
M365 MFA bypasses: are your token and auth controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Attackers are bypassing Microsoft 365 MFA by abusing long-lived tokens, legacy authentication, and missing token binding rather than malware, according to Abnormal AI. The real control failure is that many organisations still treat MFA as sufficient while session policy, reauthentication, and legacy protocol exposure continue to create post-login attack paths.

NHIMG editorial — based on content published by Abnormal AI: Microsoft 365 MFA bypasses through long-lived tokens, legacy auth, and posture gaps

By the numbers:

Questions worth separating out

Q: How should security teams reduce Microsoft 365 MFA bypass risk?

A: They should focus on the controls that make MFA meaningful after login: disable legacy authentication, shorten token lifetimes, and bind sessions to device context.

Q: Why do long-lived tokens create more risk than a failed password attack?

A: A failed password attack ends at the login screen, but a stolen token can preserve access after MFA and keep working until it expires or is revoked.

Q: What do teams get wrong about Conditional Access and legacy protocols?

A: They often assume Conditional Access covers all sign-ins equally, but legacy protocols can bypass the modern policy layer entirely.

Practitioner guidance

  • Audit all enabled authentication protocols: Identify every Microsoft 365 sign-in path that still accepts legacy authentication, then remove exceptions that bypass Conditional Access and MFA.
  • Shorten token lifetimes and reauthentication windows: Review default session settings for high-risk user groups and reduce the period in which a stolen token remains valid.
  • Bind sessions to device context: Use device binding or equivalent controls so a token captured on one endpoint cannot be replayed freely elsewhere.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how Gamma App, BAV2ROPC, and Docusign-hosted phishing campaigns bypass MFA in Microsoft 365.
  • Guided remediation steps for Continuous Access Evaluation, legacy authentication removal, and token binding.
  • Posture management workflow detail showing how misconfigurations are discovered, prioritised, and remediated over time.
  • Operational context on how Microsoft 365 settings drift silently and how to verify control coverage across tenants.

👉 Read Abnormal AI's analysis of Microsoft 365 MFA bypass through tokens and legacy auth →
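The practitioner guidance above (audit legacy protocols, shorten token lifetimes, check that Conditional Access actually applied) can be turned into a concrete review of sign-in logs. The following is an added example, not code from Abnormal AI or from this forum's editorial; it runs over constructed sample records whose field names follow the Microsoft Graph signIn resource as I understand it (clientAppUsed, conditionalAccessStatus, authenticationRequirement, createdDateTime), and the list of legacy client-app values, the 12-hour session threshold, and the user names are assumptions for illustration. Verify the field names and values against your own tenant's exported sign-in logs before relying on them.

```python
"""Audit Microsoft 365 sign-in records for legacy-auth, missing Conditional
Access, single-factor sign-ins, and sessions older than a maximum age.

Constructed example for illustration; field names follow the Microsoft Graph
signIn resource (assumption), and the sample records below are hand-built.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# clientAppUsed values that indicate legacy (basic) authentication, which
# bypasses the modern Conditional Access layer. Assumed list; confirm against
# your tenant's own sign-in logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)", "Exchange Online PowerShell",
}

# Assumed policy: any session whose sign-in is older than this should have
# been forced to reauthenticate by now.
MAX_SESSION_AGE = timedelta(hours=12)

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed sample sign-in records; not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "createdDateTime": "2025-01-15T08:30:00Z"},
    {"userPrincipalName": "bob@example.test", "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication",
     "createdDateTime": "2025-01-15T08:45:00Z"},
    {"userPrincipalName": "carol@example.test", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication",
     "createdDateTime": "2025-01-14T10:00:00Z"},
    {"userPrincipalName": "dave@example.test",
     "clientAppUsed": "Exchange ActiveSync",
     "conditionalAccessStatus": "success",
     "authenticationRequirement": "singleFactorAuthentication",
     "createdDateTime": "2025-01-15T08:50:00Z"},
]


def _parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_signins(records, now=NOW, max_age=MAX_SESSION_AGE):
    """Return (user, issue, detail) findings for each control gap observed."""
    findings = []
    for rec in records:
        upn = rec["userPrincipalName"]
        client = rec["clientAppUsed"]
        # Legacy protocol: MFA and Conditional Access cannot be enforced here.
        if client in LEGACY_CLIENT_APPS:
            findings.append((upn, "legacy-auth", client))
        # Conditional Access never evaluated this sign-in at all.
        if rec["conditionalAccessStatus"] == "notApplied":
            findings.append((upn, "ca-not-applied", client))
        # Sign-in completed without a second factor.
        if rec["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append((upn, "single-factor", client))
        # Session issued longer ago than the reauthentication window allows.
        age = now - _parse_time(rec["createdDateTime"])
        if age > max_age:
            findings.append((upn, "session-exceeds-max-age", str(age)))
    return findings


def protocols_to_disable(records):
    """Set of legacy client apps actually seen, i.e. what to block first."""
    return {r["clientAppUsed"] for r in records
            if r["clientAppUsed"] in LEGACY_CLIENT_APPS}


def summarise(findings):
    """Count findings per issue type for a quick posture overview."""
    return dict(Counter(issue for _, issue, _ in findings))


if __name__ == "__main__":
    results = audit_signins(SAMPLE_SIGNINS)
    for user, issue, detail in results:
        print(f"{user:20} {issue:24} {detail}")
    print("summary:", summarise(results))
    print("legacy protocols observed:", sorted(protocols_to_disable(SAMPLE_SIGNINS)))
```

In practice the records would come from a sign-in log export rather than the inline list; the point of the three checks is that they map one-to-one onto the guidance above, so a single pass over the logs tells you which protocols still need disabling, which users are getting through without Conditional Access, and which sessions have outlived the reauthentication window you intended.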

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Microsoft 365 MFA is only as strong as the session policies around it. The control failure here is not that MFA was absent, but that post-authentication access remained usable for too long through long-lived tokens and weak reauthentication. In governance terms, the real boundary is the session, not the login screen. Practitioners should treat MFA effectiveness as a lifecycle issue for access tokens, not a one-time authentication event.

Post-MFA access is now the control surface that matters. Teams that still treat MFA as the endpoint of authentication will miss the session, protocol, and token problems that attackers actually exploit. The practical shift is to govern identity proof after issuance, not just at the sign-in moment, and to review legacy authentication with the same scrutiny as privileged access paths.

A question worth separating out:

Q: Who is accountable when a valid session token is replayed?

A: Accountability usually spans IAM, endpoint, and cloud platform owners because replay indicates a control gap across session governance, device context, and authentication policy. The key question is whether the organisation had explicit controls for token binding, reauthentication, and legacy-auth removal. If not, the failure is architectural, not just operational.

👉 Read our full editorial: M365 MFA bypasses stem from tokens, legacy auth, and posture gaps
