Introduction
In the last two years, attackers turned MFA bypass into a business. Phishing kits intercept tokens in real time. Fatigue tactics grind users until they click “approve.” SIM swaps take minutes, not hours. From ransomware crews to state operators, bypass is now routine. This dossier tracks how the techniques spread, the breaches they drove, and what defenders must change before the next wave lands.
Historical Evolution
- Before 2020: MFA bypass was crude. SIM swaps and basic phishing.
- 2021–2022: Lapsus$ showed how push bombing breaks people, not systems. Uber, Cisco, and Okta all fell. Several core members were later identified and prosecuted, but copycats and derivative crews continue to use their tradecraft.
- 2023: Infostealers like RedLine harvested session tokens. Evilginx matured from PoC to weapon.
- 2024–2025: Kits like Tycoon 2FA industrialized bypass. State groups added social engineering at scale. Governments began forcing phishing-resistant MFA into policy.
Technical Breakdown
- Adversary-in-the-Middle (AiTM): Reverse proxies intercept logins and cookies. Tycoon 2FA set the pace.
- Session Hijacking / Token Theft: Infostealers and malware pull tokens from browsers and apps, keeping sessions alive after passwords change.
- MFA Fatigue: Repeated prompts wear people down until one goes through.
- SIM Swapping: eSIM provisioning shrank attack time from hours to minutes. Voice cloning beats carrier checks.
- Vendor Flaws: Azure’s “AuthQuake” bug extended TOTP windows, making brute-force bypass practical.
- App-Specific Passwords: Russian campaigns abused Google’s feature to sidestep MFA altogether.
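The AuthQuake item above comes down to two server-side knobs: how many time steps a TOTP verifier accepts around "now", and how many wrong codes it tolerates before it stops evaluating guesses. The following is an added illustration, not code from the page or from any vendor: a minimal RFC 6238 verifier with both limits, plus a back-of-envelope estimate of how the bypass probability grows when either limit is loosened (the `window` and `max_attempts` values are assumed defaults, not Microsoft's).

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    return hotp(secret, now // step, digits)

class TotpVerifier:
    """Server-side check that bounds both the accepted time window and failed attempts.
    window=1 and max_attempts=5 are assumed sane defaults for this example."""

    def __init__(self, secret: bytes, window: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.window = window            # +/- time steps tolerated for clock skew
        self.max_attempts = max_attempts
        self.failures = 0

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= self.max_attempts:
            return False                # locked out: further guesses are never evaluated
        step = now // 30
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, step + delta), code):
                self.failures = 0       # success resets the counter
                return True
        self.failures += 1
        return False

def guess_success_probability(window: int, attempts: int, digits: int = 6) -> float:
    """Approximate chance that `attempts` random codes hit one of the 2*window+1
    accepted codes (treats accepted codes as distinct; collisions are ignored)."""
    accepted = 2 * window + 1
    return 1.0 - (1.0 - accepted / 10 ** digits) ** attempts
```

With a one-step window and five attempts the chance of a lucky guess is on the order of 1e-5; widening the window to several minutes and removing the attempt cap pushes it into the percent range, which is the gap the advisory describes.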
Case Studies
- Scattered Spider (2025): FBI and CISA confirmed the group blended SIM swaps, fatigue, and helpdesk impersonation to breach enterprises.
- Azure AuthQuake (2024): Oasis Security exposed a misconfigured MFA timer that enabled silent brute-force.
- APT29 vs Gmail (2025): Google tied Russian operators to a campaign tricking academics into generating app-specific passwords.
- Tycoon 2FA Campaigns (2024–2025): Proofpoint tracked phishing-as-a-service campaigns bypassing MFA across thousands of orgs.
- Change Healthcare (2023–2024): Attackers exploited missing MFA controls to infiltrate critical systems. Congressional testimony confirmed stolen credentials were used against a Citrix portal lacking MFA. The breach disrupted nationwide healthcare payment processing, forcing hospitals into manual billing and costing UnitedHealth an initial $872M — later revised to over $2.8B by the end of 2024.
- Crypto.com (2022): Attackers bypassed 2FA on January 17, 2022, compromising 483 accounts and stealing $34M.
- Coinbase (2021): Between March and May 2021, attackers exploited SMS recovery flaws to drain funds from over 6,000 accounts.
- Uber (2022): Contractors pushed into MFA fatigue gave attackers internal access.
- Cisco (2022): MFA bombing paired with voice phishing compromised corporate edge systems.
- Okta (2022): Lapsus$ spammed a support engineer with prompts until RDP access was approved, impacting 366 customers.
Strategic Implications
For Defenders
- Enforce phishing-resistant MFA (FIDO2, WebAuthn, hardware keys).
- Retire SMS and push-only methods.
- Monitor for token replay and impossible-travel sessions.
- Lock down helpdesk reset workflows.
- Shorten token lifetimes and bind refresh to managed devices.
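Two of the monitoring points above (token replay, impossible travel) can be checked from ordinary sign-in telemetry. This is an added example, not part of the dossier: it runs over a few constructed sign-in events (sample IPs from RFC 5737 ranges, made-up session ids and geo-IP coordinates) and flags a session id that reappears from a new source IP and a user whose consecutive sign-ins imply travel faster than an assumed 900 km/h ceiling.

```python
import json
import math
from datetime import datetime

# Constructed sample sign-in events (not real logs); lat/lon is the geo-IP of the source address.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:00Z","user":"alice","sid":"sess-1","ip":"203.0.113.5","lat":51.50,"lon":-0.12}
{"ts":"2025-01-10T09:20:00Z","user":"alice","sid":"sess-1","ip":"198.51.100.7","lat":40.71,"lon":-74.00}
{"ts":"2025-01-10T09:30:00Z","user":"bob","sid":"sess-2","ip":"192.0.2.10","lat":48.85,"lon":2.35}
{"ts":"2025-01-10T12:30:00Z","user":"bob","sid":"sess-3","ip":"192.0.2.11","lat":52.52,"lon":13.40}
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def detect(events, max_kmh=900.0, geo_tolerance_km=50.0):
    """Return (kind, user, detail) alerts: a session id reused from a new source IP
    (a replayed session cookie) and per-user travel faster than max_kmh.
    geo_tolerance_km absorbs geo-IP jitter for back-to-back sign-ins."""
    alerts = []
    last_seen = {}      # user -> (time, event) of that user's previous sign-in
    session_ip = {}     # sid -> source IP that first established the session
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        origin = session_ip.setdefault(ev["sid"], ev["ip"])
        if origin != ev["ip"]:
            alerts.append(("session_reuse_new_ip", ev["user"], ev["sid"]))
        if ev["user"] in last_seen:
            prev_t, prev_ev = last_seen[ev["user"]]
            hours = (t - prev_t).total_seconds() / 3600
            km = haversine_km(prev_ev["lat"], prev_ev["lon"], ev["lat"], ev["lon"])
            if km > geo_tolerance_km and (hours == 0 or km / hours > max_kmh):
                alerts.append(("impossible_travel", ev["user"], round(km / hours) if hours else None))
        last_seen[ev["user"]] = (t, ev)
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data alice trips both rules (same session id from a second IP, London to New York in 20 minutes), while bob's Paris-to-Berlin sign-ins three hours apart stay under the ceiling.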
For Regulators
- Push phishing-resistant standards into critical sectors.
- Force telecom accountability on SIM swap prevention.
- Require breach reporting that includes authentication bypass vectors.
For Attackers
- MFA bypass is affordable, scalable, and available as a service. Kits and malware will keep lowering the bar.
Future Outlook
- AI impersonation: Voice cloning and deepfakes will erode trust in verification calls and video ID.
- Phishing-as-a-Service growth: Kits will add automated token replay and machine-learning evasion.
- Hardware keys: Enterprises will migrate toward TPMs and cryptographic devices as baselines.
- Regulatory lag: Compliance moves slowly. Attackers will enjoy a multi-year window before mandates close.
Conclusion
MFA is not broken, but it is no longer enough. Attackers treat bypass as routine. Defenders still treat MFA as victory. That gap is why breaches keep landing. Real progress will be measured in tokens invalidated, resets denied, and replay stopped in motion. Until organizations move to phishing-resistant authentication and harden recovery, MFA bypass will remain one of the fastest ways in.
References
Source: FBI IC3 & CISA
Title: “Joint Cybersecurity Advisory – Scattered Spider Operations”
Date: July 2025
URL: https://www.ic3.gov/CSA/2025/250729.pdf
Source Type: Government Threat Advisory
Attribution Confidence: High
Source: Oasis Security
Title: “Oasis Security Research Team Discovers Microsoft Azure MFA Bypass”
Date: December 2024
URL: https://www.oasis.security/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass
Source Type: Vulnerability Research
Attribution Confidence: High
Source: Microsoft
Title: “Microsoft Digital Defense Report 2024”
Date: October 2024
URL: https://hallboothsmith.com/microsofts-digital-defense-report-2024/
Source Type: Vendor Threat Report
Attribution Confidence: High
Source: Google Threat Intelligence Group
Title: “Russian Hackers Bypass Gmail MFA with App-Specific Password Ruse”
Date: June 2025
URL: https://www.securityweek.com/russian-hackers-bypass-gmail-mfa-with-app-specific-password-ruse/
Source Type: Vendor Threat Report
Attribution Confidence: High
Source: Proofpoint Threat Intelligence
Title: “Tycoon 2FA Phishing Kit: MFA Bypass Campaigns”
Date: January 2025
URL: https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass
Source Type: Vendor Campaign Analysis
Attribution Confidence: High
Source: CISA
Title: “Guidelines for Preventing MFA-Evading Phishing Attacks”
Date: February 2025
URL: https://blog.softwarfare.com/cisa-publishes-guidelines-for-preventing-mfa-evading-phishing-attacks
Source Type: Government Guidance
Attribution Confidence: High
Source: ERMProtect
Title: “The Top 2024 Cyber Incidents: Lessons Learned and Key Cyber Strategies for 2025”
Date: January 2025
URL: https://ermprotect.com/blog/the-top-2024-cyber-incidents-lessons-learned-and-key-cyber-strategies-for-2025/
Source Type: Incident Analysis
Attribution Confidence: Medium
Source: Eclypses
Title: “Hackers Are Bypassing Multi-Factor Authentication Security”
Date: 2024
URL: https://eclypses.com/news/hackers-are-bypassing-multi-factor-authentication-mfa-security/
Source Type: Vendor Analysis
Attribution Confidence: Medium
Source: Beyond Identity
Title: “Using Push Notifications for MFA Is a Security Liability”
Date: 2023
URL: https://www.beyondidentity.com/resource/using-push-notifications-for-mfa-is-a-security-liability
Source Type: Vendor Guidance
Attribution Confidence: Medium