Think You’re Protected with MFA? Man in the Middle Attacks bypass MFA!

17.07.2025

You’ve probably heard that multi-factor authentication (MFA), such as typing in a code from an app on your phone or approving a sign-in prompt, is the best way to keep your online accounts safe.

MFA still stops the vast majority of password-based attacks, and you should keep it switched on. But cybercriminals are making greater use of a technique that gets past the common forms of MFA (one-time codes and push approvals) entirely, and most people don’t see it coming.

These attacks intercept real logins as they happen and let the attacker ride the resulting session straight past MFA. They’re known as Man in the Middle (MitM) or Adversary in the Middle (AitM) phishing attacks, and EvilProxy, a phishing-as-a-service toolkit, is just one example we’ve chosen to highlight.


What's an EvilProxy attack?  (The simple explanation)

Imagine you're logging in to your Microsoft 365 email or Teams account. You get what looks like a normal login page (perhaps after you follow a link from a “Microsoft” warning email) — same branding, same Microsoft logo, everything.


✅You enter your email.

✅You type in your password.

✅You even approve the code on your phone.

Everything seems fine.  But everything just went very wrong.

❌That wasn’t the real Microsoft login page. It was served by a cybercriminal’s proxy server sitting between you and Microsoft. The proxy relays the genuine page, which is why the branding and logo look exactly right.

❌Behind the scenes, the proxy forwards your email, password and MFA code to Microsoft in real time, so Microsoft sees an ordinary login and completes it.

❌Once the login completes, Microsoft hands back the digital “key” to your session, a session cookie (often called a session token), and the proxy captures it on the way through.

❌That key lets the attacker use your account from their own browser without your password or another MFA prompt, for as long as the session stays valid.

It’s like handing a criminal a guest pass to your digital office. They can use it from anywhere in the world until the pass expires or someone revokes it, and unless the session is spotted and revoked, that can be days or weeks.


Why It's So Dangerous:

It works even if you’ve got MFA, as long as that MFA is a code or a push approval, because those can be relayed just like the password.

You won’t even realise it’s happened — it feels like a normal login.

The attacker can access your email, files, and Teams messages.

They can reset passwords, add their own MFA method, or set up mailbox rules that forward your email, giving themselves other routes back in and making it very hard to kick them out.

This isn’t theory — it’s happening right now, across businesses large and small. 


So...  What Can Be Done?

Here’s the good news: you can absolutely defend against this kind of attack. But it takes more than just turning on MFA.

Here’s what your organisation can do (and what we help with):

1. Use phishing-proof login methods

We recommend FIDO2 security keys or passkeys. These sign a challenge that includes the address of the website your browser is actually talking to, so a credential registered for login.microsoftonline.com simply does not work on the attacker’s proxy domain. There is no code to relay and nothing for the attacker to capture.

2. Lock down access to trusted devices only

For example, Microsoft 365 can be configured, using Conditional Access and Intune, so that it only allows sign-ins from company-managed, compliant computers or phones. A session created through a proxy carries no proof that it came from your managed device, so even if the attacker steals the session, Microsoft refuses to use it outside an approved company device. Moving your users to Microsoft 365 Business Premium licences, which include Conditional Access and Intune, and configuring them correctly is a key action.

3. Detect and block suspicious activity

Sign-in logs can be monitored for locations, devices and unusual patterns. If something doesn’t look right, such as a login from a country you’ve never been to, the same session suddenly appearing from a second location, or a session with no known device behind it, it can be blocked automatically or raise an alert.
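As an added example (not from the page or any vendor tool), the following Python runs three such checks over a handful of constructed sign-in records. The field names are assumed and the data is made up; in practice the records would come from the Microsoft 365 sign-in log export or a SIEM, and the list of known countries from a few weeks of history.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in records (not real logs). Field names are assumed; they loosely follow the
# columns in the Microsoft 365 / Entra sign-in log: who, from where, which session, which device.
SIGN_IN_LINES = [
    '{"time": "2025-07-17T08:02:11Z", "user": "alice@example.test", "ip": "198.51.100.23", "country": "GB", "session": "s-1", "device": "DESKTOP-ALICE", "managed": true}',
    '{"time": "2025-07-17T08:40:05Z", "user": "alice@example.test", "ip": "203.0.113.9", "country": "NG", "session": "s-1", "device": "", "managed": false}',
    '{"time": "2025-07-17T09:15:42Z", "user": "bob@example.test", "ip": "198.51.100.41", "country": "GB", "session": "s-2", "device": "LAPTOP-BOB", "managed": true}',
    '{"time": "2025-07-17T09:16:30Z", "user": "bob@example.test", "ip": "198.51.100.41", "country": "GB", "session": "s-2", "device": "LAPTOP-BOB", "managed": true}',
]

# Where each user normally signs in from (constructed; in practice built from recent history).
KNOWN_COUNTRIES = {"alice@example.test": {"GB"}, "bob@example.test": {"GB"}}


def parse(lines):
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield rec


def analyse(lines, known_countries, reuse_window=timedelta(hours=8)):
    """Return a list of alerts. Rules:
    new_country       - sign-in from a country the user has never used before
    unmanaged_device  - sign-in not from a company-managed device (a relayed session has none)
    session_reused_from_new_location - the same session id seen from a different IP/country
                        within reuse_window: the signature of a stolen session cookie in use
    """
    alerts, last_seen = [], {}
    for rec in parse(lines):
        user, sess = rec["user"], rec["session"]
        if rec["country"] not in known_countries.get(user, set()):
            alerts.append({"rule": "new_country", "user": user, "country": rec["country"], "ip": rec["ip"]})
        if not rec["managed"]:
            alerts.append({"rule": "unmanaged_device", "user": user, "ip": rec["ip"], "session": sess})
        prev = last_seen.get(sess)
        if prev and (prev["ip"], prev["country"]) != (rec["ip"], rec["country"]) \
                and rec["time"] - prev["time"] <= reuse_window:
            alerts.append({"rule": "session_reused_from_new_location", "user": user, "session": sess,
                           "from": f'{prev["ip"]} ({prev["country"]})', "to": f'{rec["ip"]} ({rec["country"]})',
                           "minutes_apart": int((rec["time"] - prev["time"]).total_seconds() // 60)})
        last_seen[sess] = rec
    return alerts


if __name__ == "__main__":
    for alert in analyse(SIGN_IN_LINES, KNOWN_COUNTRIES):
        print(alert)
```

On the sample data only alice’s second sign-in fires: a new country, no managed device, and session s-1 reappearing from a different address 37 minutes after it was created, which is exactly what a captured cookie being replayed from the attacker’s machine looks like. Bob’s two sign-ins share the same session, address and device and produce nothing.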

4. Limit admin access

We make sure administrator rights sit in separate accounts that are not used for everyday email, are not left signed in, are only used when needed, and carry extra security layers such as phishing-resistant MFA.

5. Run regular training and phishing simulations

Ongoing training helps your team spot fake login pages and dodgy emails before anyone clicks. The tell-tale sign of a proxied login is the address bar: the page looks right, but the domain isn’t Microsoft’s. Human awareness is still a key first line of defence. For example, is your team aware that attackers can send calendar invitations that land in your calendar and contain phishing links or attachments?


The Bottom Line

This isn’t just a theoretical risk. Cyber threats are evolving fast, but so are the tools we use to stop them. If you’re relying on passwords and code- or push-based MFA alone, your business is at risk of session-stealing attacks like EvilProxy and other MitM attacks.

By investing in comprehensive tools and security awareness training, you can help ensure that your team is ready to defend against the next attack.

If you'd like to upgrade your service plan to include enhanced cybersecurity protection, or would simply like some free, impartial advice about making sure that your systems and your team are ready, please book a no-obligation appointment or call us on 03300 886 116.