
The most dangerous assumption in enterprise security today is that “we have MFA, so we’re covered.” Multi-factor authentication still matters, but the way many organizations deploy it—especially in regulated environments—has become predictable, interrupt-driven, and easy to exploit. Attackers have adapted to the human and operational realities of modern MFA. They don’t need to break encryption. They need to break routines. And increasingly, they succeed.

Why This Threat Is Accelerating Now

This pattern shows up across regulated business operations, which is why it belongs in Threat Intelligence discussions—not as a niche identity problem, but as an operational risk that changes how money moves, how systems are accessed, and how incidents unfold. MFA adoption has surged in law, finance, insurance, real estate, and healthcare for understandable reasons: auditors expect it, insurers ask about it, and regulators treat it as a baseline control. But the “checkbox” approach—turn on push notifications and move on—creates a false sense of maturity. Push-based MFA is convenient for users and cheap to deploy, which is precisely why it has become a primary target.

In operational terms, MFA can function like a guardrail or like a speed bump. When it becomes a speed bump—too frequent, too interruptive, too easy to approve on muscle memory—it stops serving as a security control and becomes a friction tax. Attackers exploit that friction. They understand that high-velocity work environments produce approval fatigue, and approval fatigue produces mistakes.

What “MFA Fatigue” Attacks Are, in Plain Language

MFA fatigue—also known as push bombing or prompt bombing—is a method where an attacker triggers repeated MFA prompts on a user’s device until the user approves one. The attacker typically already has the user’s password (from phishing, credential stuffing, or a prior breach). Once they have the password, they attempt logins repeatedly. Each attempt sends a push notification: “Approve sign-in?”

The goal is not technical sophistication. It is psychological pressure. After ten, twenty, or fifty prompts—often at the end of a long day, during travel, or while a user is in a meeting—some users will approve just to make it stop. Others will approve because the prompt arrives at a moment when they are attempting a legitimate login, creating confusion about which request is real. In a regulated business where email access can authorize wires, disbursements, or sensitive document sharing, one mistaken approval is all it takes.

The Four Primary MFA Bypass Methods Executives Should Know

Attackers rarely rely on a single technique. They combine methods based on the target’s controls, staff behavior, and response time. The most common bypass pathways fall into four categories: push fatigue, adversary-in-the-middle proxy attacks, SIM swapping, and help desk social engineering. For boards and executive teams, this sits squarely in the intersection of cyber risk and governance—exactly the lens typically reserved for an Executive Briefs conversation, because the failure mode is not “a tool didn’t work,” it’s “a process assumed trust that no longer exists.”

1) Push Bombing: Turning “Approve” into a Reflex

Push bombing works because it targets the human interface of authentication. A push prompt is designed for convenience. It assumes the user can reliably distinguish legitimate prompts from malicious ones. In practice, repeated prompts create decision fatigue and normalize approvals. This is especially potent in environments with frequent re-authentication—remote access, cloud email, case management platforms, virtual desktops, and line-of-business applications that time out aggressively.

In regulated industries, the operational pressure is constant: closings, filings, claims processing, patient throughput, end-of-month reconciliations. Under those conditions, users optimize for continuity. Attackers optimize for interruption. The collision favors the attacker.

2) Adversary-in-the-Middle Proxy Attacks: “EvilGinx-Style” MFA Bypass

Where push bombing exploits fatigue, adversary-in-the-middle (AiTM) proxy attacks exploit architecture. In these attacks, the victim is directed to a convincing login page controlled by the attacker. The page is not merely a fake form that steals credentials. It is a live proxy that relays the victim’s login to the real service in real time.

Here’s the key executive takeaway: with an AiTM proxy, the attacker can capture not only the password, but also the session token that proves the user completed MFA. Once the attacker has the token, they can often access the account without needing to trigger MFA again—because the system trusts the session. This is why organizations can experience an account takeover even though “MFA was enabled” and the user “never approved a prompt.” The user did complete MFA—just through a compromised conduit.

AiTM attacks are particularly effective against organizations that rely on push notifications or one-time passcodes. They are less effective against phishing-resistant MFA methods that cryptographically bind authentication to the legitimate site.

3) SIM Swapping: Stealing the Second Factor Itself

SIM swapping targets the dependency many organizations still have on SMS-based authentication or phone number recovery. An attacker convinces a mobile carrier to transfer a victim’s phone number to a SIM under attacker control. Once successful, the attacker can receive SMS codes and calls meant for the victim. They can also trigger password resets that route through text messages.

This method remains relevant because phone numbers are often treated as identity anchors across ecosystems. Even when an organization uses an authenticator app, a phone number can still be leveraged for account recovery. For regulated firms, this is not an edge case. Many help desk workflows and “break glass” recovery processes still rely on phone-based verification because it is easy to operationalize. Ease, again, becomes the weakness.

4) Help Desk Social Engineering: The Soft Target Inside Strong Controls

When attackers cannot bypass MFA through the user, they increasingly target the support layer. They impersonate employees, claim they lost a phone, insist they are locked out before a critical deadline, and pressure help desk personnel to reset credentials or re-enroll MFA.

This is not hypothetical. Identity-focused threat groups have demonstrated how effective these tactics are at scale. One of the most discussed examples is the Scattered Spider ecosystem, which has been associated with social engineering, MFA fatigue tactics, and help desk manipulation. CISA and partners published an updated advisory on Scattered Spider on July 29, 2025, emphasizing how modern intrusions often begin with identity compromise rather than malware.

For executives, the lesson is structural: the strength of your authentication program is constrained by your enrollment and recovery processes. If a determined attacker can talk their way through recovery, MFA becomes an obstacle, not a barrier.

Why Regulated Industries Are Uniquely Exposed

Regulated organizations often adopt MFA under compliance pressure. That pressure can produce a narrow definition of success: “MFA is turned on.” What is less frequently evaluated is whether the chosen MFA method resists the modern attack techniques described above. Push approvals and SMS codes can satisfy a requirement on paper while remaining vulnerable in practice. This is why MFA strategy belongs in Compliance & Risk planning: controls must be defensible not just to an auditor’s checklist, but against foreseeable, well-documented attack patterns.

There are also operational realities that make regulated sectors attractive. Title and real estate firms move money quickly and routinely. Law firms hold privileged data that can be extorted. Financial institutions manage identity data and high-value transactions. Healthcare environments operate with urgency and complex access patterns. In each case, attackers can monetize access rapidly—either through direct financial fraud or through extortion tied to sensitive data.

Finally, regulated industries often have a challenging mix of legacy systems and modern cloud services. That hybrid posture increases the number of login surfaces and the number of exceptions, which increases the number of opportunities to exploit MFA workflows.

A Real-World Pattern: Scattered Spider and the Identity-First Intrusion

Threat intelligence over the last several years has repeatedly reinforced a central theme: many high-impact incidents start with identity. Scattered Spider is frequently cited because it illustrates how attackers can blend social engineering, MFA fatigue, and help desk manipulation into an operationally repeatable playbook.

Importantly, this is not solely a “big tech” problem. The techniques scale down. If your organization relies on human approval of push prompts, if your help desk can override enrollment with limited friction, or if your recovery paths depend on phone numbers, the methods apply. The attacker does not need a zero-day. They need a process gap.

What “Phishing-Resistant MFA” Actually Means

There is a meaningful distinction between MFA and phishing-resistant MFA. Phishing-resistant methods—such as FIDO2/WebAuthn and hardware security keys—make it substantially harder for attackers to reuse captured credentials or tokens because authentication is bound to the legitimate service. In other words, even if a user is tricked into visiting a malicious site, the authentication mechanism won’t complete in a way the attacker can replay.

CISA has published practical, executive-relevant guidance on how to implement phishing-resistant MFA in real organizations. That guidance is worth treating as a baseline reference point, not an aspirational future-state document, because it aligns closely with what attackers are doing today (see CISA’s official guidance on implementing phishing-resistant MFA).
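To make “bound to the legitimate service” concrete, the following added example (written for this page, not code from the article, from CISA, or from any WebAuthn library) simulates the relying-party side of a WebAuthn sign-in and shows why an AiTM proxy cannot relay a passkey the way it relays a password or one-time code. The relying party name portal.example.com and the look-alike proxy host portal-example.test are constructed; the browser/authenticator behaviour is simplified (the browser records the calling page’s origin and hashes that page’s domain as the rpId), and signature verification is deliberately omitted, since the point here is the origin and rpIdHash checks.

```python
import base64
import hashlib
import json
import os
from typing import Dict, Tuple
from urllib.parse import urlparse

# Relying party (RP) identity. Hostname is constructed for this example.
RP_ID = "portal.example.com"
RP_ORIGIN = "https://portal.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, challenge: bytes) -> Dict[str, str]:
    """Simulate the browser + authenticator side of a WebAuthn 'get' ceremony.

    The browser writes the origin of the page that called navigator.credentials.get()
    into clientDataJSON, and only permits an rpId that is a registrable suffix of that
    page's host. A proxy page at a look-alike host therefore produces an assertion that
    carries the proxy's origin and rpIdHash, not the real service's, regardless of what
    the proxy relays in either direction.
    """
    rp_id = urlparse(page_origin).hostname
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
    flags = 0x01  # UP bit: user presence confirmed
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(auth_data),
    }


def verify_assertion(assertion: Dict[str, str], expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks (a subset of the WebAuthn verification steps).

    Signature verification over authenticatorData || sha256(clientDataJSON) is omitted
    to keep the example self-contained; in a real deployment it is what makes the
    fields checked below tamper-evident.
    """
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r} is not {RP_ORIGIN}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    challenge = os.urandom(32)
    legit = make_assertion(RP_ORIGIN, challenge)
    # An AiTM proxy at a look-alike host relays the genuine challenge to the victim's
    # browser, but the browser still records the proxy's origin.
    proxied = make_assertion("https://portal-example.test", challenge)
    return {
        "legitimate": verify_assertion(legit, challenge),
        "aitm_proxy": verify_assertion(proxied, challenge),
        # A captured genuine assertion cannot be replayed against a fresh challenge either.
        "replayed": verify_assertion(legit, os.urandom(32)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11s} accepted={ok} ({reason})")
```

The contrast with push or OTP methods is that there the relying party receives nothing that says where the user typed the code, so a proxy can forward it unchanged; here the origin is written by the browser, not by the page, and the relying party rejects anything that was not minted for its own origin.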

Practical Defensive Moves That Hold Up Under Real Attack

Executives and compliance leaders don’t need a technical manual; they need a defensible posture. The following measures materially reduce risk and are increasingly expected by insurers and sophisticated auditors.

First, prioritize phishing-resistant MFA (FIDO2/WebAuthn, hardware security keys, or device-bound passkeys where appropriate) for high-risk roles: executives, finance, IT administrators, and anyone who can initiate or approve money movement. If you cannot deploy across the entire organization immediately, deploy where compromise creates outsized loss.

Second, use number matching as an interim step if push-based MFA remains in place. Number matching changes the interaction from a reflexive tap to an intentional decision, reducing accidental approvals and complicating automated prompt bombing. It is not a perfect solution, but it is a measurable improvement.

Third, strengthen adaptive or conditional access policies. Treat logins as risk events, not binary successes. High-risk signals—new device, impossible travel, unusual IP reputation, anomalous geo-velocity, atypical access time—should trigger additional verification or outright blocks. This is where many “checkbox” MFA deployments fall short: MFA is enabled, but access policy remains permissive.
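As an added example that is not part of the original article, the script below shows what “treat logins as risk events” can look like for the prompt-bombing pattern described earlier (a burst of denied or timed-out pushes followed by an approval) combined with one of the signals named above (an approval from a country the user has never signed in from). The log format, the usernames, the IP addresses, the ten-minute window and the threshold of four prompts are all constructed for the example; a real deployment would read these events from the identity provider’s sign-in log rather than from an inline string.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

WINDOW = timedelta(minutes=10)   # look-back used to count prompts per user
THRESHOLD = 4                    # unapproved prompts in WINDOW before it counts as a flood

# Countries each user normally signs in from (constructed baseline for the example).
KNOWN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}

# Constructed sample sign-in events in a made-up key=value format (not real log data).
# jdoe receives five prompts in a few minutes and finally approves one from a new country.
SAMPLE_LOG = """\
2025-07-29T18:02:11Z user=jdoe event=mfa_push result=denied ip=198.51.100.7 country=NL
2025-07-29T18:02:40Z user=jdoe event=mfa_push result=timeout ip=198.51.100.7 country=NL
2025-07-29T18:03:15Z user=jdoe event=mfa_push result=denied ip=198.51.100.7 country=NL
2025-07-29T18:04:02Z user=jdoe event=mfa_push result=timeout ip=198.51.100.7 country=NL
2025-07-29T18:05:30Z user=jdoe event=mfa_push result=denied ip=198.51.100.7 country=NL
2025-07-29T18:09:55Z user=jdoe event=mfa_push result=approved ip=198.51.100.7 country=NL
2025-07-29T18:10:02Z user=jdoe event=signin result=success ip=198.51.100.7 country=NL
2025-07-29T09:15:00Z user=asmith event=mfa_push result=approved ip=192.0.2.10 country=US
2025-07-29T09:15:04Z user=asmith event=signin result=success ip=192.0.2.10 country=US
"""


def parse_line(line: str) -> Dict[str, object]:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str) -> List[Dict[str, object]]:
    """Return alerts for push floods, approvals after a flood, and approvals from new countries."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # user -> unapproved prompts in WINDOW
    alerts: List[Dict[str, object]] = []

    def alert(user: str, ts: datetime, severity: str, reason: str) -> None:
        alerts.append({"user": user, "ts": ts, "severity": severity, "reason": reason})

    for e in events:
        if e["event"] != "mfa_push":
            continue
        user, ts = str(e["user"]), e["ts"]
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop prompts that fell out of the window
            q.popleft()
        if e["result"] in ("denied", "timeout"):
            q.append(ts)
            if len(q) == THRESHOLD:        # fire once per flood, not on every extra prompt
                alert(user, ts, "medium", f"{THRESHOLD} unapproved push prompts within {WINDOW}")
        elif e["result"] == "approved":
            if len(q) >= THRESHOLD:
                alert(user, ts, "high", f"approval after {len(q)} unapproved prompts; possible MFA fatigue")
                q.clear()
            if e["country"] not in KNOWN_COUNTRIES.get(user, set()):
                alert(user, ts, "medium", f"approval from unusual country {e['country']}")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['severity']:6s} {a['user']:7s} {a['reason']}")
```

The high-severity alert is the one that should drive an automated response such as revoking the fresh session and forcing re-enrollment review, because by the time it fires the attacker already holds a valid password and has just been granted a session; the medium alerts are the earlier warning that a flood is under way, which is the moment to contact the user through a known-good channel.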

Fourth, harden help desk processes. Require stronger identity proofing for MFA resets and enrollment changes, especially for privileged users. Put guardrails around urgent requests. Implement call-back procedures using known-good numbers. Consider requiring managerial approval for changes to high-risk accounts. This is governance, not inconvenience—because the attack path is governance failure.

Fifth, train specifically for prompt bombing. Generic security awareness training tends to emphasize phishing links and suspicious attachments. Users also need clear guidance for MFA anomalies: what a prompt bombing pattern looks like, how to report it, and what “never approve an unexpected prompt” means operationally. Training should include the organizational response—so employees know reporting won’t stall their work indefinitely.

Forward Look: Why Waiting for an Incident Is the Wrong Trigger

Attackers are already operating beyond legacy MFA. The question is not whether your organization uses MFA, but whether your MFA methods are resilient to modern bypass techniques. MFA fatigue attacks, AiTM proxies, SIM swapping, and help desk social engineering are not edge cases—they are mainstream tactics because they work.

Regulated organizations are judged not only by the presence of controls, but by the reasonableness of those controls under foreseeable threat. Identity is now the primary battleground. Moving beyond legacy MFA is not an upgrade project for next quarter. It is an operational integrity decision that belongs on today’s risk agenda.

By Thomas McDonald