Multi-factor authentication is the single most impactful security control for Houston businesses — blocking 99.9% of automated credential attacks. But attackers have developed sophisticated techniques to bypass traditional MFA, and Houston businesses need to understand these methods to deploy appropriate defenses.
MFA Fatigue (Push Bombing)
MFA fatigue attacks — also called push bombing — involve sending repeated MFA push notifications to a target’s phone until they approve one out of frustration or confusion. The attacker already holds the victim’s password at that point, so a burst of unexpected pushes is itself a signal that the password is compromised and needs to be reset. This technique was used in the 2022 Uber breach and has been widely adopted by ransomware groups. The defense: require number matching in Microsoft Authenticator, which forces the user to type the number shown on the sign-in screen into the app rather than simply tapping Approve, so a push the user did not initiate cannot be completed by reflex. SpaceTown IT configures number matching for all Houston clients using Microsoft Authenticator.
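A defender can catch push bombing in progress from the sign-in logs before anyone gives in, because the pattern is distinctive: many denied or timed-out pushes for one user inside a few minutes, sometimes followed by an approval. The following Go program is an added example written for this article, not SpaceTown IT’s tooling. The log lines are constructed, and their field names (time, user, result) are a simplified stand-in for a real sign-in log schema; it flags any user with five or more unanswered pushes inside a ten-minute sliding window and marks whether an approval followed the burst.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// pushEvent is one MFA push outcome for one user. The field names are a
// simplified stand-in for a real sign-in log schema, constructed for this example.
type pushEvent struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Result string    `json:"result"` // "approved", "denied" or "timeout"
}

// alert describes one user whose push history looks like push bombing.
type alert struct {
	User      string
	Attempts  int       // denied/timed-out pushes inside one window
	Approved  bool      // an approval followed the burst: treat the account as compromised
	WindowEnd time.Time // time of the last push in the burst
}

// sampleLog is constructed data, not a real export: one JSON object per line.
const sampleLog = `
{"time":"2024-05-01T02:00:05Z","user":"cfo@example.com","result":"denied"}
{"time":"2024-05-01T02:00:40Z","user":"cfo@example.com","result":"timeout"}
{"time":"2024-05-01T02:01:15Z","user":"cfo@example.com","result":"denied"}
{"time":"2024-05-01T02:01:50Z","user":"cfo@example.com","result":"timeout"}
{"time":"2024-05-01T02:02:30Z","user":"cfo@example.com","result":"denied"}
{"time":"2024-05-01T02:03:05Z","user":"cfo@example.com","result":"denied"}
{"time":"2024-05-01T02:04:20Z","user":"cfo@example.com","result":"approved"}
{"time":"2024-05-01T09:15:00Z","user":"alice@example.com","result":"denied"}
{"time":"2024-05-01T09:15:30Z","user":"alice@example.com","result":"approved"}
{"time":"2024-05-01T11:00:00Z","user":"bob@example.com","result":"timeout"}
{"time":"2024-05-01T13:00:00Z","user":"bob@example.com","result":"timeout"}
`

// parseLog reads newline-delimited JSON and skips blank lines.
func parseLog(raw string) ([]pushEvent, error) {
	var events []pushEvent
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e pushEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// detectPushBombing flags any user with at least threshold denied or timed-out
// pushes inside a sliding window, and notes whether an approval followed the burst.
func detectPushBombing(events []pushEvent, window time.Duration, threshold int) []alert {
	byUser := map[string][]pushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []alert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		a := alert{User: u}
		var rejected []time.Time // unanswered pushes still inside the window
		for _, e := range evs {
			if e.Result == "approved" {
				// An approval soon after a burst is the worst case: the user gave in.
				if a.Attempts > 0 && e.Time.Sub(a.WindowEnd) <= window {
					a.Approved = true
				}
				continue
			}
			rejected = append(rejected, e.Time)
			for e.Time.Sub(rejected[0]) > window { // drop pushes that fell out of the window
				rejected = rejected[1:]
			}
			if len(rejected) >= threshold && len(rejected) > a.Attempts {
				a.Attempts, a.WindowEnd = len(rejected), e.Time
			}
		}
		if a.Attempts > 0 {
			alerts = append(alerts, a)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// runSample applies a 10-minute window and a threshold of 5 pushes to the constructed log.
func runSample() ([]alert, error) {
	events, err := parseLog(sampleLog)
	if err != nil {
		return nil, err
	}
	return detectPushBombing(events, 10*time.Minute, 5), nil
}

func main() {
	alerts, err := runSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d unanswered pushes ending %s, approved afterwards: %v\n",
			a.User, a.Attempts, a.WindowEnd.Format(time.RFC3339), a.Approved)
	}
}
```

On the constructed data only cfo@example.com is flagged: six unanswered pushes in four minutes and then an approval, which is the case that should page the on-call engineer and trigger a session revoke and password reset. The single denial for alice and the two timeouts hours apart for bob are ordinary user behaviour and stay below the threshold. Tune the window and threshold to your own baseline of accidental denials.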
Real-Time Phishing Proxies (AiTM)
Adversary-in-the-Middle (AiTM) phishing proxies sit between the victim and the legitimate login page. The victim enters their credentials and MFA code on what appears to be a legitimate Microsoft login page but is actually served from the attacker’s domain. The proxy forwards the credentials and MFA code to the real site in real time and captures the session cookie the real site issues, so the attacker is signed in without ever needing to pass MFA again. This defeats every form of traditional MFA in which the user types or approves something, TOTP codes included. The only defense is phishing-resistant MFA such as FIDO2 hardware keys: the authentication is cryptographically bound to the legitimate domain, so a response produced on the attacker’s page is rejected and cannot be replayed.
SIM Swapping
SIM swapping — convincing a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM — enables attackers to receive SMS-based MFA codes. Houston business executives are high-value SIM swap targets. The defense: move executives and high-privilege accounts from SMS MFA to authenticator app or hardware key MFA.
Phishing-Resistant MFA: The Solution
Phishing-resistant MFA using FIDO2 hardware keys (YubiKey, etc.) or Windows Hello for Business cannot be bypassed by phishing proxies because authentication is cryptographically bound to the legitimate domain. SpaceTown IT deploys phishing-resistant MFA for high-privilege and high-risk accounts at Houston businesses.
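The two sections above (AiTM proxies and phishing-resistant MFA) both come down to one server-side check, and it is easier to trust it once you have seen it run. The Go program below is an added example for this article, not SpaceTown IT’s code or any vendor’s library. It simulates, with the WebAuthn data layout, a FIDO2 key scoped to a constructed relying party (login.example.com): the browser records the origin the page is really served from in clientDataJSON, the key signs authenticatorData together with the hash of that clientDataJSON, and the server checks challenge, origin, rpIdHash and signature. The genuine login verifies; the same key used on an attacker’s lookalike origin is rejected, and a captured assertion replayed against a later challenge is rejected too. Attestation and sign-counter handling are omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the clientDataJSON fields that matter here. The browser,
// not the web page, fills in Origin from the address bar.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the server after navigator.credentials.get().
type assertion struct {
	ClientDataJSON, AuthData, Signature []byte
}

// authenticator stands in for a FIDO2 key holding one credential scoped to rpID.
type authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the value a WebAuthn signature covers.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// get simulates browser plus key: the browser records the origin the page is
// really served from, and the key signs over it. Neither can be told to lie.
func (a *authenticator) get(challenge, pageOrigin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash | flags (UP set) | 32-bit sign counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// relyingParty is the server side: its own rpID, its origin and the registered public key.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// verify performs the checks that make the credential phishing-resistant.
func (rp relyingParty) verify(expectedChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.origin)
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// demo returns the outcome for a genuine login, an AiTM-proxied login and a replay.
// Domains and challenges are constructed; real challenges are random per ceremony.
func demo() (legit, proxied, replayed error) {
	const rpID, origin = "login.example.com", "https://login.example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	key := &authenticator{priv: priv, rpID: rpID}
	rp := relyingParty{rpID: rpID, origin: origin, pub: &priv.PublicKey}

	a1, err := key.get("challenge-1", origin) // 1. user really is on the legitimate page
	if err != nil {
		return err, err, err
	}
	legit = rp.verify("challenge-1", a1)

	// 2. AiTM: the proxy relays the genuine challenge, but the browser is on the proxy's
	//    origin, so that is what gets signed. (A real browser would refuse even earlier,
	//    since rpID is not a suffix of that host; letting it through shows the server check.)
	a2, err := key.get("challenge-2", "https://login-example.com.evil.test")
	if err != nil {
		return err, err, err
	}
	proxied = rp.verify("challenge-2", a2)

	replayed = rp.verify("challenge-3", a1) // 3. captured genuine assertion, later challenge
	return legit, proxied, replayed
}

func main() {
	legit, proxied, replayed := demo()
	fmt.Println("genuine:", legit, "\nproxied:", proxied, "\nreplayed:", replayed)
}
```

Contrast this with a TOTP code or a push approval: nothing in those ties the response to the page it was entered on, which is exactly the gap the proxy exploits. Here the origin is written by the browser, covered by the signature, and compared by the server, so the proxy has nothing usable to forward.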
Upgrade Your MFA
SpaceTown IT deploys and manages enterprise MFA for Houston businesses including phishing-resistant options. See also Entra ID Conditional Access. Call (832) 304-9748.
Protect your Houston business from these threats
SpaceTown IT serves Houston businesses with veteran-owned, expert IT and cybersecurity services. Call (832) 304-9748 or book a free assessment.