Microsoft 365 MFA-Bypass Schemes: Protecting Your Business

Multi-factor authentication (MFA) is a critical layer of protection for online business accounts. MFA is a system that uses various methods to confirm a user’s identity — typically involving something the user knows, like a password, and something the user has, like a physical device.

However, none of the levels of MFA, even FIDO security keys, provide 100% protection from phishing attacks aiming to steal user information.

An email account breach first reported in August 2022 that Microsoft warned about later last year has been compromising Microsoft 365 accounts at an increasing rate. It is sometimes referred to as “session cookie theft.”

According to a report from IBM Security, ‘Cost of a Data Breach Report 2022,’ the average time to detect a data breach in 2022 was 207 days. An attacker often goes undetected for months before they make a costly strike.

How a Bypass Breach Can Happen

Someone in an organization receives a phishing email and clicks a link that directs them to a fake website that requests their Microsoft 365 credentials. The link could be to a SharePoint file, for example.

The cybercriminals have set up a middle (proxy) server between the user’s computer and Microsoft’s servers.

When the attack victim enters their credentials, the computer in the middle relays the username and password to Microsoft, and the normal MFA process occurs.

  1. Entering the code from an authenticator app works as expected.
  2. The normal cookie process takes place. Microsoft’s servers send a session cookie back to the user.

However, cybercriminals can intercept the cookie and add it to one of their computers. This gets them into the user’s email account without a username or password.

A session cookie is a text file that gets users back into their Microsoft 365 account without re-authenticating during the same browser session. A persistent cookie, invoked by the “Keep me signed in” option, gets a user back into their account even after closing a browser tab or rebooting their computer.

Session cookie theft for MFA bypass

Once the attackers have full access to an email account, they add a new Authenticator app or MFA device to the user’s Microsoft account for ongoing access.

They then scan emails and files for the biggest financial fraud opportunities. They can connect an email client to the Microsoft server and pull down all the user’s emails.

For good measure, they’ll search for the phishing email that triggered the breach and trash it to remove the evidence.

Cybercriminals often send new phishing emails to the compromised user’s contacts. To the recipients, these emails appear to come from a “trusted source.”

Mitigating the Risks With Conditional Access

Conditional Access is a licensed product available from Microsoft. It extends an organization’s security perimeter beyond a network perimeter to include user and device identity security.

It allows your MSP or IT team to use identity-driven signals in access control decisions.

At Fortis, we have developed a specific baseline configuration to bolster security and reduce the risk from MFA bypass and man-in-the-middle mechanisms. This configuration includes:

  • Location-specific login blocking
  • Fortis managed user account monitoring for indications of compromise
  • Blocking of legacy authentication protocols
  • Blocking of risky sign-in behaviors
  • Required multifactor authentication

Other Ways to Mitigate the MFA Bypass Risks

Ultimately, phishing attacks are only successful if someone clicks a link in a fraudulent email. However, it’s been increasingly difficult for users to separate the real from the fake.


Raise awareness with your employees to be diligent when receiving emails, even from known customers or contacts, to properly scrutinize the email before clicking any links. All suspicious emails must be reported to your MSP or IT team using the “Report Phishing” link in Outlook or Outlook Web Access.


Require employees to complete all Security Awareness Training (SAT) videos offered by your MSP or IT department.

Session Cookies

To clear session cookies when closing a tab, people can use “Incognito” mode in Chrome, “Private” mode in Firefox, or “InPrivate” mode in Edge browsers when using Outlook Web Access.

To avoid getting session cookies in the first place, a user can set the incognito mode to “Block all cookies.” However, this setting can be very inconvenient to the user.

Your Business IT Needs. Our Expertise.

Let’s discuss a tailored path to IT success

Private Cloud Data Center