← Blog

Why even MFA isn't bulletproof: the session-theft trick explained

Tenant Strike3 min read

Multi-factor authentication blocks most attacks, but a newer technique gets around it by stealing your logged-in session instead of your password. Here is how it works and why MFA still matters.

Multi-factor authentication is rightly held up as one of the best defenses you can have. It blocks the overwhelming majority of password-based attacks. But "blocks most" isn't "blocks all," and attackers have developed a technique that slips around it. Understanding it isn't a reason to doubt multi-factor authentication — it's a reason to know its limits and add the right backup.

The clever workaround

The attack is sometimes called adversary-in-the-middle. Instead of trying to steal your password and defeat your second step separately, it steals the result of a successful login: your session.

Here's how it plays out. You get a convincing phishing email and click the link. It takes you to what looks exactly like the real Microsoft sign-in page — but it's a fake page sitting in the middle, secretly relaying everything to and from the genuine Microsoft site in real time. You type your password; the fake page passes it through to the real one. Microsoft asks for your multi-factor authentication step; you provide it; the fake page passes that through too. From your side, you logged in successfully and nothing seemed wrong.

But when Microsoft confirms the login, it issues a small token — essentially a "this person is signed in" pass that keeps you from re-entering your password on every click. The attacker in the middle grabs that token. Now they can load it into their own browser and be you, already signed in, without ever needing your password or your multi-factor step again. They didn't beat the second factor; they let you complete it, then stole the pass it produced.

Why this isn't a reason to drop MFA

It's tempting to hear this and think multi-factor authentication is pointless. The opposite is true. The vast majority of attacks — credential stuffing, basic phishing, password spraying — are stopped cold by multi-factor authentication. This session-theft technique is more advanced, more effort, and far less common. Turning off your best, broadest defense because a narrower attack exists would be a serious mistake.

The lesson is that no single control is complete, and the strongest setups layer a few.

How to defend against session theft

A handful of measures specifically blunt this technique:

  1. Phishing-resistant multi-factor authentication. Hardware security keys and passkeys are designed so they only work on the genuine site — they won't hand over anything to a look-alike page in the middle. For your highest-value accounts, especially administrators, these defeat this attack directly.
  2. Don't reach login pages through links. The attack depends on getting you to a fake page. If you reach Microsoft 365 by typing the address yourself or using a saved bookmark, the middle page never gets its chance. Train the habit: never log in via a link in an email.
  3. Conditional access rules. Your Microsoft 365 can require that sign-ins come from a known device or a managed setup, which makes a stolen token far less useful to an attacker on their own machine.
  4. Watch for impossible sessions. Tools that flag a login from a strange location moments after a normal one can catch a hijacked session and shut it down.

The everyday version for your team is simple: even though you have multi-factor authentication, still don't click login links in emails, and still treat unexpected sign-in pages with suspicion. Multi-factor authentication is the seatbelt, not a reason to stop watching the road.

This is a good example of why "we turned multi-factor authentication on" is the start of the conversation, not the end. The configuration around it — which methods are allowed, whether the strongest options protect your admins, whether sign-ins are tied to known devices — is what determines how resistant you really are. Tenant Strike reads those Microsoft 365 settings in five minutes and shows, in plain English, where your defenses are solid and where a more advanced attack could still find room.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.