-enrollment), the attacker gains access without ever touching the real second factor.
A well-known example is the attack on MGM Resorts, where the Scattered Spider group tricked the help desk into resetting a password, which led to a ransomware attack. When MFA prompt bombing fails, attackers often fall back on the help desk: they claim to have lost their phone and ask to register a new MFA device. If that works, they can reset the password and log in with the device they control.
SIM Swapping
Since MFA codes are often delivered to a mobile phone by SMS or voice call, attackers use a method known as "SIM swapping" to intercept them. By tricking a phone carrier into transferring the target's number to a SIM card they control, the attacker receives the target's one-time codes and can log in. Note that SIM swapping only defeats factors tied to the phone number; authenticator apps and hardware security keys are unaffected by a number transfer.
A prominent example is the LAPSUS$ group, which combined SIM swapping, MFA prompt bombing, and help desk manipulation to compromise organizations. Microsoft detailed these tactics in a 2022 report, showing how heavily LAPSUS$ relied on social engineering to gain initial access to its targets.
To validate your defenses against these tactics, search for “LAPSUS$” in the attack library of our Security Validation Platform and simulate similar techniques used by this group.
The Importance of Strong Passwords—MFA Isn’t Enough
While MFA offers extra protection, it is not invincible. Beyond the social engineering tactics above, attackers bypass MFA through endpoint compromise (stealing session cookies or tokens from a device that is already logged in), token extraction, abuse of Single Sign-On (SSO) sessions, or unpatched vulnerabilities in the authentication stack. Simply enabling MFA is not a substitute for strong password security.
Weak or exposed passwords remain a common entry point for attackers. Once an attacker holds a valid password, every technique in this post becomes available to them; the password is what turns an MFA bypass from theoretical into practical. If a password is leaked, reused, or easy to guess, even a well-configured MFA deployment may not protect the account.
For most organizations, going fully passwordless is still impractical. A robust password policy (minimum length, screening against known-breached passwords, no reuse across services) combined with MFA therefore offers the best defense.
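A password-policy check of the kind the conclusion calls for, as an added example that is not part of the original post: length and username rules plus a breached-password lookup done with the k-anonymity pattern, where the client sends only a five-character SHA-1 prefix and matches the returned suffixes locally. The breached set here is a small constructed stand-in; the same prefix query works against a real range endpoint such as Have I Been Pwned's Pwned Passwords API, which is assumed rather than called here so the demo runs offline.

```python
"""Password policy check with a breached-password lookup (added example).

The breached set is a small constructed stand-in for a real corpus. The lookup
follows the k-anonymity pattern used by range APIs: the client sends only the
first five hex characters of the SHA-1 hash and matches the returned suffixes
locally, so the server never sees the full hash or the password.
"""
import hashlib

# Constructed "known breached" passwords for the demo.
_BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                  for p in ("password", "Winter2024!", "qwerty123", "letmein")}


def range_query(prefix: str) -> list:
    """Server side: return hash suffixes for every breached hash sharing `prefix`."""
    return [h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    """Client side: hash locally, query by 5-char prefix, compare suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def check_password(password: str, username: str, min_length: int = 12) -> list:
    """Return the list of policy violations (empty means the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breach corpus")
    return problems


if __name__ == "__main__":
    for pw in ("Winter2024!", "alice-rocks-2024", "correct horse battery staple"):
        print(pw, "->", check_password(pw, "alice") or "ok")
```

Run this at password-set time and on a schedule against stored hashes where the format allows it; a password that passes the length rule but appears in a breach corpus is exactly the "leaked or reused" case that hands an attacker the first factor.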