The "Silver Bullet" Myth: How Hackers Bypass MFA to Hijack Your Email
By echoudhury77, Apr 16

For years, Multi-Factor Authentication (MFA) has been touted as the "unhackable" shield for business email. We’ve been told that even if a hacker has your password, they can’t get in without that second "key" on your phone.
But in 2026, that shield is showing cracks. Hackers aren't "breaking" MFA; they are simply walking around it. Here is how they do it.
1. Adversary-in-the-Middle (AiTM) Phishing
This is the most sophisticated method currently dominating the landscape. Unlike old-school phishing pages that just steal passwords, AiTM uses a "reverse proxy."
The Trap: You click a link in a convincing email (like a "shared document" or "HR update").
The Proxy: You land on a page that looks exactly like your Microsoft 365 or Google login. It’s not a copy; the hacker’s server is literally "mirroring" the real login page to you in real-time.
The Theft: You enter your password and your MFA code. The hacker’s proxy passes these to the real website, lets you log in, but grabs your session cookie on the way back.
With that cookie, the hacker doesn’t need your password or MFA ever again—they can just "paste" it into their own browser and they are you.
2. MFA Fatigue (The "Push Bombing" Attack)
Sometimes, the simplest path is just being annoying. If an attacker has your password, they will trigger MFA push notifications to your phone—repeatedly.
The Tactic: They might send 50 notifications at 3:00 AM.
The Result: Exhausted, confused, or just wanting the buzzing to stop, many users eventually hit "Approve" just to clear their screen.
The Twist: Some hackers even follow up with a fake "IT Support" text or call, claiming they are "testing the system" and asking you to "just hit accept on the next prompt."
3. Session Hijacking via Infostealers
Hackers don't always need to trick you into a fake login. If they can get a small piece of malware (an "Infostealer") onto your computer—often hidden in a "free" software download or a malicious email attachment—they can go straight for the gold.
Most modern browsers stay logged into your email by storing session tokens. Infostealer malware simply zips up these token files and sends them to the hacker. They then "import" your session into their browser, bypassing the login screen (and the MFA prompt) entirely.
4. Consent Phishing (OAuth Abuse)
This is a "passwordless" attack. You receive a prompt asking you to "Grant Permissions" to a new app—perhaps something that looks like a "Meeting Scheduler" or "File Viewer."
When you click "Accept," you aren't giving away a password; you are granting a third-party application the right to access your inbox, read your contacts, and send emails on your behalf. Because you "consented," no MFA is triggered for the app's ongoing access.
How to Fight Back
If standard MFA isn't enough, what is?
Phishing-Resistant MFA: Move away from SMS and simple "Push" notifications. Use FIDO2 hardware keys (like YubiKeys) or Passkeys. The credential is bound to the real site's origin, so it will not authenticate to a proxy sitting on a look-alike domain, which defeats the AiTM attack described above.
Token Binding: Implement security policies that "bind" a session token to a specific device. If a hacker steals your cookie and tries to use it on their laptop, the server will reject it.
Conditional Access: Set up rules that block logins from "impossible travel" (e.g., logging in from New York and then 10 minutes later from Eastern Europe).
User Training: Like our friend Brian in the video, employees need to know that high pressure + an unexpected MFA prompt = a red flag.
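To make the "impossible travel" rule above concrete, here is an added example (not code from the article or from Firestorm Cyber) that runs the check over a few constructed sign-in records; the speed threshold, the 50 km jitter filter and the sample coordinates are assumptions for illustration.

```python
# Added example: flag consecutive sign-ins by the same user that would require
# travelling faster than an airliner. Input records are constructed for this demo.
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner speed

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str               # label only, used in the alert text

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of
    consecutive sign-ins that implies travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < 50:   # same metro area / geo-IP jitter: ignore (assumed cutoff)
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            kmh = dist / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, prev.city, cur.city, kmh))
    return alerts

# Constructed sample: the article's "New York, then Eastern Europe 10 minutes later",
# plus a plausible London -> New York trip eight hours apart that must NOT alert.
SAMPLE = [
    SignIn("brian", datetime(2026, 4, 16, 3, 0), 40.71, -74.01, "New York"),
    SignIn("brian", datetime(2026, 4, 16, 3, 10), 44.43, 26.10, "Bucharest"),
    SignIn("alice", datetime(2026, 4, 16, 9, 0), 51.51, -0.13, "London"),
    SignIn("alice", datetime(2026, 4, 16, 17, 0), 40.71, -74.01, "New York"),
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE):
        print(f"ALERT {user}: {a} -> {b} implies ~{kmh:.0f} km/h")
```

In production the same logic runs over the identity provider's sign-in log, and a hit should trigger a step-up or session revocation rather than only an alert.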
The Bottom Line: MFA is still essential, but it is no longer a "set it and forget it" solution. Security in 2026 requires looking beyond the login and protecting the session itself.
Want to see if your team is vulnerable? Firestorm Cyber offers real-world phishing simulations to help your "Bobs" stay one step ahead of the hackers.