How MFA is Being Bypassed in Microsoft 365

Multi-factor authentication is widely deployed across Microsoft 365 tenants, yet account compromise continues at scale. 

This is not because MFA does not work. It is because attackers have largely stopped trying to defeat authentication itself. 

Instead, they operate after authentication. Session tokens, OAuth grants, and quiet configuration changes inside mailboxes give attackers everything they need to persist without triggering obvious alerts. Over the last 18 months, Microsoft and third-party threat research have shown this pattern repeatedly. MFA is being bypassed without being broken. 

This helps explains why organizations with strong password policies and universal MFA enforcement still experience business email compromise and lateral account abuse. 

Business Email Compromise Remains a High-Impact Risk 

Business email compromise continues to be one of the most costliest cybercrime categories globally. 

According to the FBI, BEC accounts for billions in reported losses each year, with most incidents tied to invoice fraud, wire transfer redirection, and vendor impersonation. 

The attack sequence is consistent across industries: 

• A user mailbox is compromised
• The attacker remains inactive to avoid detection
• Existing email threads and financial workflows are quietly monitored
• Legitimate conversations are hijacked at the moment of payment or approval

This is not opportunistic phishing. It is deliberate, context-aware fraud that depends on prolonged access inside Microsoft 365 mailboxes. 

That persistence, not credential theft, is exactly what modern MFA bypass techniques are designed to enable. 

Why MFA Alone Does Not Stop Modern Microsoft 365 Attacks 

Session Theft Enables MFA Bypass Without Credential Theft 

Adversary-in-the-middle phishing attacks proxy legitimate Microsoft sign-in flows in real time. Users authenticate successfully, complete MFA, and receive valid sessions tokens. Attackers capture those tokens and reuse them from another device or location. 

At that point: 

• Passwords are no longer required
• MFA challenges are not triggered again
• Sign-ins appear successful and legitimate in logs

MFA protects the moment of sign-in. It does not protect the session that follows unless additional controls are in place. 

OAuth Consent Attacks Create Persistent Access Paths

OAuth consent phishing relies on users approving access for malicious applications that impersonate legitimate services. Once consent is granted, those applications gain API-level access to mail, files, and calendar data. 

After consent is approved: 

• Password resets do not revoke access
• MFA re-registration does not remove access
• Mailbox rules and user behavior may appear unchanged

This attack path persists until enterprise application permissions are explicitly reviewing and revoked, which is why it often survives standard incident response steps. 

MFA Fatigue Still Works at Scale 

Push-based MFA remains vulnerable to approval fatigue. Repeated prompts increase the likelihood of accidental approval, particularly during high-volume work periods or off-hours. 

Microsoft guidance now treats number matching as a baseline control rather than an optional enhancement because it directly reduces unintended approvals without adding session complexity. 

What Attackers Do After Access Is Gained 

Once inside a tenant, attackers prioritize persistence and invisibility over speed. The goal is to stay present without disrupting normal activity or triggering security controls. 

Common post-compromise action include: 

• Mailbox rules created to suppress security notifications or hide specific users
• External auto-forwarding configured for quiet, ongoing data exfiltration
• Additional authentication methods added to maintain independent access
• OAuth applications registered to preserve long-term control

These techniques allow attackers to remain embedded long enough to observe financial workflows and impersonate legitimate activity, rather than triggering signals that lead to immediate investigation. 

Microsoft 365 Security Baseline for Modern Identity and Token-Based Attacks

These controls focus on where modern attacks actually succeed, not just how they begin. 

Adopt Phishing-Resistant Authentication

Phishing-resistant authentication methods materially reduce exposure to adversary-in-the-middle attacks by removing browser-bound credentials from the authentication flow. 

These methods include: 

• FIDO2 security keys
• Windows Hello for Business
• Certificate-based authentication
• Passkeys

Authentication occurs outside the browser session, which prevents tokens from being replayed by phishing infrastructure even after successful user interaction. 

Bind Session Tokens to Devices with Conditional Access

Conditional Access Token Protection binds Microsoft Entra session tokens to a specific device context. If a token is copied and replayed from another device or location, access fails. 

This control targets session theft directly rather than attempting to stop the initial phishing event. 

Apply Risk-Based Access Controls in Entra ID Protection

Risk-based access policies introduce automated intervention when sign-ins exhibit characteristics commonly associated with token theft or anonymized infrastructure. 

This approach is effective at detecting: 

• Session reuse from unfamiliar environments 
• Atypical sign-in behavior that completes successfully
• Access patterns that would otherwise appear legitimate in logs

Risk-based enforcement adds friction where it matters most, without treating all users or all sign-ins the same. 

Remove External Auto-Forwarding as a Default Capability 

External auto-forwarding remains one of the most reliable BEC persistence mechanisms. Disabling it tenant-wide and granting scoped exceptions removes a low-visibility data exfiltration path that attackers consistently abuse. 

Strengthen Defender for Office 365 Email Protections

Impersonation protection, Safe Links, and Safe Attachments reduces the volume of successful phishing attempts that reach inboxes. While these controls do not prevent MFA bypass on their own, they reduce exposure to the attack paths that leads to token theft and consent abuse. 

Control OAuth Consent and Govern Enterprise Applications

OAuth abuse does not surface through mailbox rules or traditional email indicators. It persists at the application and token level. 

Controls should include: 

• Restricting user consent to verified publishers and low-risk scopes
• Requiring administrative approval for broad or persistent permissions
• Regular review of enterprise applications with defined ownership and removal criteria

Effective app governance closes a persistence channel that standard account remediation does not address. 

Remove Conditions that Enable MFA Fatigue

Push-based MFA remains susceptible to accidental approval under repeated prompting. Enforcing number matching, monitoring for repeated failed challenges, and limiting approval-only methods reduces fatigue-driven acceptance without adding unnecessary friction to legitimate access. 

Security failures in Microsoft 365 are rarely caused by a single missing control. More often, they come from assumptions about where authentication ends and how trust is maintained afterward. 

MFA remains foundational. But its effectiveness depends on what surrounds it. Modern attacks operate inside authenticated sessions, relying on stolen tokens, delegated access, and quiet persistence rather than credential misuse. 

Organizations that design controls with these realities in mind, prioritizing session integrity, consent governance, and post-authentication visibility, reduce both the likelihood and impact of compromise without adding unnecessary complexity to their environments. 

Interested in understanding how these risks apply to your Microsoft 365 environment or learning more about our Security Assessment? The Sourcepass MCOE team can help you identify gaps across sessions, tokens, and OAuth access.