You did the right thing. After much frustration, headache, and pushback, you rolled out multi-factor authentication (MFA), required stronger passwords, and finally felt like your business had a real security foundation.
But here is the uncomfortable reality: basic MFA is no longer enough.
We call this the “Invincibility Lie”: the belief that adding a second factor makes your business secure. In today’s threat landscape, attackers are not breaking in. They are logging in. At Argus Cybersecurity and Support, we see this shift every day. Businesses across industries are being compromised despite having MFA in place, because not all MFA is designed to stop modern attacks. The unfortunate reality is that attackers evolve their techniques just as quickly as we build better protections.
The Real Target: Your Session, Not Your Password
Most cyberattacks still begin with stolen credentials, but that is no longer the end goal.
Attackers are now targeting session tokens: temporary authentication credentials issued after login. These tokens allow users to stay signed in without re-entering passwords or MFA. If an attacker steals a valid session token, they can:
Bypass MFA entirely
Access email, files, and cloud systems
Operate as a legitimate user without triggering alarms
This technique is now widely used in advanced phishing campaigns.
The Data Behind the Shift
Microsoft has reported that MFA can block over 99.9% of automated account attacks, but only when implemented securely.
According to recent industry reports, adversary-in-the-middle (AiTM) phishing kits have become widely available, lowering the barrier for attackers.
Verizon’s Data Breach Investigations Report consistently shows that over 70% of breaches involve stolen or compromised credentials.
The takeaway: MFA is still critical, but attackers have adapted.
How Attackers Bypass Basic MFA
MFA Fatigue (Push Bombing)
In this attack, a user is bombarded with repeated login prompts after an attacker obtains their password. Eventually, the user approves a request, often by mistake.

This method gained widespread attention after the 2022 Uber breach, where an attacker repeatedly sent push notifications until an employee accepted one. That single action granted internal access.
Why it works:
Users are conditioned to approve prompts quickly.
Fatigue and distraction lead to mistakes.
Basic MFA relies too heavily on user judgment.
Adversary-in-the-Middle (AiTM) Attacks
AiTM attacks are now one of the most dangerous threats to businesses using cloud services like Microsoft 365.

Here is how they work:
The user clicks a phishing link.
They are taken to a realistic login page controlled by the attacker.
The attacker relays credentials and MFA responses to the real service in real time.
The attacker captures the session token after authentication.
This technique has been used in large-scale campaigns targeting Microsoft 365 accounts, allowing attackers to access email, set up inbox rules, and initiate financial fraud without triggering typical security alerts.
Why This Matters for Your Business
This is not just an IT issue. It is a business risk. If an attacker accesses sensitive systems using a valid session, your organization may face:
Data breach notification requirements under laws like Kentucky’s KRS 365.732
Legal and forensic investigation costs
Loss of customer trust and reputational damage
Denied cyber insurance claims due to inadequate controls

Many insurers now explicitly require phishing-resistant MFA for coverage eligibility. Simply having MFA is no longer enough to meet that standard.
What Strong MFA Looks Like Today
To defend against modern threats, MFA must be phishing-resistant. This means it cannot be easily intercepted, replayed, or approved accidentally.
Number Matching
Number matching improves traditional push-based MFA by requiring users to enter a number displayed on their login screen.

This prevents blind approvals and stops MFA fatigue attacks because:
The attacker does not see the number.
The user must actively verify the login attempt.
It is a simple but highly effective upgrade.
FIDO2 Security Keys
FIDO2-based authentication (such as YubiKey hardware security keys) is currently the gold standard. These hardware keys:
Bind authentication to the legitimate website domain
Do not transmit reusable credentials
Cannot be tricked by phishing or AiTM proxies
Even if a user is fooled into visiting a fake site, the authentication will fail. For executives, finance teams, and administrators, this is one of the most effective protections available today.
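The domain binding described above, and why the AiTM relay in the earlier steps gets nothing useful, as an added example that is not part of the original post. It models the WebAuthn assertion flow with the standard library only: the browser supplies the origin, the authenticator only answers for a credential scoped to that domain, and the relying party checks the challenge, origin and rp_id hash before the signature. REAL_ORIGIN and PHISH_ORIGIN are constructed names, and HMAC stands in for the credential's private-key signature.

```python
import hashlib, hmac, json, os
from urllib.parse import urlparse

REAL_ORIGIN = "https://login.example.com"   # assumed legitimate login site
PHISH_ORIGIN = "https://login-example.co"   # constructed look-alike for the failure case

def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

def sign(key, auth_data, client_data):
    # Simplification: HMAC stands in for the credential's private-key signature
    # so this runs with the standard library; real keys use ECDSA/EdDSA.
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def get_assertion(creds, origin, challenge):
    """Authenticator side. `creds` maps rp_id (site domain) -> credential secret.
    The browser, not the page, supplies `origin`, so the authenticator only
    answers for the domain the user is really on."""
    rp_id = urlparse(origin).hostname
    key = creds.get(rp_id)
    if key is None:
        return None  # no credential for this domain: nothing to phish
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = rp_id_hash(rp_id) + b"\x01"  # flags byte: user present
    return client_data, auth_data, sign(key, auth_data, client_data)

def verify_assertion(key, expected_origin, expected_challenge, assertion):
    """Relying-party side: fresh challenge (no replay), origin and rp_id hash
    (domain binding), then the signature over both."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin or auth_data[:32] != rp_id_hash(urlparse(expected_origin).hostname):
        return False
    return hmac.compare_digest(sig, sign(key, auth_data, client_data))

def login_outcome(user_is_on, replay_old_assertion=False):
    """One login at the real site while the user's browser sits on `user_is_on`."""
    creds = {urlparse(REAL_ORIGIN).hostname: os.urandom(32)}  # key enrolled with the real site
    challenge = os.urandom(16).hex()
    assertion = get_assertion(creds, user_is_on, challenge)
    if replay_old_assertion:
        challenge = os.urandom(16).hex()  # next login gets a new challenge; a captured assertion is stale
    return verify_assertion(creds[urlparse(REAL_ORIGIN).hostname], REAL_ORIGIN, challenge, assertion)
```

A login from the real origin verifies, a login from the look-alike domain produces no assertion at all, and a captured assertion replayed against a later challenge is rejected.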
How Argus Helps Businesses Stay Protected
Cybersecurity is not a one-time deployment, convenient as that would be; it is an ongoing process. At Argus, we focus on:
Continuous monitoring: Detecting anomalies like impossible travel and suspicious session activity
Strategic planning: Aligning your security controls with compliance and cyber insurance requirements
User training: Teaching employees how to recognize modern phishing tactics and social engineering attacks
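The two detections named under continuous monitoring, impossible travel and a session token showing up from a new client (the stolen-session scenario described earlier), as an added example that is not Argus tooling. It runs over constructed sign-in events; field names, the 900 km/h threshold and the sample values are assumptions.

```python
import json
import math
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). Each carries the session
# the token was issued under, the client IP, a rough geolocation and the user agent.
SAMPLE_EVENTS = [
    '{"user":"j.doe","ts":"2024-03-01T09:00:00","ip":"198.51.100.7","lat":38.25,"lon":-85.76,"ua":"Edge/122","session":"s-1"}',
    '{"user":"j.doe","ts":"2024-03-01T09:20:00","ip":"198.51.100.7","lat":38.25,"lon":-85.76,"ua":"Edge/122","session":"s-1"}',
    '{"user":"j.doe","ts":"2024-03-01T09:35:00","ip":"203.0.113.9","lat":52.52,"lon":13.40,"ua":"curl/8.4","session":"s-1"}',
]

MAX_PLAUSIBLE_KMH = 900  # assumed threshold, roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def analyze(lines):
    """Return (user, session, reason) alerts for the given JSON sign-in lines, in order."""
    alerts = []
    last_by_user = {}   # user -> previous event, for the impossible-travel check
    fingerprint = {}    # session -> (ip, ua) seen when the session was first used
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        # A session token that was issued to one client and is now presented from
        # another IP/user agent is the signature of a stolen, replayed session.
        fp = (ev["ip"], ev["ua"])
        if fingerprint.setdefault(ev["session"], fp) != fp:
            alerts.append((ev["user"], ev["session"], "session token used from new client %s %s" % fp))
        prev = last_by_user.get(ev["user"])
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((ev["user"], ev["session"], "impossible travel: %.0f km in %.2f h" % (km, hours)))
        last_by_user[ev["user"]] = ev
    return alerts
```

The third event trips both rules: the same session id arrives from a different IP and user agent, and the user would have had to cover roughly 7,300 km in fifteen minutes.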
Your MFA Hardening Checklist
To reduce risk immediately:
Eliminate SMS-based MFA wherever possible
Enable number matching in your authenticator platform
Deploy FIDO2 security keys for high-risk users
Review cyber insurance requirements for MFA standards
Conduct a security assessment to identify identity and access vulnerabilities
Not sure if your current MFA setup would hold up?
Final Thought
MFA remains one of the most important security controls, but only when implemented correctly. Attackers have evolved beyond password guessing. They are exploiting gaps in how authentication is deployed and used. If your MFA strategy has not been updated in the past year, there is a good chance it is no longer aligned with today’s threats. The goal is not just to have MFA.
It is to have MFA that attackers cannot bypass.