State-of-the-art phishing: MFA bypass and planning for the next generation of attacks


Passwords are no longer enough, and now even multi-factor authentication (MFA) is being bypassed. Attackers intercept SMS codes, relay one-time codes from authenticator apps before they expire, and capture session cookies to slip past MFA protections unnoticed. What was once seen as a strong defence is now actively targeted by advanced phishing campaigns.

A new generation of phishing kits uses “adversary-in-the-middle” (AiTM) techniques: the phishing site is a reverse proxy that relays the entire login flow to the real service. Victims see the genuine login pages and believe they are signing in securely, but the attacker is silently forwarding their credentials and MFA codes to the real service and capturing the session cookie it issues, hijacking the authenticated session in real time.

As Rafik Kattoum, Infrastructure Manager at Penta, cautions, “The industry cannot afford to treat MFA as a final layer of protection. It is vital to plan for what happens when that layer is breached.”


MFA Under Attack: Common Bypass Techniques

  • SMS Interception — Attackers obtain one-time passcodes sent by text message, through SIM-swapping, malware on the handset, or simply by having the victim type the code into a phishing page that relays it.
  • Authenticator App Code Relay — Phishing sites (and occasionally malicious apps) trick users into entering a time-based one-time password (TOTP). The code is correct, but the attacker forwards it to the real service inside its validity window (typically 30 seconds), so it authenticates the attacker’s session rather than the user’s.
  • Session Cookie Hijacking — AiTM kits capture the session cookie issued after a successful login, i.e. after MFA has already been satisfied, letting attackers replay it and impersonate the user without needing credentials or a second factor again.


What to Do Next: Strengthening MFA in the Age of Phishing

Even though attackers are finding new ways to bypass MFA, there are practical steps organisations can take to stay resilient:

  • Adopt phishing-resistant MFA. Use hardware security keys or built-in device authenticators based on FIDO2/WebAuthn, or smartcards, instead of SMS or app codes. A WebAuthn credential is bound to the site’s origin: the browser only signs a challenge for the domain the credential was registered on, and the service checks the origin and RP ID inside the signed assertion, so a proxy on a lookalike domain cannot obtain a usable one.
  • Limit session lifetimes. Shorten token validity and require re-authentication for high-risk actions. A stolen cookie stays valid until it expires or is revoked, so session lifetime is the ceiling on how long a hijacked session can be used.
  • Monitor for session hijacking. Use behavioural analytics and anomaly detection to spot impossible travel, a session used from a different IP address, network or user agent than the one it was issued to, and session activity originating from hosting-provider address space.
  • Harden mobile devices. Educate users about SIM-swapping risks, enforce mobile OS updates, and encourage the use of authenticator apps instead of SMS where hardware keys aren’t available.
  • Train and test regularly. Run phishing simulations and security awareness programs to keep employees alert to real-world tactics.
  • Adopt zero trust principles. Assume compromise is possible and enforce continuous verification, least-privilege access, and strong network segmentation.
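The following Python is an added example written for this article, not the author’s own code or any vendor’s, to make the bypass list and the first recommendation concrete: a TOTP code typed into a phishing page is accepted when relayed seconds later because nothing in the check depends on where the user typed it, whereas a WebAuthn assertion produced on a lookalike origin fails the relying party’s origin and RP ID checks. The shared secret, challenge and domain names are constructed, and the signature verification step is omitted (noted in the code) because the example carries no key material.

```python
"""Added example (not the article's own code): why a relayed TOTP code
passes but a relayed WebAuthn assertion does not. Secret, challenge and
origins below are constructed for the example; stdlib only."""
import base64
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238: HMAC-SHA1, 6 digits, 30 s step) ----------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_verify(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    # Servers accept +/- skew steps for clock drift. Nothing here depends on
    # who presents the code or which site the user typed it into.
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew, skew + 1))

# --- WebAuthn: checks the relying party (RP) makes on an assertion --------
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, rp_id: str,
                     allowed_origins: set) -> tuple:
    """Structural steps of the WebAuthn assertion verification procedure.
    A real RP must also verify the signature over
    authenticatorData || SHA-256(clientDataJSON) with the stored public key;
    that step is omitted here because the example carries no key material."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge"                 # stale or replayed challenge
    if cd.get("origin") not in allowed_origins:
        return False, "origin"                    # the check that defeats AiTM
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    if not authenticator_data[32] & 0x01:         # UP flag: user was present
        return False, "flags"
    return True, "ok"

# Helpers that build what a browser/authenticator would hand to the RP.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + struct.pack(">I", counter)

def demo() -> dict:
    # 1. TOTP: the victim types the code into the phishing page at T; the
    #    proxy forwards it to the real service two seconds later.
    secret = b"constructed-shared-secret"
    now = 1_700_000_000
    code = totp(secret, now)
    totp_relay_accepted = totp_verify(secret, code, now + 2)

    # 2. WebAuthn: the RP issued this challenge for its own origin.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    rp_id, origin = "example.com", "https://login.example.com"
    legit = verify_assertion(make_client_data(origin, challenge),
                             make_authenticator_data(rp_id),
                             challenge, rp_id, {origin})
    # Through an AiTM proxy the browser is on the lookalike origin: the signed
    # clientData names that origin, and the browser refuses an rpId that is
    # not a suffix of the page's domain, so the kit is stuck with its own RP ID.
    # The proxy can relay the genuine challenge, yet the origin check fails.
    phish_origin, phish_rp = "https://login.examp1e.com", "examp1e.com"
    proxied = verify_assertion(make_client_data(phish_origin, challenge),
                               make_authenticator_data(phish_rp),
                               challenge, rp_id, {origin})
    return {"totp_relay_accepted": totp_relay_accepted,
            "webauthn_legit": legit, "webauthn_proxied": proxied}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the relayed TOTP accepted and the proxied WebAuthn assertion rejected on the origin check; the RFC 6238 test vector (secret `12345678901234567890`, T = 59, 8 digits) yields `94287082` with this `totp`, which is a quick way to confirm the implementation before reusing it.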

By recognising that passwords and basic MFA alone are no longer enough, organisations can build layered defences that anticipate attacker innovation – and stay one step ahead.
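As an added example of the monitoring recommendation above (example code written for this article, not the author’s or any product’s), the script below runs session-hijack detection over a handful of constructed identity-provider log lines. It records the IP, network and user agent at login, then flags later requests on the same session cookie that arrive from a different network or user agent, from hosting-provider address space, or from another country sooner than a person could travel there. The log lines, the IP-to-country/ASN table and the one-hour travel threshold are all constructed for the example; a real pipeline would read the IdP or proxy logs and a GeoIP/ASN database.

```python
"""Added example (not the article's own code): flag a session cookie that is
being used from somewhere other than where it was issued. The log lines and
the IP-to-geo/ASN table are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a GeoIP + ASN lookup (documentation prefixes only):
# prefix -> (country, ASN, network kind).
GEO = {
    ipaddress.ip_network("203.0.113.0/24"):  ("GB", "AS64500", "broadband"),
    ipaddress.ip_network("192.0.2.0/24"):    ("GB", "AS64502", "mobile"),
    ipaddress.ip_network("198.51.100.0/24"): ("NL", "AS64501", "hosting"),
}

# Constructed IdP log: s1 is an AiTM victim whose cookie is replayed from a
# hosting provider; s2 is a phone hopping addresses inside its carrier's network.
LOG = """\
2024-05-02T09:00:00Z login   sid=s1 user=alice ip=203.0.113.10 ua=Chrome/124
2024-05-02T09:05:00Z request sid=s1 user=alice ip=203.0.113.10 ua=Chrome/124
2024-05-02T09:06:30Z request sid=s1 user=alice ip=198.51.100.7 ua=python-requests/2.31
2024-05-02T09:10:00Z login   sid=s2 user=bob   ip=192.0.2.4 ua=Firefox/125
2024-05-02T09:12:00Z request sid=s2 user=bob   ip=192.0.2.5 ua=Firefox/125
"""

# Assumed threshold: the same session seen in two countries inside this
# window is treated as impossible travel.
TRAVEL_WINDOW = timedelta(hours=1)

@dataclass
class Event:
    ts: datetime
    kind: str
    sid: str
    user: str
    ip: str
    ua: str

def geo(ip: str) -> tuple:
    addr = ipaddress.ip_address(ip)
    for net, info in GEO.items():
        if addr in net:
            return info
    return ("??", "unknown", "unknown")

def parse(line: str) -> Event:
    ts, kind, *rest = line.split()
    fields = dict(part.split("=", 1) for part in rest)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind,
                 fields["sid"], fields["user"], fields["ip"], fields["ua"])

def detect(log_text: str) -> list:
    """Return (sid, timestamp, reasons) for every request that looks like a
    replayed cookie. The login is the baseline; each later request on the
    same session is compared with it and with the previous request."""
    issued, last, alerts = {}, {}, []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.kind == "login":
            issued[ev.sid] = last[ev.sid] = ev
            continue
        origin, prev = issued.get(ev.sid), last.get(ev.sid)
        if origin is None:
            # Cookie in use with no login on record in the window: worth a look.
            alerts.append((ev.sid, ev.ts, {"session_never_issued"}))
            last[ev.sid] = ev
            continue
        reasons = set()
        country, asn, kind = geo(ev.ip)
        if ev.ua != origin.ua:
            reasons.add("user_agent_changed")
        if asn != geo(origin.ip)[1]:
            reasons.add("asn_changed")            # noisy on its own: wifi <-> mobile
        if kind == "hosting":
            reasons.add("hosting_provider_source")
        if country != geo(prev.ip)[0] and ev.ts - prev.ts < TRAVEL_WINDOW:
            reasons.add("impossible_travel")
        if reasons:
            alerts.append((ev.sid, ev.ts, reasons))
        last[ev.sid] = ev
    return alerts

if __name__ == "__main__":
    for sid, ts, reasons in detect(LOG):
        print(f"{ts.isoformat()} session {sid}: {', '.join(sorted(reasons))}")
```

On the constructed log only `s1` is flagged, with all four reasons; `s2` changes address inside one carrier network and stays quiet. In production, treat an ASN change alone as low confidence (mobile users trigger it constantly) and escalate on the combination of a user-agent change, a hosting-provider source and impossible travel, which is the signature a replayed AiTM cookie leaves.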

Phishing is no longer just about tricking users into giving up a password – it is now about undermining the very safeguards designed to replace passwords. Organisations that rely solely on MFA as a security panacea risk being caught off guard. Instead, a holistic strategy that combines phishing-resistant technologies, adaptive monitoring, and rehearsed response plans will be essential to withstand the next generation of attacks.


Johan Blaix

Manager - Service & Client Relationship

Johan Blaix is a cyber strategist focused on emerging threats, digital risk, and the future of secure infrastructure. With a background in security operations and years of experience advising financial organisations, Johan helps bridge the gap between complex technical research and practical business insight. His work explores how attackers adapt, how defenders can stay one step ahead, and why resilience matters just as much as prevention.
