TL;DR: Microsoft warned that attackers are bypassing MFA by stealing tokens and cookies through adversary-in-the-middle and pass-the-cookie techniques, then using them to access high-privilege accounts and cloud resources, according to Axiad’s summary of the warning. The core problem is that session trust, not just authentication strength, now determines whether identity controls hold.
At a glance
What this is: This is an independent analysis of MFA bypass attacks, showing how token theft and session hijacking let attackers sidestep otherwise strong authentication.
Why it matters: It matters because IAM teams must treat device trust, session lifetime, and privilege separation as part of identity security, not as optional hardening around MFA.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Context
MFA bypass attacks exploit a simple weakness in many identity programmes: authentication succeeds, but the session becomes the new trust boundary. When attackers steal tokens or cookies from unmanaged devices, they do not need to break the login flow itself, only the assumption that a valid session is still trustworthy after issuance.
For IAM teams, this is not just a user-authentication problem. It affects human identity controls, privileged access separation, and the governance of cloud sessions that can be replayed outside the organisation’s security perimeter. The article is focused on a common and widely observed control gap, not an edge case.
The same pattern also exposes broader identity blind spots. Device posture, conditional access, and privileged session handling have to work together, or MFA becomes a speed bump rather than a boundary.
Key questions
Q: How should security teams reduce the risk of MFA bypass attacks?
A: Security teams should combine phishing-resistant MFA, device compliance checks, and shorter session lifetimes so a stolen token has less value. They should also separate privileged identities from ordinary accounts and monitor for replayable session artefacts. MFA is only one layer, and it weakens quickly if the session itself is not governed.
Q: Why do unmanaged devices increase the risk of token theft?
A: Unmanaged devices often lack the security controls needed to stop cookie theft, malware, or session replay. When users authenticate on personal endpoints, attackers can steal browser session artefacts without needing the password. That makes endpoint trust part of identity trust, especially for cloud applications and privileged access.
Q: What breaks when organisations rely on MFA alone?
A: MFA alone breaks down when attackers capture the authenticated token or cookie after login and reuse it elsewhere. The organisation may still believe authentication succeeded, but the session is already compromised. This is why identity programmes need conditional access, device posture, and privileged session controls together.
Q: Who is accountable when a stolen session leads to tenant compromise?
A: Accountability usually spans IAM, endpoint security, and application owners because the failure crosses authentication, device trust, and privilege design. A stolen session that reaches tenant control is not a single-team issue. It shows that governance must cover session duration, privileged identity separation, and detection of abnormal token use.
Technical breakdown
Adversary-in-the-middle MFA bypass
Adversary-in-the-middle, or AiTM, attacks place a malicious proxy between the user and the real application. The proxy captures credentials and the MFA token in transit, then forwards the authenticated session to the attacker. Tools such as Evilginx2 are commonly used for this pattern because they preserve the victim’s normal login experience while silently harvesting reusable session artefacts. The security issue is not weak MFA alone, but the fact that the session token becomes portable once issued.
Practical implication: require phishing-resistant MFA for privileged users and applications where session replay would be high impact.
Pass-the-cookie and browser session theft
Pass-the-cookie attacks target authenticated browser cookies instead of passwords. If an unmanaged device is compromised, an attacker can copy the browser cookie and reuse it in another session, bypassing the original authentication checks. This works because cookies often represent an already-approved identity state, not an ongoing trust decision. The article’s key point is that MFA completion does not protect a session if the session artefact itself can be stolen from the endpoint.
Practical implication: shorten session lifetime, enforce device controls, and block corporate access from unmanaged endpoints where feasible.
Privilege segregation and token blast radius
The article highlights that stolen tokens become far more dangerous when they belong to Global Admins, Billing Admins, or Authentication Admins. In identity terms, the issue is blast radius, not just access. A valid token for a privileged role can enable tenant takeover, security configuration changes, and access to finance or productivity systems. Separating privileged users into cloud-only identities reduces the chance that an on-premises compromise cascades into full tenant control.
Practical implication: split privileged identities from everyday user accounts and monitor for high-risk role use and tenant modifications.
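The three practical implications above compose into one server-side decision about whether a presented session is still trustworthy. The following is an added example, not code from the page, Microsoft or Axiad: a small policy evaluator that binds a session to the device it was issued to, denies privileged roles on unmanaged devices or non-phishing-resistant MFA, and forces reauthentication on age or on sensitive operations. Role names come from the article; the lifetimes, device ids and `make_session` helper are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Roles the article singles out as tenant-level blast radius if their session is replayed.
PRIVILEGED_ROLES = {"Global Administrator", "Billing Administrator", "Authentication Administrator"}

# Assumed policy values, constructed for this example (tune to your tenant).
MAX_SESSION_AGE = timedelta(hours=8)            # ordinary users
PRIVILEGED_MAX_AGE = timedelta(hours=1)         # admins: much shorter replay window
SENSITIVE_REAUTH_WINDOW = timedelta(minutes=15) # role changes, tenant settings, etc.

@dataclass
class Session:
    user: str
    roles: set
    issued_at: datetime
    last_auth_at: datetime
    phishing_resistant: bool   # FIDO2/passkey-style MFA vs. push or OTP that an AiTM proxy can relay
    device_managed: bool       # compliant corporate endpoint vs. unmanaged personal device
    bound_device_id: str       # device the token was issued to (token/device binding)

NOW = datetime(2025, 9, 16, 12, 0, tzinfo=timezone.utc)  # constructed reference time

def make_session(user, roles, age_min, since_auth_min, phishing_resistant=True,
                 device_managed=True, device_id="dev-1"):
    """Build a session issued age_min minutes ago whose last MFA was since_auth_min minutes ago."""
    return Session(user, set(roles), NOW - timedelta(minutes=age_min),
                   NOW - timedelta(minutes=since_auth_min), phishing_resistant, device_managed, device_id)

def evaluate(session: Session, device_id: str, sensitive: bool, now: datetime) -> str:
    """Decide 'allow', 'reauth' or 'deny' for a request that presents this session."""
    privileged = bool(session.roles & PRIVILEGED_ROLES)
    # A token presented from a device other than the one it was bound to is the
    # pass-the-cookie / AiTM replay case: the artefact, not the user, has moved.
    if device_id != session.bound_device_id:
        return "deny"
    # Privileged roles: no unmanaged devices and no MFA that a proxy can replay.
    if privileged and (not session.device_managed or not session.phishing_resistant):
        return "deny"
    # Shorter lifetime makes a stolen token worth less; admins get the shortest.
    max_age = PRIVILEGED_MAX_AGE if privileged else MAX_SESSION_AGE
    if now - session.issued_at > max_age:
        return "reauth"
    # Sensitive operations need a recent authentication, not just a live session.
    if sensitive and now - session.last_auth_at > SENSITIVE_REAUTH_WINDOW:
        return "reauth"
    return "allow"
```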
Threat narrative
Attacker objective: The attacker wants a reusable authenticated session that bypasses MFA and grants access to privileged cloud resources without needing the password again.
- Entry occurs when the attacker positions an adversary-in-the-middle proxy or steals a browser cookie from an unmanaged personal device.
- Credential access happens when the victim completes MFA and the attacker captures the resulting token or session artefact for reuse.
- Impact follows when the attacker replays the token to access high-privilege cloud accounts, alter tenant settings, or move into sensitive applications.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Internet Archive breach — unsecured GitLab authentication tokens exposed 31M Internet Archive accounts.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Session trust is now the real identity boundary. MFA proves authentication happened, but it does not guarantee that the session remains trustworthy after the token is issued. That makes token theft, cookie replay, and unmanaged-device exposure governance problems, not just endpoint problems. Practitioners should treat session state as an identity asset with its own control requirements.
Privilege separation matters more once MFA can be bypassed. A stolen session for a standard user is bad; a stolen session for a Global Admin can become tenant compromise. The article shows why standing privilege in cloud identity is the real escalation multiplier. IAM programmes that do not separate privileged identities and monitor their use are accepting unnecessary blast radius.
Conditional access only works when device trust is real. The article’s recommendations rely on device visibility, security baselines, and controls that distinguish managed from unmanaged endpoints. That means identity policy cannot be isolated from endpoint posture, because a valid MFA session from an untracked personal device is materially weaker than the same session from a controlled corporate device. Practitioners should align access policy with endpoint trust signals.
Session replay is a governance failure, not a single control failure. The pattern exposes a broader weakness in many programmes: authentication is verified once, then treated as durable. That assumption fails when attackers can steal a token and use it outside the original context. The implication is that IAM teams must govern how long a session remains valid, who can replay it, and where it can be used.
Identity attack surface is expanding beyond passwords. The shift from password theft to token theft shows that the attack surface now includes browser state, session lifetime, and privileged role design. This is where the article connects human IAM to NHI thinking: the same discipline that governs secret exposure and rotation also applies to session artefacts and trust boundaries. Practitioners should widen identity controls beyond login events.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For the deeper control model, review 52 NHI Breaches Analysis for recurring failure patterns across identity compromise and privilege abuse.
What this signals
Session governance is becoming a first-class identity control. As MFA bypass methods mature, programmes that treat authentication as a one-time event will keep missing the real risk. The practical shift is toward continuous evaluation of device trust, token lifetime, and privileged session scope, because those controls define whether a login remains defensible after initial success.
Identity teams should expect more overlap between human IAM and NHI-style control thinking. Tokens, cookies, and other session artefacts behave like reusable secrets once stolen, which means governance models built around secret handling, blast radius reduction, and revocation now apply more broadly to human sessions. That is why identity programmes need shared policy language across users, workloads, and privileged operators.
Session artefacts create identity debt. The longer a token remains valid, the larger the compromise window becomes, especially on unmanaged devices and in privileged cloud roles. Teams that can measure where sessions persist, where they can be replayed, and which roles can be hijacked are better positioned to reduce exposure before an attacker turns one login into tenant-wide access.
For practitioners
- Deploy phishing-resistant MFA for privileged access: Require stronger authentication methods for administrators and high-risk business applications, especially where token replay would expose tenant-level control. Keep legacy MFA out of privileged paths whenever possible.
- Reduce the value of stolen sessions: Shorten session lifetime, enforce reauthentication for sensitive operations, and block access from unmanaged devices when corporate policy allows. Pair conditional access with device compliance signals so a token is not the only trust signal.
- Separate privileged identities from daily-use accounts: Move Global Admins, Billing Admins, and Authentication Admins into dedicated cloud-only identities and watch for role changes, tenant modifications, and suspicious token activity.
- Instrument detection for token abuse patterns: Alert on high-severity identity events, token re-use anomalies, and changes to security configurations, Exchange transport rules, and privileged roles. Use those signals to drive rapid revocation and session invalidation.
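Detection logic for the token-abuse patterns in the last item, as an added example that is not from the page, Microsoft or Axiad: it runs over constructed sign-in records (the field names, session ids, addresses and 30-minute window are assumptions) and flags the same session artefact presented from a different network and browser shortly after it was first seen, plus any privileged-role use from a non-compliant device.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Billing Administrator", "Authentication Administrator"}
REPLAY_WINDOW = timedelta(minutes=30)  # assumed: how soon a second presentation counts as replay

# Constructed sign-in records (not real tenant data): a normal user whose session stays put,
# and an admin whose session id is later presented from a second network and browser.
SAMPLE_LOG = """
{"time":"2025-09-16T08:00:00Z","user":"alice@example.test","session_id":"s-1","ip":"203.0.113.10","ua":"Edge/Win","compliant":true,"roles":[]}
{"time":"2025-09-16T08:05:00Z","user":"alice@example.test","session_id":"s-1","ip":"203.0.113.10","ua":"Edge/Win","compliant":true,"roles":[]}
{"time":"2025-09-16T09:00:00Z","user":"admin@example.test","session_id":"s-2","ip":"203.0.113.20","ua":"Chrome/Win","compliant":true,"roles":["Global Administrator"]}
{"time":"2025-09-16T09:12:00Z","user":"admin@example.test","session_id":"s-2","ip":"198.51.100.7","ua":"Chrome/Linux","compliant":false,"roles":["Global Administrator"]}
"""

def parse(log_text):
    """Parse JSON-lines sign-in records and return them sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])

def detect(log_text):
    """Return alerts for session replay and privileged use from unmanaged devices."""
    alerts = []
    seen = defaultdict(list)  # session_id -> [(time, ip, ua), ...]
    for e in parse(log_text):
        privileged = bool(set(e["roles"]) & PRIVILEGED_ROLES)
        # Rule 1: the same session artefact shows up from a different network and
        # browser within the window. Severity tracks blast radius of the role.
        for t, ip, ua in seen[e["session_id"]]:
            if (ip, ua) != (e["ip"], e["ua"]) and e["time"] - t <= REPLAY_WINDOW:
                alerts.append({"rule": "session_replay", "user": e["user"],
                               "session_id": e["session_id"],
                               "severity": "high" if privileged else "medium"})
                break
        seen[e["session_id"]].append((e["time"], e["ip"], e["ua"]))
        # Rule 2: a privileged role exercised from a non-compliant (unmanaged) device.
        if privileged and not e["compliant"]:
            alerts.append({"rule": "privileged_unmanaged_device", "user": e["user"],
                           "session_id": e["session_id"], "severity": "high"})
    return alerts
```

Either alert is a trigger for the revocation and session invalidation the item above calls for, rather than something to queue for later review.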
Key takeaways
- MFA bypass attacks show that authentication alone is not enough when tokens and cookies can be stolen after login.
- Privileged identities create the biggest blast radius, so session replay against admins is materially more dangerous than ordinary account compromise.
- The control that matters most is the combination of phishing-resistant MFA, device trust, short session lifetimes, and privileged identity separation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | MFA bypass weakens identity assurance and access control at the session layer. |
| NIST Zero Trust (SP 800-207) | PA | Token replay shows why access should depend on continuous verification and context. |
| NIST SP 800-63 | | Phishing-resistant authentication aligns with digital identity assurance guidance. |
Bind access decisions to device posture, session risk, and reauthentication triggers.
Key terms
- Adversary-in-the-Middle Attack: An adversary-in-the-middle attack inserts a malicious proxy between the user and the real service so credentials and session artefacts can be captured in transit. In identity terms, the login may appear valid while the attacker quietly steals the token needed to replay the session elsewhere.
- Pass-the-Cookie Attack: A pass-the-cookie attack reuses a stolen browser cookie to impersonate an already authenticated session. The attacker does not need the password if the cookie still represents a live identity state. This is especially dangerous when the cookie belongs to a privileged account or an unmanaged device.
- Session Replay Risk: Session replay risk is the chance that a valid authentication artefact can be copied and used again from another device or browser. It matters because many identity controls verify the login event, not the continued legitimacy of the session after authentication has finished.
- Privileged Identity Separation: Privileged identity separation means keeping administrative access distinct from everyday user identities so compromise does not automatically grant high-impact permissions. In practice, it reduces blast radius, makes monitoring clearer, and gives security teams a cleaner way to govern high-risk cloud roles.
Deepen your knowledge
MFA bypass attacks and session trust are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your identity programme is still centred on login-time verification, this course helps you broaden the model to tokens, sessions, and blast radius.
This post draws on content published by Axiad: Microsoft's warning about how hackers are bypassing MFA. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org