eastbaycyber

Looking Back: Identity Attacks and MFA Bypass

Threat digests 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-01
Week of 1 MAY 2026

This week reinforced a familiar lesson: identity-based attacks remain one of the fastest paths to compromise. Instead of relying on noisy malware or complex exploit chains, attackers keep focusing on account takeover, session hijacking, single sign-on abuse, and practical MFA bypass techniques that let them operate through trusted services.

This retrospective is not about one breach or one vendor. It is about the repeatable patterns that kept showing up and what security teams should do about them.

Valid accounts are still the fastest route

Identity-based attacks keep working because they compress the attack chain. Once an attacker gains access to a valid account, many downstream controls become less effective. Detection becomes harder because the activity may come from normal authentication flows, trusted SaaS apps, residential IP addresses, or legitimate cloud infrastructure.

The attacker no longer needs traditional persistence on an endpoint if they can persist in a tenant. They may not need privilege escalation on a workstation if weak role assignments already exist in the identity layer.

For defenders, identity is no longer just an IT access problem. It is part of the security control plane.

MFA helps, but attackers target the gaps around it

Many organizations still treat MFA as a box to check. In reality, MFA raises attacker cost only when the method is resilient and the surrounding workflows are hardened.

Most MFA bypass activity does not break MFA cryptographically. It bypasses it operationally.

Adversary-in-the-middle phishing

Proxy-based phishing remains one of the most effective ways to defeat traditional MFA. An attacker places a phishing proxy between the user and the real login flow, captures credentials, relays the MFA challenge in real time, and then steals the resulting authenticated session.

The user may complete MFA successfully, but the attacker still gets a usable cookie or token. That is why “MFA enabled” is not the same as “phishing-resistant MFA deployed.”

Push fatigue and prompt bombing

Attackers continue to abuse push-based MFA by sending repeated prompts until one is accepted. They often combine this with social engineering, such as fake help desk calls or urgent warnings that a prompt must be approved to prevent account lockout.

This works because it targets human behavior. If users are trained to approve prompts quickly without strong context, attackers will keep exploiting that weakness.

Session theft instead of credential theft

Another recurring pattern is session hijacking. In these cases, MFA may have worked during login, but the attacker later steals browser cookies, refresh tokens, or active sessions and avoids the MFA challenge entirely.

Infostealers, malicious browser extensions, and local compromise are common causes. Defenders should treat session artifacts as sensitive credentials, not as harmless browser data.

Abuse of recovery and fallback workflows

Attackers also target weaker recovery paths: password resets, device enrollment, support desk verification, legacy protocols, and app-specific passwords. Even when the primary login experience is well protected, these secondary paths can reopen the door.

In practice, the least-defended account recovery path often defines the real security posture.

Why these attacks keep working

The tactics evolve, but the strategic advantages stay the same.

First, identity attacks scale efficiently. A phishing kit, proxy framework, or token-stealing malware family can be reused across many targets.

Second, identity is trusted by design. Once inside a valid account, the attacker inherits business workflows, permissions, and application access. Security controls often assume authenticated users are legitimate.

Third, many organizations still have inconsistent controls. One group may enforce strong conditional access while another still allows legacy authentication. Administrators may be protected well, but contractors or lower-tier users may still have access that creates a foothold.

Finally, many teams collect identity telemetry without operationalizing it. Suspicious sign-ins, repeated MFA denials, new device registrations, risky OAuth consents, and impossible travel events may all be logged but not escalated fast enough.

For a broader look at how monitoring fits into incident detection, see how to build a practical security monitoring baseline.

The shift from endpoint compromise to trust abuse

One of the clearest patterns this week was the continued move from malware-first intrusion to trust-first intrusion.

That does not mean malware disappeared. It means malware is often being used to support identity theft. The real objective may be to capture credentials, tokens, browser artifacts, or device trust that unlocks email, file sharing, collaboration suites, admin portals, or cloud environments.

That shift often makes incidents look quieter than traditional compromise. Instead of obvious ransomware behavior, defenders may see:

  • mailbox rule creation
  • suspicious OAuth or consent activity
  • changes to forwarding settings
  • new MFA methods being registered
  • access from unusual devices
  • privilege changes in identity platforms
  • cloud resource access immediately after a suspicious sign-in

A quiet intrusion is not a harmless intrusion. In many cases, it means the attacker is trying to preserve access and avoid containment.

What this means for security teams

The practical lesson is simple: identity defense must be layered. Asking only whether MFA is enabled is not enough.

Better questions include:

  • Is the MFA method phishing-resistant?
  • Are session tokens protected and invalidated quickly when risk changes?
  • Are risky sign-ins investigated in near real time?
  • Are privileged roles isolated and protected with stronger authentication?
  • Are recovery and help desk workflows hardened against impersonation?
  • Is legacy authentication fully disabled?
  • Is application consent governed and reviewed?

These questions matter because modern identity compromise often happens in the seams: between login and session, between policy and exception, and between user action and platform trust.

What defenders can do next

Start with controls that actually raise attacker cost.

Move to phishing-resistant MFA

Prioritize hardware-backed security keys, passkeys, or other phishing-resistant methods for administrators, remote access users, and high-risk roles. Traditional push prompts and OTP codes are still better than passwords alone, but they should not be the long-term target state.

If your team is evaluating ways to protect employee accounts and public Wi-Fi usage at the same time, a VPN can be useful for travel and remote work, though it does not replace identity controls. Options like Check NordVPN pricing → or Try Proton VPN → may make sense for users who regularly connect from untrusted networks.

Reduce session risk

Shorten token lifetimes where practical, require reauthentication for sensitive actions, and monitor for token misuse. Session theft should be treated with the same urgency as password compromise.

Harden conditional access

Use device posture, location, risk signals, and user context to restrict access. Block legacy authentication completely. Apply stronger controls to privileged roles and high-value applications.

Lock down recovery and enrollment paths

Review password reset flows, MFA method changes, device registrations, and help desk verification procedures. Exception paths are attractive because they are often less monitored and less protected.

Monitor identity telemetry like security telemetry

Alert on repeated MFA denials, impossible travel, new OAuth consents, suspicious inbox rule creation, high-risk sign-ins, and unusual privilege changes. Identity logs should support active detection and response, not just audit requirements.

You may also want to review conditional access best practices for small teams for a practical starting point.

Protect administrative identities separately

Use dedicated admin accounts and stronger authentication requirements for administrative activity. Avoid mixing daily user activity with privileged access wherever possible.

Train users on realistic MFA abuse

Awareness training should cover push fatigue, fake support calls, proxied login pages, and how to report unexpected prompts immediately. Generic phishing advice is not enough anymore.

Rehearse account takeover response

Make sure incident response plans include session revocation, token invalidation, MFA reset procedures, mailbox review, consent grant review, and rapid privilege auditing after suspected compromise.

For endpoint cleanup after a suspected infostealer or browser compromise, a tool like Get Malwarebytes → can be helpful for affected users, especially in small environments without a full EDR stack.

Final takeaway

Looking back at this week, the lesson is clear: attackers do not need to “break in” if they can log in, steal a session, or exploit a weak recovery path. Identity remains the shortest route to control, and MFA only delivers its full value when it is phishing-resistant and supported by strong session, enrollment, and recovery protections.

The goal for defenders is not simply to add more prompts. It is to reduce opportunities for trust abuse across the full identity lifecycle.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-01

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.