
MFA Bypass Campaign Targets Enterprise Cloud Accounts
Phishing kit replays MFA tokens within a 30-second window. Microsoft 365 and Okta tenants seeing the highest volume.
Full summary
Security teams at multiple Fortune 500 companies have reported a coordinated phishing campaign that successfully bypasses time-based MFA (TOTP) and push-notification MFA. The technique is adversary-in-the-middle (AitM): the phishing site proxies the real login page and replays the captured MFA token within the 30-second validity window. Microsoft 365 and Okta tenants are seeing the highest volumes, though any IdP that accepts non-phishing-resistant factors is exposed. Push-notification fatigue ("MFA bombing") is also being used as a secondary technique. The only durable mitigation is phishing-resistant MFA: FIDO2 security keys, platform authenticators with WebAuthn, or certificate-based authentication.
Why it matters
TOTP and push MFA are no longer sufficient against capable adversaries. Organizations relying on these factors should treat them as a stepping stone, not a destination.
Technical explanation
The phishing kits use evilginx2-style reverse proxies and store the captured session cookies indefinitely, so a single successful relay yields persistent access that outlives the MFA code itself. Some samples even satisfy conditional access policies (geolocation and managed-device requirements) by proxying the entire authentication flow, including device-trust attestation.
Business impact
Insurance carriers are starting to require phishing-resistant MFA for coverage. Expect contractual obligations to follow.
⚡ Action needed
Roll out FIDO2 / WebAuthn for all administrative accounts immediately, then expand to user accounts on a 90-day plan. Disable legacy authentication protocols.
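As an added illustration (not code from this article or from any vendor), the script below contrasts the two factor types discussed in the technical explanation and the action item: a relayed TOTP code is accepted by a simulated IdP inside the 30-second window because nothing in the code identifies where it was typed, while a simplified WebAuthn relying-party check rejects the same ceremony run through a proxy domain because the signed client data carries the browser's real origin. The secret (the RFC 6238 test vector), domains and challenge values are constructed, and the authenticator signature is assumed to be verified elsewhere.

```python
import hashlib
import hmac
import json
import struct
# --- TOTP: the code is bound to time only, not to the site that collected it ---
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def idp_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Typical IdP check (current step plus one step of drift). Nothing here says
    where the code was typed, so a proxy relaying it inside the window passes."""
    return any(hmac.compare_digest(submitted, totp(secret, now - d)) for d in (0, 30))

# --- WebAuthn: the signed assertion carries the origin the browser was really on ---
def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_origin: str, rp_id: str, expected_challenge: str) -> bool:
    """Relying-party checks that defeat relay and replay. The authenticator signature
    (assumed verified elsewhere) covers authData || SHA-256(clientDataJSON), so a
    proxy cannot rewrite `origin` without invalidating it."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:   # fresh per ceremony: stops replay
        return False
    if cd.get("origin") != expected_origin:         # set by the browser: stops AitM relay
        return False
    rp_id_hash = auth_data[:32]                     # key is scoped to rp_id by the authenticator
    return hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest())

def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed stand-in for the clientDataJSON the browser builds."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticator data: rpIdHash || flags (UP|UV) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real credential
    code = totp(secret, 59)            # user types this into the phishing page at t=59
    print("TOTP relayed at t=75 accepted:", idp_accepts_totp(secret, code, 75))    # True
    print("TOTP replayed at t=120 accepted:", idp_accepts_totp(secret, code, 120))  # False
    real, phish = "https://login.example.com", "https://login.example.com.proxy.test"  # constructed
    auth = make_auth_data("example.com")
    print("assertion from real origin:", verify_assertion(make_client_data(real, "c1"), auth, real, "example.com", "c1"))
    print("assertion via AitM proxy:", verify_assertion(make_client_data(phish, "c1"), auth, real, "example.com", "c1"))
```

In a real browser the proxied ceremony fails even earlier, because the browser refuses to invoke the authenticator for an rpId that is not a registrable suffix of the page's own origin; the server-side check shown here is the second line of defence.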