April 2, 2026

How attackers are bypassing MFA using AI in 2026

MFA still blocks most automated attacks. But the new generation of AI-powered phishing tools does not send automated attacks. It runs real-time, human-speed session hijacking that MFA was never designed to stop.

For the better part of a decade, multi-factor authentication has been the security industry's universal recommendation. Enable MFA everywhere. It blocks 99% of automated attacks. It is the single most impactful thing you can do to protect your accounts.

That advice was correct. It still is, mostly. But the threat landscape has shifted underneath it, and a dangerous gap has opened between what MFA actually protects against and what many organizations believe it protects against. According to Cisco Talos, nearly half of all security incidents their team responded to in early 2024 involved MFA weaknesses, from users approving fraudulent push notifications to attackers stealing authenticated sessions in real time.

Attackers are no longer trying to guess your password or brute-force your second factor. They are stealing the entire authenticated session: the password, the MFA response, and the session cookie the service issues afterwards, in real time, while you watch your login succeed. And the tools to do this are now available as subscription services, priced lower than most business software.

The session is the new target

The most significant shift in how attackers defeat MFA is the rise of Adversary-in-the-Middle (AiTM) attacks. The concept is straightforward: instead of building a fake login page that captures your password and replays it later, the attacker places an invisible proxy between you and the real website.

You see the actual Microsoft or Google login page. You enter your real password. You complete the real MFA challenge on your phone. Everything works exactly as expected. But every interaction is being relayed through attacker-controlled infrastructure. The moment the legitimate site issues a session cookie, the attacker captures it and can use it to access the account as if they were the authenticated user, without needing to re-authenticate.

This is not a theoretical attack. Microsoft reported over 10,000 AiTM attacks per month targeting its users in 2024. By mid-2025, a single phishing-as-a-service platform called Tycoon 2FA accounted for roughly 62% of the phishing volume Microsoft blocked, including more than 30 million fraudulent emails in a single month. In early 2026, Microsoft, Europol, and partners dismantled the Tycoon 2FA network, but similar platforms continue to operate.

The economics tell the story. These are not bespoke tools built by nation-state hackers. They are commercial products sold on Telegram, with customer support and subscription pricing. Kits like EvilProxy, Tycoon 2FA, BlackForce, and others offer real-time MFA bypass as a feature, not a bug. Some cost as little as $200 to $300. For that price, an attacker with no technical skill can run a campaign that defeats the MFA protecting your corporate email.

AI supercharges every stage of the attack

What makes 2026 different from even two years ago is how AI has amplified the effectiveness of these attacks at every stage of the kill chain.

  • Reconnaissance is automated. Before launching a phishing campaign, attackers need to know who works at a company, what their responsibilities are, who they report to, and what systems they use. AI tools now scrape LinkedIn, company websites, and previously breached data to build detailed target profiles in seconds. What used to require hours of manual research happens automatically.
  • The lures are nearly perfect. Generative AI has removed the attacker's classic tradeoff between scale and quality. Previously, a convincing spear-phishing email took time to craft. Now, LLMs generate thousands of unique, hyper-personalized emails in minutes, with perfect grammar, context-appropriate urgency, and references to real projects, real colleagues, and real vendors. Published experiments on AI-generated spear phishing report click-through rates around 54%, against roughly 12% for generic phishing, and in some trials 60% of recipients fell for the AI-written lures.
  • Voice phishing scales with deepfakes. CrowdStrike observed a 442% increase in voice phishing (vishing) between early and late 2024. AI-generated voice clones can now mimic a specific person from just a few seconds of sample audio. Attackers call employees posing as IT support, walk them through a "security verification" on a phishing site, and capture their credentials and MFA tokens in real time. Okta published a threat advisory in early 2026 describing exactly this pattern: custom phishing kits designed to support live, caller-led attacks where the attacker controls what the victim sees in their browser while talking them through each step.
  • MFA fatigue gets smarter. The classic MFA fatigue attack, where an attacker who already has a password floods the victim's phone with push notifications hoping they will approve one out of frustration, was crude but effective. AI makes it more targeted. Attackers can now analyze when users are most likely to approve prompts without thinking and time their attacks accordingly.

Even phishing-resistant MFA is under pressure

The industry's response to AiTM attacks has been to push organizations toward phishing-resistant authentication: FIDO2 security keys and passkeys that use public-key cryptography bound to the legitimate service's domain. The browser writes the origin it is actually connected to, and a hash of the relying-party ID, into the data the authenticator signs. A proxy sitting on a look-alike domain therefore cannot obtain an assertion that the real service will accept, and the login fails. This is a meaningful upgrade and the right direction.
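The origin binding is easiest to see from the relying party's side. The following is an added example, not code from the page or from any vendor: a minimal Python reconstruction of the checks a WebAuthn relying party performs on an assertion before it verifies the signature (ceremony type, challenge, origin, rpIdHash, user-presence flag), run against constructed assertions for a hypothetical RP ID `login.example.com` and a hypothetical AiTM host `login.example-security.com`. The signature check against the credential's stored public key is deliberately left out; the point here is the binding that a proxy cannot satisfy.

```python
import base64
import hashlib
import json
import os
import struct

# Assumed relying-party identity for this example (hypothetical hostnames).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that precede signature verification. The browser
    fills in `origin` from the page it is on and hashes the RP ID it was given;
    both are covered by the authenticator's signature, so a proxy on another
    domain cannot forge them. Returns (accepted, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or foreign assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion made for a different RP ID"
    if not flags & 0x01:
        return False, "user-presence flag not set"
    user_verified = bool(flags & 0x04)
    return True, f"bound to {EXPECTED_ORIGIN} (UV={user_verified}, counter={sign_count})"


def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID,
                   flags: int = 0x05, counter: int = 7) -> tuple[bytes, bytes]:
    """Constructed stand-in for what browser + authenticator produce. No key or
    signature is involved; only the signed-over fields are modelled."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,           # written by the browser, not by the page
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", counter))
    return client_data, auth_data


def demo() -> dict[str, tuple[bool, str]]:
    challenge = os.urandom(32)      # fresh per login attempt, stored server-side
    results = {}
    # 1. Genuine login from the real origin.
    results["genuine"] = verify_binding(*make_assertion(EXPECTED_ORIGIN, challenge), challenge)
    # 2. Victim on an AiTM proxy at a look-alike host. The proxy relays the real
    #    challenge, but the browser stamps the proxy's origin and will only run
    #    the ceremony for the proxy's own RP ID, so both bindings are wrong.
    proxied = make_assertion("https://login.example-security.com", challenge,
                             rp_id="login.example-security.com")
    results["aitm_relay"] = verify_binding(*proxied, challenge)
    # 3. A captured genuine assertion replayed against a later login attempt.
    results["replay"] = verify_binding(*make_assertion(EXPECTED_ORIGIN, challenge), os.urandom(32))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

In practice the browser refuses to start the ceremony at all when the RP ID is not a registrable suffix of the page's origin, so a proxy on a look-alike domain usually never obtains an assertion; the server-side checks are the backstop for the cases where it does, and the challenge check is what stops a captured assertion from being replayed later.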

But attackers are already adapting.

The most common technique is the MFA downgrade attack. Most organizations that deploy passkeys or security keys still maintain fallback authentication methods: SMS codes, authenticator apps, or password reset flows. Attackers exploit this by steering the victim into the "sign in another way" or account-recovery path, so that the service itself offers a less secure method. If a user can reset their passkey by answering security questions or receiving an SMS code, the entire phishing-resistant chain is only as strong as its weakest fallback.

In mid-2025, a campaign dubbed PoisonSeed demonstrated an even more direct approach: attackers bypassed FIDO security keys at scale by abusing the cross-device (QR code) sign-in fallback that many passkey deployments support. The phishing page started a cross-device sign-in against the real service, took the QR code the service generated for that attacker-controlled login attempt, and displayed it to the victim. The victim scanned it with the authenticator on their phone, which completed the login for the attacker's session. Microsoft and Okta both issued emergency guidance recommending that organizations disable the QR fallback feature.

And there is a category of attack that phishing-resistant MFA cannot address at all: consent phishing. Instead of stealing credentials, attackers trick users into granting OAuth permissions to malicious applications through legitimate consent screens. Once a victim grants consent, the attacker's application receives access and refresh tokens that function independently of how the user authenticates. A password reset does not remove the consent grant. MFA does not protect the authorization layer. The tokens persist until someone notices and explicitly revokes the grant, which can take months.
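Finding these grants is an audit over data the identity provider already holds. Below is an added example, not code from the page or from any vendor: a Python triage of consent grants that flags the consent-phishing shape (mail or file scopes, `offline_access` for a refresh token, an unverified publisher). The scope names follow Microsoft Graph delegated-permission naming, the risk tiers are this example's own assumption, and the grant records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Scope names follow Microsoft Graph delegated-permission naming; the risk
# tiers below are this example's own assumption, not a vendor classification.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}
PERSISTENCE_SCOPE = "offline_access"   # a refresh token: access outlives the browser session


@dataclass
class ConsentGrant:
    app_name: str
    app_id: str
    publisher_verified: bool
    consent_type: str        # "Principal" (one user consented) or "AllPrincipals" (admin, tenant-wide)
    principal: str           # consenting user, or "-" for tenant-wide grants
    scopes: list[str]
    granted_on: datetime


@dataclass
class Finding:
    grant: ConsentGrant
    severity: str
    reasons: list[str] = field(default_factory=list)


def assess(grant: ConsentGrant, now: datetime) -> Optional[Finding]:
    """Score one grant. Mail/file scopes plus offline_access from an unverified
    publisher is the consent-phishing shape: durable access that no password
    reset or MFA prompt will interrupt."""
    risky = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    persistent = PERSISTENCE_SCOPE in grant.scopes
    reasons = []
    if risky:
        reasons.append(f"high-risk scopes: {', '.join(risky)}")
    if risky and persistent:
        reasons.append("offline_access: refresh token keeps working after the user signs out")
    if not grant.publisher_verified:
        reasons.append("publisher not verified")
    if grant.consent_type == "AllPrincipals" and risky:
        reasons.append("tenant-wide consent")
    if not reasons:
        return None
    if risky and persistent and not grant.publisher_verified:
        severity = "critical"
    elif risky:
        severity = "high"
    else:
        severity = "low"
    reasons.append(f"granted {(now - grant.granted_on).days} days ago")
    return Finding(grant, severity, reasons)


def audit(grants: list[ConsentGrant], now: datetime) -> list[Finding]:
    """Findings sorted for a revocation queue: worst first, then by app name."""
    order = {"critical": 0, "high": 1, "low": 2}
    findings = [f for g in grants if (f := assess(g, now)) is not None]
    return sorted(findings, key=lambda f: (order[f.severity], f.grant.app_name))


# Constructed sample grants; application names and IDs are made up.
SAMPLE_GRANTS = [
    ConsentGrant("Contoso Expense Portal", "app-0001", True, "AllPrincipals", "-",
                 ["User.Read", "openid", "profile"], datetime(2025, 1, 12, tzinfo=timezone.utc)),
    ConsentGrant("Mail Sync Helper", "app-0002", False, "Principal", "alice@example.com",
                 ["Mail.ReadWrite", "Mail.Send", "offline_access", "User.Read"],
                 datetime(2025, 11, 3, tzinfo=timezone.utc)),
    ConsentGrant("Whiteboard Tool", "app-0003", True, "Principal", "bob@example.com",
                 ["Files.ReadWrite.All", "offline_access"],
                 datetime(2025, 6, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, datetime.now(timezone.utc)):
        print(f"[{f.severity}] {f.grant.app_name} ({f.grant.consent_type}, {f.grant.principal}): "
              + "; ".join(f.reasons))
```

Removing a grant stops new tokens from being issued to that application; access tokens already in the attacker's hands run until they expire, which is one reason the token-lifetime advice later on this page matters.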

The gap between deployment and protection

The uncomfortable reality for security teams is that deploying MFA is no longer the finish line. It is a necessary baseline that provides meaningful protection against automated credential stuffing, brute force, and basic phishing. But against the current generation of attacks, the type of MFA and how it is configured matter far more than whether MFA is enabled.

Here is where the gaps typically appear:

  • Legacy fallbacks remain enabled. Organizations deploy FIDO2 for primary authentication but keep SMS codes or push notifications as backup options. Attackers find and target these fallback mechanisms. Every legacy method that remains active is an exploitable downgrade path.
  • Session management is an afterthought. MFA protects the authentication event but not the session that follows. If a session token can be stolen via AiTM and replayed from a different IP address and device without triggering re-authentication, the MFA was theater. Continuous session validation, including device binding, IP anomaly detection, and token lifetime limits, is where the real protection happens.
  • OAuth governance is missing. Most organizations have no visibility into which third-party applications their users have granted OAuth consent to, what permissions those applications hold, or whether any of them are malicious. The authorization layer operates independently of authentication controls, and it is largely ungoverned.
  • Training has not kept up. Security awareness programs still teach employees to look for misspelled words and suspicious sender addresses. In 2026, AI-generated phishing emails have perfect grammar, come from compromised legitimate accounts, and reference real internal context. The old heuristics no longer work. Training needs to shift from "spot the bad email" to "verify unusual requests through a separate channel, every time."
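The session-layer gap described above is visible in ordinary access logs if anyone compares a request with the context in which its session was minted. The following is an added example, not code from the page or from any product: a Python detector run over constructed log lines (documentation-range IP addresses, made-up users) that records the IP, country and browser at each MFA sign-in and flags the same session cookie reappearing from a different one, weighted by how soon after authentication it happens. The log format is this example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>signin|request)\s+(?P<kv>.+)$")


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    session: str
    ip: str
    country: str
    ua: str
    extra: dict = field(default_factory=dict)


@dataclass
class Alert:
    session: str
    user: str
    severity: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<ts> <kind> k=v k=v ...'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return Event(ts, m.group("kind"), kv.pop("user"), kv.pop("session"),
                 kv.pop("ip"), kv.pop("country"), kv.pop("ua"), kv)


def detect_hijacked_sessions(lines, window: timedelta = timedelta(minutes=30)) -> list[Alert]:
    """Compare each request with the context recorded when its session was
    minted. MFA vouched for that context once; a cookie that then shows up
    from another network, country or browser was not carried there by the
    user's browser. One alert per session."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    minted: dict[str, Event] = {}
    alerted: set[str] = set()
    alerts: list[Alert] = []
    for ev in events:
        if ev.kind == "signin":
            if ev.extra.get("mfa") == "ok":
                minted[ev.session] = ev
            continue
        if ev.session in alerted:
            continue
        origin = minted.get(ev.session)
        if origin is None:
            alerts.append(Alert(ev.session, ev.user, "high",
                                "request on a session with no recorded MFA sign-in"))
            alerted.add(ev.session)
            continue
        changed = [name for name, then, now in (("ip", origin.ip, ev.ip),
                                               ("country", origin.country, ev.country),
                                               ("ua", origin.ua, ev.ua)) if then != now]
        if not changed:
            continue
        elapsed = int((ev.ts - origin.ts).total_seconds())
        soon = ev.ts - origin.ts <= window
        if "country" in changed or "ua" in changed:
            severity = "high" if soon else "medium"
        else:
            severity = "medium" if soon else "low"   # IP-only drift: could be mobile roaming
        alerts.append(Alert(ev.session, ev.user, severity,
                            f"{'/'.join(changed)} changed {elapsed}s after sign-in: "
                            f"{origin.ip}/{origin.country}/{origin.ua} -> {ev.ip}/{ev.country}/{ev.ua}"))
        alerted.add(ev.session)
    return alerts


# Constructed sample log; addresses are from documentation ranges, names are made up.
SAMPLE_LOG = """\
2026-03-10T09:00:05Z signin user=alice session=s-41 ip=203.0.113.10 country=NL ua=Chrome/134 mfa=ok
2026-03-10T09:00:21Z request user=alice session=s-41 ip=203.0.113.10 country=NL ua=Chrome/134 path=/mail
2026-03-10T09:01:48Z request user=alice session=s-41 ip=198.51.100.77 country=US ua=Firefox/128 path=/mail/rules
2026-03-10T09:02:10Z request user=alice session=s-41 ip=198.51.100.77 country=US ua=Firefox/128 path=/mail/forwarding
2026-03-10T09:05:00Z signin user=bob session=s-42 ip=192.0.2.25 country=DE ua=Safari/18 mfa=ok
2026-03-10T09:06:30Z request user=bob session=s-42 ip=192.0.2.25 country=DE ua=Safari/18 path=/files
2026-03-10T09:07:00Z request user=carol session=s-99 ip=198.51.100.5 country=US ua=Chrome/134 path=/admin
2026-03-10T10:40:00Z request user=bob session=s-42 ip=192.0.2.88 country=DE ua=Safari/18 path=/files
"""

if __name__ == "__main__":
    for a in detect_hijacked_sessions(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity:6}] {a.user} {a.session}: {a.detail}")
```

On the sample, alice's cookie reappears from a different country and browser 103 seconds after her MFA sign-in, touching mail rules and forwarding, which is exactly the AiTM replay pattern; bob's IP-only change 95 minutes later is low severity; carol's session has no recorded sign-in at all. The rule set is deliberately simple; a real deployment would add ASN lookups and device-bound tokens, but the comparison against the minting context is the core of it.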

What to do now

None of this means MFA is pointless. It remains one of the most effective security controls available and should be enabled everywhere. But the conversation needs to move beyond "enable MFA" to "implement MFA correctly and complement it with layered defenses."

  • Migrate to phishing-resistant methods. Deploy FIDO2 security keys or passkeys for privileged accounts first, then expand to all users. Start with admin accounts, finance, and anyone with access to sensitive systems. This is not a future consideration. The attack tooling is already commoditized.
  • Eliminate all legacy fallbacks. Once phishing-resistant MFA is deployed, remove SMS, push notifications, and password-only recovery paths. A passkey deployment with an SMS fallback is not phishing-resistant. The fallback is the vulnerability.
  • Invest in session-layer security. Implement continuous access evaluation that monitors sessions after authentication. Bind sessions to devices. Flag and terminate sessions that show anomalous behavior, like a session cookie appearing from a new IP address or geography immediately after authentication.
  • Govern your OAuth surface. Audit which applications have OAuth consent from your users. Restrict user consent for high-risk permissions. Implement application review workflows. Monitor what applications actually do with their permissions, not just what permissions they requested.
  • Shorten token lifetimes. Long-lived tokens are a gift to attackers. Reduce access token expiration, enforce refresh token rotation, and implement mechanisms to revoke tokens when risk conditions change.
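The first two items above reduce to a question an identity team can answer from its own registration data: for each user, which weaker method could the sign-in or recovery flow still offer? Below is an added example, not code from the page or from any vendor, that ranks registered methods into tiers, computes each user's effective strength as the weakest path still open, lists the downgrade paths, and produces a remediation plan. The tiers are this example's own ranking, the method names are illustrative and only loosely modelled on what identity providers report, and the user records are constructed.

```python
from dataclasses import dataclass, replace

# The tiers are this example's own ranking. Method names are illustrative and
# only loosely modelled on what identity providers report as registered methods.
TIER = {
    "fido2SecurityKey": 3, "passkeyDeviceBound": 3, "platformAuthenticator": 3,
    "authenticatorPush": 2, "totp": 2,
    "sms": 1, "voiceCall": 1, "email": 1, "securityQuestions": 1,
}
TIER_NAME = {3: "phishing-resistant", 2: "mfa", 1: "weak", 0: "none"}


@dataclass
class User:
    upn: str
    methods: list[str]      # methods the sign-in flow can offer
    recovery: list[str]     # methods the account-recovery / reset flow accepts


def strongest(methods: list[str]) -> int:
    return max((TIER[m] for m in methods), default=0)


def effective_tier(user: User) -> int:
    """A flow that offers every registered method, plus the reset path, is only
    as strong as the weakest of them; that is the downgrade attack in one line."""
    return min((TIER[m] for m in user.methods + user.recovery), default=0)


def downgrade_paths(user: User) -> list[str]:
    """Registered or recovery methods weaker than the user's best method."""
    top = strongest(user.methods)
    return sorted({m for m in user.methods + user.recovery if TIER[m] < top})


def allowed_methods(user: User, required_tier: int) -> list[str]:
    """What the sign-in flow may offer under a policy demanding required_tier.
    Returns [] rather than a weaker method: a lost key means re-enrollment
    through a verified channel, never a silent fall back to SMS."""
    return [m for m in user.methods if TIER[m] >= required_tier]


def harden(user: User) -> User:
    """Remove every downgrade path; the result is as strong as the best method."""
    drop = set(downgrade_paths(user))
    return replace(user,
                   methods=[m for m in user.methods if m not in drop],
                   recovery=[m for m in user.recovery if m not in drop])


def remediation_plan(users: list[User], required_tier: int = 3) -> list[tuple[str, str, str]]:
    """(user, action, what): enroll where nothing strong enough exists, then
    remove each weaker path so the fallback cannot be steered to."""
    plan = []
    for u in users:
        if strongest(u.methods) < required_tier:
            plan.append((u.upn, "enroll", TIER_NAME[required_tier]))
        for m in downgrade_paths(u):
            plan.append((u.upn, "remove", m))
    return plan


# Constructed sample population; names are made up.
SAMPLE_USERS = [
    User("alice@example.com", ["fido2SecurityKey", "authenticatorPush", "sms"], ["sms"]),
    User("bob@example.com", ["passkeyDeviceBound"], []),
    User("carol@example.com", ["authenticatorPush", "sms"], ["email", "securityQuestions"]),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(f"{u.upn}: effective={TIER_NAME[effective_tier(u)]}, "
              f"downgrade paths={downgrade_paths(u)}, offered under strict policy={allowed_methods(u, 3)}")
    for upn, action, what in remediation_plan(SAMPLE_USERS):
        print(f"  {upn}: {action} {what}")
```

On the sample, alice has a security key but is effectively an SMS account until the push and SMS methods and the SMS recovery path are removed; bob is already clean; carol needs enrollment before her fallbacks can go. The `allowed_methods` rule is the one that matters at login time: when policy requires a phishing-resistant method and the user has none available, the flow must stop rather than offer something weaker.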

The arms race between attackers and defenders is not new. What is new is the speed at which attacks are becoming cheaper, more automated, and more effective. The tools that bypass MFA today are not research prototypes. They are commercial products with user interfaces and documentation. The organizations that treat MFA as a static checkbox will keep getting caught off guard. The ones that treat it as one layer in an evolving defense, one that needs continuous tuning, will be far better positioned.

MFA is not dead. But the version of MFA that most organizations are running is no longer enough.
