Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

AD1.2 MFA: What It Actually Protects Against

5-6 hours · Module 1 · Free
Operational Objective
MFA is often presented as a silver bullet — enable it and your accounts are safe. That's dangerously incomplete. MFA stops credential-based attacks where the attacker only has the password. It does NOT stop adversary-in-the-middle attacks where the attacker captures the fully authenticated session token, SIM swap attacks that redirect phone-based verification, or MFA fatigue attacks where the user is socially engineered into approving a malicious prompt. An IT administrator deploying MFA needs to understand both what it protects against (which is enormous) and what it doesn't (which informs the additional controls you need). This subsection gives you the honest, complete picture.
Deliverable: Clear understanding of the five attack types MFA stops, the three attack types MFA does not stop, and the additional controls (conditional access, phishing-resistant methods) that cover the gaps.
Estimated completion: 30 minutes
MFA: WHAT IT STOPS AND WHAT IT DOESN'TMFA STOPS THESE (99.9%)✓ Password spray — common passwords tried across accounts✓ Credential stuffing — breach database passwords reused✓ Basic phishing — user enters password on fake login page✓ Brute force — automated password guessing✓ Keylogger capture — malware records password keystrokesThese are 95%+ of credential attacksin the wild. MFA makes them all fail.Deploy MFA for all users. No exceptions.MFA DOESN'T STOP THESE✗ AiTM proxy — attacker captures session token AFTER MFA✗ Token theft — attacker steals browser cookie or PRT✗ SIM swap — attacker redirects phone-based MFA to their phone✗ MFA fatigue — user approves repeated push out of frustration✗ Consent phishing — user grants OAuth app access (no creds needed)These require: conditional access (device compliance),phishing-resistant MFA (FIDO2), or app consent policiesMFA is necessary. It is not sufficient.

Figure AD1.2 — MFA effectiveness by attack type. MFA eliminates 99.9% of commodity credential attacks (the left column). Advanced attacks that bypass MFA (the right column) require additional controls — conditional access with device compliance, phishing-resistant MFA methods, and application consent policies. This module builds both layers.

The attacks MFA stops cold

Password spraying, credential stuffing, basic phishing, brute force, and keylogger-captured passwords all share one characteristic: the attacker ends up with a valid password but nothing else. MFA requires a second factor — something the user has (their phone, a security key) — that the attacker doesn’t possess. The authentication fails because the attacker can enter the password but can’t complete the MFA challenge.

This covers the overwhelming majority of credential attacks in the wild. Microsoft’s data shows that 99.2% of compromised accounts did not have MFA enabled. When you look at the attacks that succeed against M365 tenants, the pattern is consistent: the attacker had a password (from spraying, stuffing, or phishing) and the account had no MFA requirement. MFA would have stopped every one of these.

The practical implication is stark. If your tenant has accounts without MFA enforcement, those accounts are 99.9% more likely to be compromised than accounts with MFA. Not “slightly more at risk.” Not “somewhat more vulnerable.” Nearly a thousand times more likely. This is why MFA for all users is not a recommendation — it’s a requirement.

The attacks that bypass MFA — and what to do about each

Understanding what MFA doesn’t stop is equally important, because it tells you which additional controls to deploy and prevents the false confidence that comes from treating MFA as complete protection.

Adversary-in-the-middle (AiTM) proxy phishing is the most common MFA bypass in 2025-2026. The attacker sets up a reverse proxy between the user and Microsoft’s real login page. The user authenticates normally — entering their password and completing MFA — but the proxy captures the session token that Microsoft issues after successful authentication. The attacker then replays that token from their own device, bypassing MFA entirely because the token already has MFA satisfaction baked in.

The defense against AiTM is conditional access with device compliance. A conditional access policy that requires a managed/compliant device checks the device identity, not just the user identity. The attacker’s device isn’t enrolled in your Intune tenant, so the conditional access policy blocks the session even though the credentials and MFA were valid. You’ll build this policy in AD1.4.

For organisations with E5 licensing or an Entra ID P2 add-on, phishing-resistant MFA methods (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) provide additional protection. These methods are cryptographically bound to the legitimate login page — a FIDO2 key won’t respond to a proxy page because the domain doesn’t match. For E3 environments, the device compliance conditional access policy is the practical defense.

Token theft occurs when an attacker steals a session token or Primary Refresh Token (PRT) from an already-authenticated device — through malware, browser exploitation, or physical access. The stolen token lets the attacker authenticate as the user without needing the password or MFA. The defense is conditional access with continuous access evaluation (CAE), which re-validates tokens against policy changes in near-real-time, and sign-in risk policies that detect token replay from new locations.

SIM swapping targets phone-based MFA methods (SMS codes, voice calls). The attacker convinces the mobile carrier to transfer the victim’s phone number to a new SIM card, then receives the MFA codes. The defense is using app-based MFA (Microsoft Authenticator) or hardware tokens (FIDO2) instead of SMS/voice. Microsoft Authenticator push notifications with number matching are not vulnerable to SIM swapping because the notification goes to the Authenticator app on the registered device, not to the phone number.

MFA fatigue exploits push-based MFA by triggering repeated push notifications until the user approves one. The defense is number matching — enabled by default since May 2023 — which requires the user to type a number displayed on the sign-in screen into the Authenticator app. Blindly tapping “Approve” doesn’t work because the user must enter the correct number.

Expand for Deeper Context

The AiTM attack is worth understanding in detail because it’s the technique that changed the MFA conversation. Before AiTM toolkits became widely available (2022-2023), MFA was effectively a complete defense against credential-based attacks. The 99.9% figure was accurate and sufficient. AiTM didn’t reduce MFA’s effectiveness against commodity attacks — it created a new class of attack that renders MFA irrelevant for targeted campaigns.

The attacker uses frameworks like EvilGinx, Modlishka, or custom toolkits to create a reverse proxy that sits between the user and Microsoft’s actual login page. From the user’s perspective, everything looks legitimate — they see the real Microsoft login page, enter their real credentials, and complete their real MFA challenge. The proxy relays everything to Microsoft, receives the authenticated session token, and stores it. The user lands on the real M365 portal and continues working normally. They have no indication that anything went wrong.

The attacker now has a fully authenticated session token that they can use from any device, any location. This token typically lasts 1 hour (access token) to 90 days (refresh token). The attacker can use it immediately or hold it for later use. When they use it, the sign-in log shows “MFA satisfied by claim” — meaning the MFA was completed during the original session and the token carries that satisfaction forward. No MFA challenge is triggered on token replay.

This is why conditional access with device compliance matters. The token itself is valid, but the device presenting it is not enrolled in Intune. A conditional access policy that requires a compliant device blocks the attacker’s session regardless of the token’s validity. The attacker would need to compromise both the user’s credentials AND a managed device — a significantly harder attack.

Choosing the right MFA method

Not all MFA methods provide equal protection. Here’s the hierarchy from strongest to most vulnerable, along with the practical considerations for each.

FIDO2 security keys (strongest) are phishing-resistant — they cryptographically verify the domain and won’t respond to proxy pages. They require no phone, no battery, no network connection. The downside is cost ($20-50 per key) and physical distribution. Best for: administrator accounts, high-value targets, shared workstations without phone access.

Windows Hello for Business (strong) uses biometrics (fingerprint, face) or PIN tied to the TPM chip. It’s phishing-resistant and seamless for the user. The downside is it only works on Windows devices with compatible hardware. Best for: organisations with standardised Windows hardware.

Microsoft Authenticator with number matching (good) uses push notifications where the user must type a number displayed on the sign-in screen. Not phishing-resistant (an AiTM proxy passes the number through), but resistant to MFA fatigue and SIM swapping. This is the practical default for most organisations — free, easy to deploy, and effective against 99%+ of attacks. Best for: all users as the baseline method.

Authenticator app TOTP (good) generates a 6-digit time-based code. Requires the user to open the app and type the code. Slightly more friction than push, but works offline and doesn’t require push notification infrastructure. Best for: users with limited connectivity.

SMS/Voice (weakest MFA method) sends a code via text message or phone call. Vulnerable to SIM swapping and SS7 interception. Still vastly better than no MFA, but should be used as a fallback, not the primary method. Best for: users who absolutely cannot use any other method.

For NE’s deployment, the recommendation is: Microsoft Authenticator with number matching as the default for all users, FIDO2 security keys for the Global Administrator accounts and break-glass accounts, and SMS as a fallback method only for users who can’t install the Authenticator app.

Compliance Myth: "SMS-based MFA is not real MFA and shouldn't count"
SMS MFA is weaker than app-based or hardware-based MFA, but it's dramatically better than no MFA at all. An account with SMS MFA is 99.9% less likely to be compromised than an account without any MFA. Dismissing SMS as "not real MFA" creates a false equivalence between SMS MFA and no MFA — which is dangerous because it gives organisations an excuse to delay MFA deployment while they plan the "perfect" rollout with FIDO2 keys. Deploy SMS MFA today if that's what you can do today. Upgrade to Authenticator app next week. Upgrade to FIDO2 for admins next month. Progress beats perfection.

What AiTM looks like in your sign-in logs

When you investigate a potential AiTM attack, here are the specific fields to check in the Entra sign-in log.

Look for a successful sign-in where the “MFA requirement” shows “Satisfied by claim” rather than “Satisfied by MFA on this sign-in.” “Satisfied by claim” means the session token already had MFA baked in — which is normal for returning sessions but suspicious for a first sign-in from a new IP address. An initial sign-in from an unknown IP with “MFA satisfied by claim” is the signature of a replayed AiTM token.

Check the “Device info” tab. If the sign-in shows a device that isn’t enrolled in Intune and the user has a corporate device, the sign-in likely came from the attacker’s machine. Legitimate users signing in from their corporate laptop show a device ID that matches Intune enrollment. Attackers replaying tokens show a device ID that doesn’t exist in your tenant.

Check the “Location” and “IP address” fields. AiTM attacks often originate from VPN exit nodes or cloud hosting providers. IP addresses from AWS, Azure, DigitalOcean, or known VPN services on a first sign-in for a user who normally signs in from your office network warrant investigation.

These are the checks you’ll perform in the 15-minute emergency response procedure (AD1.9). Understanding them now means you’ll recognise the pattern when you see it in production.

Decision point

You’re deploying MFA to NE’s 210 users. The Authenticator app is the primary method. Seven users report they don’t have smartphones — three are manufacturing floor workers using shared workstations, two are senior engineers who refuse to install work apps on personal devices, and two are temporary contractors. How do you handle each group?

Option A: Exempt all seven from MFA until a solution is found.

Option B: Provide FIDO2 security keys for the shared workstation users and senior engineers. Assign temporary access passes for the contractors with a 90-day expiration matching their contract.

Option C: Allow SMS-based MFA as a fallback for all seven.

The correct answer is Option B. Exempting users from MFA creates permanent gaps that attackers will find and exploit. SMS is better than nothing but shouldn’t be the primary method when better alternatives exist. FIDO2 keys solve the smartphone problem completely — they’re small, durable, and require no app installation. For the manufacturing floor workers, a FIDO2 key stays on their keychain or in a drawer at the shared workstation. For the engineers who refuse to install apps, a FIDO2 key attached to their laptop bag requires no personal device involvement. For temporary contractors, a temporary access pass provides time-limited access that expires automatically when their contract ends, and you can issue FIDO2 keys if their contract extends.

Try it: Audit your current MFA methods

Navigate to entra.microsoft.com → Protection → Authentication methods → Activity → Usage. This report shows which MFA methods your users have registered and which they’re actively using.

Check the distribution. If the majority of your users are using “Phone (SMS)” or “Phone (call),” your MFA deployment is functional but using the weakest methods. If the majority are using “Microsoft Authenticator” with push notifications, you’re in a stronger position.

Now navigate to Protection → Authentication methods → Policies. Review which methods are enabled for your tenant. If “SMS” and “Voice call” are enabled, consider whether you can disable them for most users and enable them only as a last resort. The fewer weak methods available, the less likely users will register with them.

For your administrator accounts specifically, navigate to Users → select an admin account → Authentication methods. Verify that admin accounts are using Authenticator app or FIDO2 — never SMS. Admin accounts are the highest-value targets and should always use the strongest available MFA method.

A user reports that they received a Microsoft sign-in notification on their Authenticator app but they weren't trying to sign in. The notification shows number matching and asks them to type "47." What should you advise the user?
Type 47 and approve the sign-in — it's probably a delayed notification from an earlier session — No. Never approve an MFA prompt you didn't initiate. A delayed notification from a legitimate session would have already expired. An unexpected prompt means someone has the user's password and is actively trying to sign in.
Deny the notification and ignore it — it was probably a one-time glitch — Partially correct but incomplete. Denying the notification is the right first step, but ignoring it means you don't investigate how the attacker obtained the password. A single unexpected MFA prompt means the user's password is compromised.
Tell the user to change their password from their current session — Good instinct but not the full response. The user should change their password, but you should also check the sign-in log for the failed MFA attempt, identify the source IP, and determine how the password was compromised (breach database, phishing, weak password).
Tell the user to deny the prompt, immediately reset their password from the admin center, revoke their sessions, and check the sign-in log for the source IP of the attempted sign-in — Correct. An unexpected MFA prompt means the password is compromised right now. The attacker is actively trying to authenticate. Deny + reset + revoke + investigate. The sign-in log will show where the attempt came from and whether any attempts succeeded before the user noticed.
Operational Artifact — MFA Method Selection Guide
Use the MFA method hierarchy when planning your deployment: FIDO2 keys for admin accounts and shared workstations, Authenticator app with number matching for all standard users, SMS only as a last-resort fallback for users who cannot use any other method. Document the method assigned to each user category so your deployment is consistent and you can track coverage. When auditing MFA health, check not just whether MFA is enabled but which method each user is using — 100% MFA adoption with 60% on SMS is weaker than 95% adoption with 95% on Authenticator.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →