Why MFA Alone May Not Protect Your Microsoft 365 Environment
The Assumption Most Businesses Make
Many organisations believe:
“We have MFA enabled, so our accounts are secure.”
This assumption is understandable.
MFA is widely recommended and is often considered the standard for account protection.
Real-world testing shows this is not always true. (Weinert, 2022)
What We Tested
As part of our F11 Evidence-Driven Lab series, we simulated a real-world attack scenario in a Microsoft Entra ID environment.
Can attackers bypass MFA without breaching the system?
What We Found
In our lab, we evaluated a technique called an MFA fatigue attack. (Team, 2025) Here’s how it works:
- An attacker repeatedly attempts to log in.
- The user receives multiple MFA push notifications.
- The user eventually approves one, often by mistake.
The Result
This single approval gives the attacker full account access.
No system exploit or advanced hacking is required.
A single user action enables the attack.
Why This Matters to Your Business
This type of attack doesn’t rely on technical weaknesses.
It relies on human behavior.
This human factor makes the attack especially dangerous.
Real Business Risks
Relying only on MFA push notifications exposes you to the following risks.
An attacker who gets a single prompt approved can gain access to:
- Email accounts
- Internal systems
- Cloud applications
1. Financial Fraud
Once inside, attackers can:
- Initiate fraudulent payments
- Modify invoices
- Impersonate executives
This scenario is common in Business Email Compromise (BEC) attacks. (Microsoft Digital Defense Report 2024, n.d.)
2. Data Exposure
Sensitive data may be accessed:
- Client information
- Contracts
- Internal documents
This can lead to:
- Compliance issues
- Legal exposure
- Loss of customer trust
3. Hidden Attacks
From a system perspective:
- MFA shows as “successful.”
- The login appears legitimate.
As a result, these attacks can go unnoticed.
The Cost of Getting This Wrong
Organizations impacted by identity-based attacks often face:
- Direct financial losses
- Operational disruption
- Incident response costs
- Reputational damage
A single incident can cost tens or hundreds of thousands of dollars. (2020 Cost of a Data Breach Report, n.d.)
The Hidden Problem
MFA only shows that someone has approved the request.
It does NOT confirm:
- Whether the approval was intentional
- Whether the user was under pressure
- Whether the request was legitimate
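Because the final sign-in looks legitimate on its own (the point made under “Hidden Attacks” and “The Hidden Problem” above), the pattern has to be found in the sequence of events around it: a burst of failed or declined MFA requests followed by a success for the same user. The following detection logic is an added example, not code from the F11 lab or from Microsoft. The sample records are constructed to mimic the shape of Entra ID interactive sign-in log entries (field names follow the Microsoft Graph signIn resource, with only the fields used here included); 500121 is the Entra error code for a failed strong-authentication request.

```python
"""Detection logic for MFA fatigue patterns in Microsoft Entra ID sign-in logs.

Added example, not code from the F11 lab or from Microsoft. SAMPLE_SIGNINS is
constructed to mimic the shape of Entra interactive sign-in records (only the
fields used here are included; names follow the Microsoft Graph signIn
resource). Error code 500121 is the Entra code for a failed strong-
authentication (MFA) request.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILURE_CODE = 500121  # "Authentication failed during strong authentication request"

# Constructed sample records: alice is sent five prompts in three minutes and
# approves the sixth; bob signs in normally; carol declines one prompt by
# mistake and then signs in herself.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:00:05Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:00:50Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:01:35Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:02:20Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:03:05Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T08:03:40Z",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-01-10T08:10:00Z",
     "ipAddress": "198.51.100.4", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-01-10T09:00:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": MFA_FAILURE_CODE}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-01-10T09:00:30Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_mfa_fatigue(signins, min_failures=3, window=timedelta(minutes=10)):
    """Flag users whose successful sign-in was preceded, within `window`, by at
    least `min_failures` failed MFA requests. Each alert carries the user, the
    number of failed prompts, the time of the eventual success and its source
    IP, which is what an analyst needs to decide whether to revoke sessions."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for upn, recs in by_user.items():
        recs.sort(key=_ts)
        for i, rec in enumerate(recs):
            if rec["status"]["errorCode"] != 0:
                continue  # only a success completes the pattern
            success_at = _ts(rec)
            failed = [r for r in recs[:i]
                      if r["status"]["errorCode"] == MFA_FAILURE_CODE
                      and success_at - _ts(r) <= window]
            if len(failed) >= min_failures:
                alerts.append({
                    "user": upn,
                    "failed_prompts": len(failed),
                    "success_at": rec["createdDateTime"],
                    "ip": rec["ipAddress"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

Run against the sample, only alice is flagged: five failed prompts inside the window, then a success. Carol’s single accidental decline stays below the threshold, which is the trade-off to tune: a lower threshold catches shorter bursts at the cost of more noise from ordinary mis-taps.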
What a Stronger Approach Looks Like
To mitigate this risk, organizations should consider the following actions:
Strengthen MFA
- Enable number matching in Microsoft Authenticator.
- Don’t use simple "approve" or "deny" prompts.
Use Risk-Based Access Controls
- Require additional verification for high-risk sign-ins.
- Block suspicious authentication attempts immediately.
Combine Multiple Signals
Modern identity security should take into account the following factors:
- User behavior
- Device trust
- Sign-in risk
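The recommendations above (risk-based access controls and combining signals) map onto Conditional Access policies keyed on sign-in risk. The code below is an added example, not the F11 lab’s or Microsoft’s own code. build_signin_risk_policy returns a body in the shape of the Microsoft Graph conditionalAccessPolicy resource, as sent to POST /identity/conditionalAccess/policies; it does not call the API, and BREAK_GLASS_ACCOUNT_ID is a placeholder object id. evaluate_signin is a simplified, assumed model of how such policies combine with device trust, not the real Conditional Access engine.

```python
"""Risk-based Conditional Access policies and a combined-signals decision.

Added example, not the F11 lab's or Microsoft's own code.
build_signin_risk_policy returns a body in the shape of the Microsoft Graph
conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies);
the code does not call the API. BREAK_GLASS_ACCOUNT_ID is a placeholder object
id. evaluate_signin is a simplified, assumed model of how these policies
combine with device trust; it is not the real Conditional Access engine.
"""

BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder


def build_signin_risk_policy(name, risk_levels, control, state="enabled"):
    """Build a Conditional Access policy that applies `control` ("mfa" or
    "block") to sign-ins whose Entra ID Protection risk is in `risk_levels`.
    Roll new policies out with state="enabledForReportingButNotEnforced"
    first and review the sign-in log results before enabling them."""
    if control not in ("mfa", "block"):
        raise ValueError("control must be 'mfa' or 'block'")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "signInRiskLevels": list(risk_levels),
            "applications": {"includeApplications": ["All"]},
            # Always exclude the emergency-access account so a mis-scoped
            # policy cannot lock administrators out.
            "users": {"includeUsers": ["All"],
                      "excludeUsers": [BREAK_GLASS_ACCOUNT_ID]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


# The two policies the advice above translates to: block high-risk sign-ins
# outright, require step-up verification on medium risk.
RISK_POLICIES = [
    build_signin_risk_policy("CA-SigninRisk-High-Block", ["high"], "block"),
    build_signin_risk_policy("CA-SigninRisk-Medium-MFA", ["medium"], "mfa"),
]


def evaluate_signin(signin, policies=RISK_POLICIES):
    """Return "block", "mfa" or "allow" for a sign-in described by
    {"signInRiskLevel": ..., "deviceCompliant": bool}. Block wins over any
    other result; an unmanaged device forces step-up even at low risk."""
    controls = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue  # report-only and disabled policies do not enforce
        if signin["signInRiskLevel"] in policy["conditions"]["signInRiskLevels"]:
            controls.update(policy["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block"
    if "mfa" in controls or not signin.get("deviceCompliant", False):
        return "mfa"
    return "allow"


if __name__ == "__main__":
    import json
    print(json.dumps(RISK_POLICIES[0], indent=2))
    print(evaluate_signin({"signInRiskLevel": "high", "deviceCompliant": True}))
```

Number matching is a separate control: it is configured in the Authentication methods policy for Microsoft Authenticator rather than in Conditional Access, and Microsoft now enforces it for Authenticator push notifications by default. The policies here address the other half of the advice, so that a prompt approved under pressure from a risky or unmanaged sign-in is blocked or challenged again rather than trusted outright.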
Train Users
Users should be trained to:
- Never approve unexpected MFA prompts.
Key Takeaway
Recognize that MFA is essential, but take the next step—layer additional protections today.
About This Experiment
This insight is based on: EID-EXP-015 – MFA Fatigue Attack Simulation
Part of the F11 Evidence-Driven Lab series, where we test Microsoft identity security controls in real-world scenarios.
Final Thought
Security is not just about adding controls.
It’s about ensuring those controls function effectively under real-world conditions.
References
Weinert, A. (2022). Defend your users from MFA fatigue attacks. Microsoft Entra Blog. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/defend-your-users-from-mfa-fatigue-attacks/2365677
Team, M. S. (2025). MFA Fatigue Attacks: Exploiting Human Error. Material Security. https://material.security/workspace-resources/why-mfa-fatigue-attacks-slip-past-two-factor-security
Microsoft Digital Defense Report 2024. (n.d.). Microsoft. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/Exec%20Summary_2024%20Microsoft%20Digital%20Defense%20Report.pdf
2020 Cost of a Data Breach Report. (n.d.). IBM. https://www.ibm.com/think/x-force/whats-new-2020-cost-of-a-data-breach-report