In today’s digital world, using strong passwords and enabling multi-factor authentication (MFA) is considered essential for protecting your online accounts. But what if that still isn't enough?
You may be surprised to learn that cybercriminals can bypass MFA protections by tricking users into visiting malicious websites. In this blog post, we'll break down how attackers do this—using tools freely available online—and what you can do to stay safer.
Note: This information is for educational purposes only.
The following scenario was performed in a secure lab environment to demonstrate how these attacks work so you can better defend against them.
The Attack in Action: A Step-by-Step Breakdown
1. The Phishing Email
The attack begins with a carefully crafted phishing email. The victim receives a message prompting her to log into her Microsoft Office 365 account. Unaware of the threat, she clicks the link.
2. The Fake Login Page
The link leads to a malicious server that sits between the user and the real service. When the victim visits the fake domain, the malicious server fetches the real login page from Microsoft and forwards it to her, so she believes she is on the genuine site. As the victim enters her username and password, the attacker's server captures the credentials in real time.
3. MFA Prompt and Cookie Theft
Next, the victim is prompted to enter her MFA code from an authenticator app. She enters the code, thinking everything is normal. Because the proxy relays the code to the real service, the login succeeds and the service issues session cookies, the small pieces of data that websites use to keep users logged in. Behind the scenes, the attacker's man-in-the-middle proxy captures those cookies on their way back to the victim.
4. Hijacking the Session
With the stolen cookies in hand, the attacker opens a new browser session and injects those cookies using a browser plugin. After refreshing the page, the attacker is fully logged into the victim's account, without needing the password or MFA code.
Why MFA Isn’t Foolproof
This attack illustrates a key weakness in MFA: it protects against unauthorized logins, but not if the attacker can hijack your session after you authenticate. As long as the attacker can act as an invisible proxy between you and the real website, they can steal both your login and your active session.
How to Protect Yourself
- Never click on suspicious links. Be cautious with emails or messages urging you to log in quickly or click on links. When in doubt, navigate to the site manually.
- Use phishing-resistant MFA. FIDO2 (Fast Identity Online) security keys (e.g., YubiKey) and passkeys offer additional protection by binding the login to a physical device and verifying the website you are connecting to. This makes it significantly harder for attackers to silently insert themselves between you and the legitimate website.
- Enable session monitoring and alerts. Some services offer notifications when your account is accessed from a new location or device. Enable these whenever possible.
- Educate your team. Phishing is a social engineering attack. Regular security training can drastically reduce the chances of someone falling for a scam.
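To make the "session monitoring" item concrete, here is an added example (not code from the original post) of the check a service could run over its own login and request logs: it binds each session id to the client that completed the login and alerts when the same session id later arrives from a different client, which is exactly the pattern left by the cookie-injection step described above. The JSON log lines and their field names are constructed for this illustration and do not follow any vendor's real schema.

```javascript
// Added example (not code from the original post): detect a session cookie
// being presented from a different client than the one it was issued to,
// which is what a hijacked session looks like in server logs.
// The log lines below are constructed for illustration; the field names
// (type, session, ip, ua) are assumptions, not any vendor's real schema.
const SAMPLE_LOG = `
{"ts":"2024-05-01T09:00:00Z","type":"login","session":"s1","ip":"203.0.113.10","ua":"Firefox/125","mfa":true}
{"ts":"2024-05-01T09:02:00Z","type":"request","session":"s1","ip":"203.0.113.10","ua":"Firefox/125"}
{"ts":"2024-05-01T09:03:00Z","type":"login","session":"s2","ip":"192.0.2.44","ua":"Safari/17","mfa":true}
{"ts":"2024-05-01T09:04:00Z","type":"request","session":"s2","ip":"192.0.2.44","ua":"Safari/17"}
{"ts":"2024-05-01T09:07:00Z","type":"request","session":"s1","ip":"198.51.100.7","ua":"Chrome/124"}
{"ts":"2024-05-01T09:08:00Z","type":"request","session":"s9","ip":"198.51.100.7","ua":"Chrome/124"}
`;

// Parse JSON-lines log text into event objects, skipping blank lines.
function parseLog(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line));
}

// Bind each session id to the client (ip, user-agent) seen at login and
// raise an alert whenever the same session id later arrives from a
// different client, or when a session id appears that no login ever issued.
function detectSessionAnomalies(events) {
  const bindings = new Map(); // session id -> client seen at login
  const alerts = [];
  for (const e of events) {
    if (e.type === "login") {
      bindings.set(e.session, { ip: e.ip, ua: e.ua, since: e.ts });
      continue;
    }
    const bound = bindings.get(e.session);
    if (!bound) {
      alerts.push({ session: e.session, ts: e.ts, reason: "session id never issued by a login" });
      continue;
    }
    const reasons = [];
    if (e.ip !== bound.ip) reasons.push(`ip changed ${bound.ip} -> ${e.ip}`);
    if (e.ua !== bound.ua) reasons.push(`user-agent changed ${bound.ua} -> ${e.ua}`);
    if (reasons.length > 0) {
      alerts.push({ session: e.session, ts: e.ts, reason: reasons.join("; ") });
    }
  }
  return alerts;
}

// Stand-alone run: print every alert found in the constructed log.
if (typeof require !== "undefined" && require.main === module) {
  for (const a of detectSessionAnomalies(parseLog(SAMPLE_LOG))) {
    console.log(`ALERT ${a.ts} session=${a.session}: ${a.reason}`);
  }
}
```

IP and user-agent changes also happen for legitimate reasons (mobile networks, VPNs, browser updates), so a hit is a signal to step up, for instance by requiring re-authentication for that session, rather than an automatic lockout. The important property is that the check runs on the server side, where the attacker's replayed cookie has to show up.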
Final Thoughts
Multi-factor authentication is still a crucial layer of defense, but it’s not invincible. As shown in this demonstration, attackers can exploit users with sophisticated phishing tools that look and feel legitimate.
The best protection is a combination of technology and awareness. Stay vigilant, and when in doubt, don’t click.
If you found this helpful, feel free to share it with your colleagues. Stay safe out there!
FAQ
- Do not click links in suspicious emails
- Check URLs carefully (look for https and the correct domain)
- Do not enter personal data on insecure websites
- Enable antivirus and browser protection
- Use multi-factor authentication (MFA)
- Change passwords regularly and use strong passwords
Multi-Factor Authentication (MFA) is a security process where users must provide two or more different types of authentication information to confirm their identity when logging in. This increases account security.
Common authentication factors are:
- Knowledge factor (something the user knows), e.g., password, PIN
- Possession factor (something the user has), e.g., smartphone with authenticator app, hardware token, SMS code
- Inherence factor (something the user is), e.g., fingerprint, facial recognition
Phishing-resistant MFA is an advanced authentication method designed to prevent credential theft through phishing attacks.
Even if an attacker obtains the username and password, they cannot access the account without the second authentication factor.
Features:
- Use of hardware security keys (e.g., FIDO2/WebAuthn)
- Based on public-key cryptography instead of just SMS or one-time passwords (OTP)
- Prevents attackers from stealing the second factor via fake websites
In short, phishing-resistant MFA significantly enhances account security and is especially effective against phishing attacks.
What is FIDO2?
FIDO2 is an open authentication standard that enables passwordless or more secure multi-factor authentication using strong public-key cryptography.
It was developed jointly by the FIDO Alliance and W3C and mainly consists of two components:
- WebAuthn (Web Authentication API): a standardized interface between browsers and servers
- CTAP (Client to Authenticator Protocol): a communication protocol between devices (e.g., security keys or biometric devices) and the browser
FIDO2 allows users to authenticate with hardware security keys (USB, NFC, Bluetooth) or biometric features (fingerprint, facial recognition) without relying on traditional passwords. This greatly improves account security and effectively prevents phishing attacks.
A Man-in-the-Middle Proxy (MITM Proxy) is a tool or technique where an attacker intercepts, monitors, or manipulates communication between two parties (e.g., user and server).
In brief:
- The attacker positions themselves as an intermediary, pretending to both parties that they are communicating directly with each other.
- The proxy can capture, record, or alter data such as passwords, messages, or files.
- This often occurs in insecure Wi-Fi networks, compromised routers, or via malware on the device.
MITM proxies are also used by security experts to test system vulnerabilities.
Session cookies are small pieces of data temporarily stored on a user’s device to maintain state during a browser session. They help websites recognize users during visits, e.g., to keep login status or shopping cart contents.
Characteristics:
- Stored only temporarily and deleted after closing the browser
- Mainly serve session management and user identification
- Do not store long-term personal data
Security keys (e.g., YubiKey) are physical hardware devices used for multi-factor authentication (MFA) to increase account security. Users insert or wirelessly connect the device during login to confirm their identity.
These keys often support standards like FIDO U2F and FIDO2 and effectively protect against phishing attacks and account takeovers.
YubiKey is a well-known example of such a security key. It is small, supports various connection methods like USB and NFC, and is widely used to protect online accounts.
Passkeys are a modern, passwordless authentication method supported by major tech companies like Apple, Google, and Microsoft. They rely on public-key cryptography and replace traditional passwords with secure digital keys.
Features of passkeys:
- Stored locally on devices, e.g., smartphones or computers
- Use biometric data (fingerprint, facial recognition) or device PIN for approval
- Resistant to phishing because no passwords are transmitted
- Can be synchronized across devices for easy login
Passkeys greatly improve the security and usability of online sign-ins and are an important step toward a passwordless future.