MFA Bypass Attacks in 2026: What Texas Businesses Must Do Beyond Push Notifications

April 24, 2026

Multi-factor authentication is no longer enough. Adversary-in-the-middle phishing kits, push-bombing, and SIM swap attacks are routinely defeating SMS and push-notification MFA. Phishing-resistant MFA is the 2026 baseline.

01

Introduction

For most of the last decade, deploying any form of multi-factor authentication was an enormous security upgrade over passwords alone. In 2026, that is no longer true. Adversary-in-the-middle (AiTM) phishing kits, push notification fatigue, and SIM swap attacks mean that SMS and push-notification MFA are routinely defeated in real attacks against Texas businesses.

This article covers what is happening, why legacy MFA is now insufficient, and what phishing-resistant MFA looks like in practice for an SMB.

02

How Modern MFA Bypass Actually Works

Adversary-in-the-Middle (AiTM) Phishing

Commercial phishing-as-a-service kits (Evilginx, EvilProxy, Tycoon, Mamba 2FA) operate as a real-time reverse proxy between the victim and the legitimate login page. The victim sees what looks like a normal Microsoft 365 or Google login. Behind the scenes, every keystroke and every MFA prompt is forwarded to the real Microsoft login service. When the user completes MFA, the attacker captures the resulting session cookie and uses it directly — never needing the password or the second factor again.

This is the dominant attack pattern against M365 tenants in 2026. It defeats SMS, push notification, and even Time-based One-Time Password (TOTP) codes.

Push Notification Fatigue / MFA Bombing

The attacker who already has a password (from a credential stuffing list, a previous breach, or info-stealer logs) repeatedly triggers push notifications to the victim's phone — often at 2:00 AM. After dozens of prompts, many users approve one to make the noise stop. This was the entry vector in several high-profile breaches over the past two years.

SIM Swap

SMS-based MFA is structurally broken because phone numbers can be ported. An attacker convinces a mobile carrier (often through a bribed employee or a socially engineered call) to port the victim's number to a SIM the attacker controls. All SMS codes then arrive on the attacker's device.

03

What Phishing-Resistant MFA Looks Like

The phrase the industry has settled on is phishing-resistant MFA. It refers to authentication factors that are bound to the legitimate origin and cannot be relayed by a reverse proxy.

  • FIDO2 / WebAuthn — hardware security keys (YubiKey, Feitian) or platform authenticators (Windows Hello for Business, Apple Touch ID / Face ID, Android biometrics) bound to the origin URL. AiTM kits cannot proxy these because the signed response includes the actual domain name the browser visited, so a response produced on the proxy's domain fails verification at the legitimate site.
  • Microsoft Entra Conditional Access with device compliance — sessions only succeed from devices that are managed and compliant per Intune policy. Even if an attacker captures a session cookie, replaying it from an unmanaged device fails.
  • Certificate-based authentication — particularly relevant for high-privilege accounts and for CMMC environments where NIST 800-171 requires high-assurance authentication.
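To make the origin-binding point concrete, here is an added example (not code from this article, nor from any of the products it names) that simulates the relevant parts of a WebAuthn assertion in Go: the browser records the origin it is really on in clientDataJSON, the credential signs over a hash of that JSON, and the relying party rejects an assertion whose origin is not its own. The names (`Login`, `relyingParty`, `authenticator`, the `https://login.example.com` and `https://login.example-proxy.test` origins), the Ed25519 key, and the placeholder standing in for real authenticatorData are all assumptions made for the illustration. The third call shows that a proxy cannot simply rewrite the origin field either, because the signature covers it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData: the CollectedClientData fields that matter here. The browser,
// not the key, fills Origin with the origin of the page requesting the assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ ClientDataJSON, AuthenticatorData, Signature []byte }

// signedBytes is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedBytes(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// authenticator stands in for a FIDO2 credential: one Ed25519 key pair (assumed here).
type authenticator struct{ priv ed25519.PrivateKey }

// sign records the page origin the browser is really on, then signs.
func (a *authenticator) sign(challenge, pageOrigin string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	authData := []byte("rpIdHash|flags|counter") // placeholder for real authenticatorData
	return assertion{cd, authData, ed25519.Sign(a.priv, signedBytes(authData, cd))}
}

// relyingParty is the legitimate site: its origin, the registered key, the last challenge.
type relyingParty struct {
	origin string
	pub    ed25519.PublicKey
	issued string
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	rp.issued = base64.RawURLEncoding.EncodeToString(b)
	return rp.issued
}

// verify applies the challenge and origin checks of the WebAuthn assertion
// procedure, then the signature check over the same clientDataJSON bytes.
func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != rp.issued {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: assertion made for %q, expected %q", cd.Origin, rp.origin)
	}
	if !ed25519.Verify(rp.pub, signedBytes(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature: clientData altered after signing")
	}
	return nil
}

// rewriteOrigin models a proxy editing the recorded origin before relaying.
func rewriteOrigin(as assertion, origin string) assertion {
	var cd clientData
	json.Unmarshal(as.ClientDataJSON, &cd)
	cd.Origin = origin
	as.ClientDataJSON, _ = json.Marshal(cd)
	return as
}

// Login runs one sign-in. rpOrigin is the real site; pageOrigin is where the
// browser actually is (the proxy's hostname when a reverse proxy sits between).
// With fixup set, the proxy also rewrites the origin field before relaying.
func Login(rpOrigin, pageOrigin string, fixup bool) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := &relyingParty{origin: rpOrigin, pub: pub}
	auth := &authenticator{priv: priv}
	ch := rp.newChallenge()         // RP -> browser; a proxy relays it unchanged
	as := auth.sign(ch, pageOrigin) // browser + key -> assertion
	if fixup {
		as = rewriteOrigin(as, rpOrigin)
	}
	return rp.verify(as) // proxy forwards the assertion to the RP
}

func main() {
	site, proxy := "https://login.example.com", "https://login.example-proxy.test"
	fmt.Println(Login(site, site, false), "|", Login(site, proxy, false), "|", Login(site, proxy, true))
}
```

Run with `go run`: the direct login returns `<nil>`, the proxied one an origin mismatch, and the rewritten one a signature failure. What this does not cover is a session cookie captured after a non-FIDO2 login, which is why the list above pairs FIDO2 with device-compliance checks on the session itself.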

04

The 2026 MFA Baseline for Texas SMBs

  1. Eliminate SMS and voice MFA entirely. If they exist as fallback options, attackers will pivot to them.
  2. Move all administrators and privileged users to FIDO2. No exceptions, no fallbacks. Hardware keys for IT staff and finance leadership.
  3. Move all general users to number-matching push or app-based MFA at minimum. Number matching defeats the simplest push fatigue attacks because the user must type a number shown on the login screen, not just tap Approve.
  4. Enforce device compliance via Conditional Access. Block sign-ins from non-compliant devices for sensitive applications.
  5. Monitor for impossible travel and atypical sign-ins. Microsoft Entra ID Protection or an equivalent identity threat detection layer must be on.

05

Common Implementation Mistakes

The two most common mistakes we encounter cleaning up after Texas SMB compromises:

  • Leaving legacy authentication enabled. If your tenant still allows IMAP, POP, SMTP AUTH, or other legacy protocols, MFA is bypassed entirely on those paths. Disable legacy auth.
  • Excluding "service accounts" from MFA. Service accounts with passwords and no MFA are the favorite escalation path of every ransomware operator. Use managed identities, certificate authentication, or workload identities — never bare passwords.
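As an added example serving both the monitoring step in the baseline above (impossible travel and atypical sign-ins) and the legacy-authentication mistake just described, and not code from this article or from Microsoft: a small Go program that reads Entra-style sign-in records and flags (a) sign-ins over legacy protocols, using the `clientAppUsed` field, and (b) consecutive successful sign-ins by the same user that would require travel faster than an airliner. The records in `SampleSignIns` are constructed, the 900 km/h threshold and the `Analyze`/`Finding` names are assumptions for the illustration, and the `legacyClients` set is a subset of the values Entra uses for that field.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"time"
)

// signIn carries the subset of Microsoft Graph signIn fields used here.
type signIn struct {
	UserPrincipalName string `json:"userPrincipalName"`
	CreatedDateTime   string `json:"createdDateTime"`
	IPAddress         string `json:"ipAddress"`
	ClientAppUsed     string `json:"clientAppUsed"`
	Status            struct{ ErrorCode int } `json:"status"`
	Location          struct {
		City           string
		GeoCoordinates struct{ Latitude, Longitude float64 }
	} `json:"location"`
}

// legacyClients: clientAppUsed values that mean legacy authentication (a subset of Entra's values).
var legacyClients = map[string]bool{
	"IMAP4": true, "POP3": true, "Authenticated SMTP": true,
	"Exchange ActiveSync": true, "Other clients": true,
}

// Faster than a long-haul airliner between two successful sign-ins counts as
// impossible travel (assumed threshold; tune for VPN egress points you know about).
const maxSpeedKmh = 900.0

type Finding struct{ Kind, User, Detail string }

func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) + math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Analyze returns legacy-auth findings in record order, then impossible-travel
// findings in chronological order of the sign-in that triggered them.
func Analyze(raw []byte) ([]Finding, error) {
	var events []signIn
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range events {
		if legacyClients[e.ClientAppUsed] {
			out = append(out, Finding{"legacy-auth", e.UserPrincipalName,
				fmt.Sprintf("%s via %s from %s", e.CreatedDateTime, e.ClientAppUsed, e.IPAddress)})
		}
	}
	// RFC 3339 timestamps in UTC sort chronologically as strings.
	sort.SliceStable(events, func(i, j int) bool { return events[i].CreatedDateTime < events[j].CreatedDateTime })
	last := map[string]signIn{} // most recent successful sign-in per user
	for _, c := range events {
		if c.Status.ErrorCode != 0 {
			continue // a failed sign-in places nobody anywhere
		}
		p, seen := last[c.UserPrincipalName]
		last[c.UserPrincipalName] = c
		if !seen {
			continue
		}
		t0, err0 := time.Parse(time.RFC3339, p.CreatedDateTime)
		t1, err1 := time.Parse(time.RFC3339, c.CreatedDateTime)
		if err0 != nil || err1 != nil {
			continue
		}
		hours := math.Max(t1.Sub(t0).Hours(), 1.0/3600) // never divide by zero
		pg, cg := p.Location.GeoCoordinates, c.Location.GeoCoordinates
		km := haversineKm(pg.Latitude, pg.Longitude, cg.Latitude, cg.Longitude)
		if km/hours > maxSpeedKmh {
			out = append(out, Finding{"impossible-travel", c.UserPrincipalName, fmt.Sprintf(
				"%s -> %s in %.1f h (%.0f km, %.0f km/h)", p.Location.City, c.Location.City, hours, km, km/hours)})
		}
	}
	return out, nil
}

// SampleSignIns is constructed sample data shaped like Graph signIn records.
const SampleSignIns = `[
{"userPrincipalName":"alice@example.com","createdDateTime":"2026-04-20T08:02:11Z","ipAddress":"198.51.100.10","clientAppUsed":"Browser","status":{"errorCode":0},"location":{"city":"Houston","geoCoordinates":{"latitude":29.76,"longitude":-95.37}}},
{"userPrincipalName":"alice@example.com","createdDateTime":"2026-04-20T08:30:00Z","ipAddress":"203.0.113.77","clientAppUsed":"Browser","status":{"errorCode":50126},"location":{"city":"Amsterdam","geoCoordinates":{"latitude":52.37,"longitude":4.90}}},
{"userPrincipalName":"alice@example.com","createdDateTime":"2026-04-20T09:15:40Z","ipAddress":"198.51.100.10","clientAppUsed":"Browser","status":{"errorCode":0},"location":{"city":"Houston","geoCoordinates":{"latitude":29.76,"longitude":-95.37}}},
{"userPrincipalName":"alice@example.com","createdDateTime":"2026-04-20T10:05:02Z","ipAddress":"203.0.113.77","clientAppUsed":"Browser","status":{"errorCode":0},"location":{"city":"Amsterdam","geoCoordinates":{"latitude":52.37,"longitude":4.90}}},
{"userPrincipalName":"bob@example.com","createdDateTime":"2026-04-20T13:00:00Z","ipAddress":"198.51.100.22","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0},"location":{"city":"Houston","geoCoordinates":{"latitude":29.76,"longitude":-95.37}}},
{"userPrincipalName":"svc-scanner@example.com","createdDateTime":"2026-04-20T14:12:09Z","ipAddress":"198.51.100.30","clientAppUsed":"IMAP4","status":{"errorCode":0},"location":{"city":"Houston","geoCoordinates":{"latitude":29.76,"longitude":-95.37}}},
{"userPrincipalName":"bob@example.com","createdDateTime":"2026-04-20T18:30:00Z","ipAddress":"192.0.2.5","clientAppUsed":"Browser","status":{"errorCode":0},"location":{"city":"Dallas","geoCoordinates":{"latitude":32.78,"longitude":-96.80}}}
]`

func main() {
	findings, _ := Analyze([]byte(SampleSignIns))
	for _, f := range findings {
		fmt.Printf("%-18s %-24s %s\n", f.Kind, f.User, f.Detail)
	}
}
```

In a real tenant the records come from the sign-in log export or Log Analytics rather than a string constant; the fields used here (`userPrincipalName`, `createdDateTime`, `ipAddress`, `clientAppUsed`, `status.errorCode`, `location.geoCoordinates`) follow the Graph `signIn` resource. On the sample data this reports the IMAP4 sign-in by the service account and Alice's Houston-to-Amsterdam jump, while Bob's Houston-to-Dallas afternoon and Alice's failed sign-in produce nothing. The legacy-auth finding is the one to drive the Conditional Access policy from: if it still fires after you have blocked legacy auth, some account is excepted from the policy.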

06

Where to Start

For Texas SMBs that have legacy SMS or basic push MFA today: the highest-priority step is migrating administrators to FIDO2 hardware keys (a $40 device per admin), then enabling number-matching for all other users (free, configuration only), then disabling legacy authentication (free, configuration only). The $40-per-admin investment is the highest-ROI security spend of 2026.

For broader identity hardening context: see our Privileged Access Management service overview and the 2026 PAM tools comparison. For tenant-level M365 hardening: M365 managed services.
