Over the years, the standard advice was simple: turn on multi-factor authentication and your accounts are safe. MFA blocks the overwhelming majority of credential-based attacks. It is still one of the most important security controls you can implement. But somewhere along the way, the advice calcified into a false sense of completeness — as though MFA were a finish line rather than a baseline.
Attackers adapted. They always do. And the techniques they now use to get around MFA are not exotic or theoretical. They are in active use against law firms, accounting firms, and professional services businesses every week.
Adversary-in-the-Middle Phishing
The most common MFA bypass technique in use today does not break MFA at all. It sidesteps it by stealing the session cookie that the identity provider issues once MFA has been satisfied.
Here is how it works. The attacker registers a look-alike domain and runs a reverse proxy on it that relays every request to the real Microsoft login page. When the target enters their credentials and completes the MFA prompt, those actions are forwarded in real time to the legitimate Microsoft servers, which see a valid login and set a session cookie in the response. The proxy copies that cookie as it passes through, then forwards the response so the user lands in a working session and sees nothing unusual. The attacker loads the cookie into their own browser and has an authenticated session: no password, no MFA code required. Two details matter for the defender. The cookie keeps working until it expires or is revoked, and the sign-in entry for the original authentication records the proxy's IP address, not the user's.
Toolkits that automate this attack are freely available and require minimal technical skill to operate. Evilginx, Modlishka, and similar frameworks have made adversary-in-the-middle phishing accessible to attackers who could not have built it themselves. The phishing email looks legitimate. The login page looks identical to the real one. The MFA prompt fires exactly as expected. The user has no idea anything went wrong.
MFA Fatigue
A simpler and surprisingly effective technique involves flooding the target with MFA push notifications until they approve one just to make them stop.
If an attacker has valid credentials — obtained through phishing, credential stuffing, or purchasing from a dark web breach database — they can trigger your MFA prompt repeatedly. Many users, after receiving fifteen or twenty push notifications in quick succession, will eventually tap Approve either out of confusion, frustration, or the assumption that it must be a technical glitch. That single approval gives the attacker full access.
Microsoft now enforces number matching for Microsoft Authenticator push notifications: the user has to type the number shown on the sign-in screen rather than tap Approve, so a blind approval no longer completes the attacker's sign-in. That narrows the problem rather than closing it. Voice-call approval and third-party push apps that still offer a plain Approve button remain exposed, a burst of prompts still confirms to the attacker that the password is valid, and a user who is on the phone with someone claiming to be the help desk can be talked through the number. Treat a burst of unanswered or declined prompts as an incident in its own right: reset the password, revoke sessions, and find out where the password came from.
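The burst pattern above is easy to pick out of the Entra ID sign-in log once you look for it. The following detection is an added example written for this article, not code from the original post or from Microsoft. It assumes the Microsoft Graph `signIn` record shape (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`) and assumes that an Authenticator push the user declined or ignored is logged with error code 500121; the sample records are constructed, not data from a real tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Entra ID logs an unapproved Authenticator push (user declined,
# or did not respond before the prompt timed out) as sign-in error code 500121.
PUSH_NOT_APPROVED = 500121

# Constructed sample of sign-in log records in the Microsoft Graph `signIn`
# shape, trimmed to the fields the detection reads. Not data from a real tenant.
SIGN_INS = [
    # alice: six pushes in six minutes that she ignores, then one she approves
    *[{"createdDateTime": f"2025-03-04T08:{12 + i:02d}:05Z",
       "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
       "status": {"errorCode": PUSH_NOT_APPROVED,
                  "additionalDetails": "MFA denied; user did not respond to mobile app notification"}}
      for i in range(6)],
    {"createdDateTime": "2025-03-04T08:19:40Z",
     "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7",
     "status": {"errorCode": 0, "additionalDetails": "MFA completed in Azure AD"}},
    # bob: one missed prompt, then a normal sign-in from his usual address
    {"createdDateTime": "2025-03-04T09:00:10Z",
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
     "status": {"errorCode": PUSH_NOT_APPROVED,
                "additionalDetails": "MFA denied; user did not respond to mobile app notification"}},
    {"createdDateTime": "2025-03-04T09:02:30Z",
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
     "status": {"errorCode": 0, "additionalDetails": "MFA completed in Azure AD"}},
]


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received `threshold` or more unapproved pushes inside
    `window`, and record whether an approval followed inside the same window
    (that approval is the session to revoke). Returns one alert per user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["userPrincipalName"]].append(e)

    alerts = []
    for upn, evs in by_user.items():
        for i, first in enumerate(evs):
            if first["status"]["errorCode"] != PUSH_NOT_APPROVED:
                continue
            burst = [x for x in evs[i:] if _ts(x) - _ts(first) <= window]
            unapproved = [x for x in burst if x["status"]["errorCode"] == PUSH_NOT_APPROVED]
            if len(unapproved) < threshold:
                continue
            approvals = [x for x in burst if x["status"]["errorCode"] == 0]
            alerts.append({
                "user": upn,
                "window_start": first["createdDateTime"],
                "unapproved_pushes": len(unapproved),
                "source_ips": sorted({x["ipAddress"] for x in burst}),
                "approved_after_burst": bool(approvals),
                "approval_time": approvals[0]["createdDateTime"] if approvals else None,
            })
            break  # one alert per user; the first qualifying burst is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SIGN_INS):
        print(alert)
```

Run against the sample, only alice is flagged: six unapproved pushes from one address followed by an approval, which is the sign-in whose session should be revoked and whose password should be reset. Bob's single missed prompt stays below the threshold. Tune `threshold` and `window` to your own baseline before wiring this into an alert.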
Legacy Authentication Protocols
This one does not bypass MFA at all. It simply goes around it.
Basic authentication over older protocols such as SMTP AUTH, IMAP and POP3 sends only a username and password. There is no step in the exchange where a second factor could be asked for, so the client never sees an MFA prompt. Microsoft switched basic authentication off for IMAP, POP3, Exchange Web Services and ActiveSync in Exchange Online at the start of 2023, but SMTP AUTH was left out of that change and stays available per tenant and per mailbox until you disable it, and in most environments we assess, legacy authentication is still enabled. An attacker with a valid password can authenticate over it directly without ever triggering an MFA prompt.
We find this gap in almost every Microsoft 365 environment we review for the first time. It is the single most commonly exploited gap in tenants that believe MFA is protecting them: the user has MFA enabled on their account, the attacker authenticates over a legacy protocol with nothing but the password, and MFA is never involved. In the sign-in log the entry is easy to spot once you know to look. The client app shows as Authenticated SMTP, IMAP4 or Other clients rather than Browser, and the authentication requirement is single-factor.
What Actually Stops These Attacks
The answer is not abandoning MFA. MFA is still essential and stops the vast majority of attacks that do not use these specific techniques. The answer is layering additional controls on top of it.
Conditional Access policies are the most important layer. They define the conditions under which a sign-in is allowed: requiring a compliant or hybrid-joined device, blocking sign-ins from countries or IP ranges you never operate in, requiring extra verification for risky sign-ins and, most importantly against adversary-in-the-middle phishing, requiring a phishing-resistant authentication strength (FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication). Those credentials are bound to the real login origin, so the proxied page cannot complete them. An attacker who captured a session cookie through a proxy in Eastern Europe is stopped when they use it to request tokens from an unmanaged device in a blocked region. Do not lean on geography alone, though. The proxy can just as easily sit on a US cloud host or behind a residential IP, so device compliance and authentication strength are the controls that actually hold.
Blocking legacy authentication removes the SMTP AUTH and IMAP exposure entirely. It is two changes: a Conditional Access policy that blocks the Exchange ActiveSync and Other clients app types for all users (run it in report-only mode first), and turning SMTP AUTH off at the tenant level with Set-TransportConfig -SmtpClientAuthenticationDisabled $true in Exchange Online PowerShell, re-enabling it with Set-CASMailbox only for a mailbox that genuinely needs it. Tenants without Conditional Access get the same block from Security Defaults. The work takes minutes and has no impact on users of modern clients such as Outlook or the Microsoft 365 web interface. What it can break is the copier, the alarm panel or the line-of-business application that relays mail with a mailbox password, so filter the sign-in log by client app for the last thirty days and move those to a connector-based relay or a per-mailbox exception before you flip the switch.
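Before enforcing the block, you want to know which accounts would be caught by it, which is also how you find an attacker already using SMTP AUTH against a mailbox. The block below is an added example for this article, not code from the original post or from Microsoft. It assumes the Microsoft Graph `signIn` fields `userPrincipalName`, `clientAppUsed`, `ipAddress` and `authenticationRequirement`, assumes the `clientAppUsed` strings listed in `LEGACY_CLIENT_APPS` are the ones Entra writes for password-only protocols, and builds the Conditional Access request body for the Graph `conditionalAccessPolicy` resource; the sample records are constructed.

```python
from collections import defaultdict
import json

# Assumption: these are the values Entra ID writes to the sign-in log's
# `clientAppUsed` field for protocols that can only carry a username and
# password. They map onto the "Exchange ActiveSync clients" and "Other clients"
# app types that a Conditional Access policy can block.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "AutoDiscover",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services",
}

# Constructed sample sign-in records (Microsoft Graph `signIn` shape, trimmed).
# Not data from a real tenant.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.20", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "198.51.100.21", "authenticationRequirement": "multiFactorAuthentication"},
    # the copier in the mail room relays scans with a mailbox password
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.9", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.9", "authenticationRequirement": "singleFactorAuthentication"},
    # carol has MFA registered, but SMTP AUTH from an address she has never
    # used simply never asked for it
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.7", "authenticationRequirement": "singleFactorAuthentication"},
]


def legacy_auth_inventory(events):
    """Group legacy-protocol sign-ins by account so you know exactly what a
    block policy will hit before you enforce it."""
    inventory = defaultdict(lambda: {"apps": set(), "ips": set(), "sign_ins": 0})
    for e in events:
        if e.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        entry = inventory[e["userPrincipalName"]]
        entry["apps"].add(e["clientAppUsed"])
        entry["ips"].add(e["ipAddress"])
        entry["sign_ins"] += 1
    return {upn: {"apps": sorted(v["apps"]), "ips": sorted(v["ips"]),
                  "sign_ins": v["sign_ins"]}
            for upn, v in sorted(inventory.items())}


def block_legacy_auth_policy(exclude_user_ids=(), enforce=False):
    """Request body for POST /identity/conditionalAccess/policies. Starts in
    report-only mode; pass enforce=True once the inventory is empty apart from
    accounts you have deliberately excluded."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      # break-glass accounts go here, nothing else
                      "excludeUsers": list(exclude_user_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    print(json.dumps(legacy_auth_inventory(SIGN_INS), indent=2))
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

On the sample the inventory returns two accounts: the scanner, which needs a relay or a per-mailbox exception, and carol, whose single SMTP AUTH sign-in from an unfamiliar address is the password-only access the section describes and should be treated as a compromise, not a migration task.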
Continuous monitoring of authentication events is what catches the attacks that do get through. Impossible travel, a user authenticating from Connecticut and then from Ukraine thirty minutes later, is one of the clearest indicators of session token theft, though VPN egress points and mobile carrier geolocation produce false positives, so tune it against the addresses you know your users come from. Entra ID Protection's sign-in risk signals, including its atypical travel, unfamiliar sign-in properties and anomalous token detections, can feed a Conditional Access policy that demands re-authentication or blocks access automatically when a session looks wrong. A burst of unanswered MFA prompts followed by an approval deserves the same treatment.
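The impossible-travel check is simple enough to run yourself over exported sign-in logs, and doing so shows where the false positives come from. The block below is an added example for this article, not code from the original post, from Microsoft or from Entra ID Protection. It assumes the Graph `signIn` fields `createdDateTime`, `userPrincipalName`, `ipAddress` and `location.geoCoordinates`; the records, coordinates and the `known_egress` allow-list are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (Microsoft Graph `signIn` shape, trimmed).
# The coordinates stand in for what Entra's geo-IP lookup writes to `location`.
# Not data from a real tenant.
SIGN_INS = [
    {"createdDateTime": "2025-03-04T10:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.20",
     "location": {"city": "Hartford", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 41.7658, "longitude": -72.6734}}},
    # thirty minutes later the same account is active from Kyiv
    {"createdDateTime": "2025-03-04T10:30:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7",
     "location": {"city": "Kyiv", "countryOrRegion": "UA",
                  "geoCoordinates": {"latitude": 50.4501, "longitude": 30.5234}}},
    # bob drives from New York to Boston: fast, but physically possible
    {"createdDateTime": "2025-03-04T10:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.30",
     "location": {"city": "New York", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 40.7128, "longitude": -74.0060}}},
    {"createdDateTime": "2025-03-04T12:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.31",
     "location": {"city": "Boston", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 42.3601, "longitude": -71.0589}}},
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def _coords(record):
    geo = (record.get("location") or {}).get("geoCoordinates") or {}
    if "latitude" in geo and "longitude" in geo:
        return geo["latitude"], geo["longitude"]
    return None


def detect_impossible_travel(events, max_kmh=1000.0, min_km=100.0, known_egress=frozenset()):
    """Compare each user's consecutive sign-ins and alert when the implied
    speed exceeds `max_kmh` (roughly airliner speed). Pairs that share an IP,
    lack coordinates, sit closer than `min_km` (geo-IP noise inside one metro
    area) or involve a known VPN/proxy egress address are skipped so the
    corporate VPN does not page you every morning."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["userPrincipalName"]].append(e)

    alerts = []
    for upn, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ipAddress"] == cur["ipAddress"]:
                continue
            if prev["ipAddress"] in known_egress or cur["ipAddress"] in known_egress:
                continue
            a, b = _coords(prev), _coords(cur)
            if a is None or b is None:
                continue
            km = haversine_km(*a, *b)
            if km < min_km:
                continue
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            # two distant sign-ins with the same timestamp are still impossible
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": upn, "from": prev["location"]["city"],
                               "to": cur["location"]["city"], "km": round(km),
                               "hours": round(hours, 2), "kmh": round(kmh),
                               "suspect_ip": cur["ipAddress"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SIGN_INS):
        print(alert)
```

On the sample only alice is flagged, roughly 7,350 km in half an hour, and the alert carries the IP that should be blocked and the session that should be revoked. Bob's 300 km in two hours passes. Adding an address to `known_egress` suppresses alerts involving it, which is how you keep the office VPN out of the queue; the cost is that an attacker who proxies through that same address is suppressed too, so keep that list short and reviewed.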
MFA is not optional. But treating it as the last word in identity security is how organizations end up compromised despite having MFA enabled on every account. The attackers who are targeting professional services firms in 2025 know exactly how to work around it. The question is whether your security posture has kept pace.