Multi-factor authentication is widely deployed across Microsoft 365 tenants, yet account compromise continues at scale.
This is not because MFA does not work. It is because attackers have largely stopped trying to defeat authentication itself.
Instead, they operate after authentication. Session tokens, OAuth grants, and quiet configuration changes inside mailboxes give attackers everything they need to persist without triggering obvious alerts. Over the last 18 months, Microsoft and third-party threat research have shown this pattern repeatedly. MFA is being bypassed without being broken.
This helps explains why organizations with strong password policies and universal MFA enforcement still experience business email compromise and lateral account abuse.
Business email compromise continues to be one of the most costliest cybercrime categories globally.
According to the FBI, BEC accounts for billions in reported losses each year, with most incidents tied to invoice fraud, wire transfer redirection, and vendor impersonation.
The attack sequence is consistent across industries:
This is not opportunistic phishing. It is deliberate, context-aware fraud that depends on prolonged access inside Microsoft 365 mailboxes.
That persistence, not credential theft, is exactly what modern MFA bypass techniques are designed to enable.
Adversary-in-the-middle phishing attacks proxy legitimate Microsoft sign-in flows in real time. Users authenticate successfully, complete MFA, and receive valid sessions tokens. Attackers capture those tokens and reuse them from another device or location.
At that point:
MFA protects the moment of sign-in. It does not protect the session that follows unless additional controls are in place.
OAuth consent phishing relies on users approving access for malicious applications that impersonate legitimate services. Once consent is granted, those applications gain API-level access to mail, files, and calendar data.
After consent is approved:
This attack path persists until enterprise application permissions are explicitly reviewing and revoked, which is why it often survives standard incident response steps.
Push-based MFA remains vulnerable to approval fatigue. Repeated prompts increase the likelihood of accidental approval, particularly during high-volume work periods or off-hours.
Microsoft guidance now treats number matching as a baseline control rather than an optional enhancement because it directly reduces unintended approvals without adding session complexity.
Once inside a tenant, attackers prioritize persistence and invisibility over speed. The goal is to stay present without disrupting normal activity or triggering security controls.
Common post-compromise action include:
These techniques allow attackers to remain embedded long enough to observe financial workflows and impersonate legitimate activity, rather than triggering signals that lead to immediate investigation.
These controls focus on where modern attacks actually succeed, not just how they begin.
Phishing-resistant authentication methods materially reduce exposure to adversary-in-the-middle attacks by removing browser-bound credentials from the authentication flow.
These methods include:
Authentication occurs outside the browser session, which prevents tokens from being replayed by phishing infrastructure even after successful user interaction.
Conditional Access Token Protection binds Microsoft Entra session tokens to a specific device context. If a token is copied and replayed from another device or location, access fails.
This control targets session theft directly rather than attempting to stop the initial phishing event.
Risk-based access policies introduce automated intervention when sign-ins exhibit characteristics commonly associated with token theft or anonymized infrastructure.
This approach is effective at detecting:
Risk-based enforcement adds friction where it matters most, without treating all users or all sign-ins the same.
External auto-forwarding remains one of the most reliable BEC persistence mechanisms. Disabling it tenant-wide and granting scoped exceptions removes a low-visibility data exfiltration path that attackers consistently abuse.
Impersonation protection, Safe Links, and Safe Attachments reduces the volume of successful phishing attempts that reach inboxes. While these controls do not prevent MFA bypass on their own, they reduce exposure to the attack paths that leads to token theft and consent abuse.
OAuth abuse does not surface through mailbox rules or traditional email indicators. It persists at the application and token level.
Controls should include:
Effective app governance closes a persistence channel that standard account remediation does not address.
Push-based MFA remains susceptible to accidental approval under repeated prompting. Enforcing number matching, monitoring for repeated failed challenges, and limiting approval-only methods reduces fatigue-driven acceptance without adding unnecessary friction to legitimate access.
Security failures in Microsoft 365 are rarely caused by a single missing control. More often, they come from assumptions about where authentication ends and how trust is maintained afterward.
MFA remains foundational. But its effectiveness depends on what surrounds it. Modern attacks operate inside authenticated sessions, relying on stolen tokens, delegated access, and quiet persistence rather than credential misuse.
Organizations that design controls with these realities in mind, prioritizing session integrity, consent governance, and post-authentication visibility, reduce both the likelihood and impact of compromise without adding unnecessary complexity to their environments.
Interested in understanding how these risks apply to your Microsoft 365 environment or learning more about our Security Assessment? The Sourcepass MCOE team can help you identify gaps across sessions, tokens, and OAuth access.