Webinar 2026: How Attackers Exploit and Bypass MFA, and How Defenders Can Respond

Upcoming Webinar: Stop Chasing Alerts – Automating Email Security with Behavioral AI

On July 8, 2026, BleepingComputer will host a critical webinar titled "Stop chasing alerts: Automating email security with behavioral AI." This session will feature insights from Dan Nickolaisen, Solutions Architect Manager at Abnormal AI, and Eric Danneker, Director of Cyber Vigilance and Defense at Novant Health. They will dissect how modern attackers bypass traditional multi-factor authentication (MFA) and credential theft protections by exploiting legitimate authorization processes, and how defenders can respond effectively. This discussion is crucial for understanding the evolving threat of MFA bypass techniques.

The Attack That Doesn't Steal Your Password: Understanding MFA Bypass

Device Code phishing is a stark example of how modern attacks have evolved beyond simple password theft. This technique effectively bypasses MFA by tricking users into authorizing access through legitimate Microsoft authentication pages. The user logs in, completes their MFA challenge, and everything appears normal. However, the attacker walks away with persistent access tokens.

This is not a theoretical vulnerability. Real-world incidents, observed in campaigns that use techniques like MITRE ATT&CK T1566.002 (Phishing: Spearphishing Link) to initiate the attack chain, confirm its efficacy: attackers gain persistent access to corporate accounts and often evade traditional defenses. This highlights a crucial point: security strategies focused only on credential theft or direct MFA bypasses often miss a significant attack vector.

How Device Code Phishing Works to Bypass MFA

The attack chain unfolds in distinct stages, each leveraging legitimate system functionality:

Initial Lure: The Phishing Email
The attacker sends a phishing email, often impersonating a legitimate service or notification. Crucially, this email does not request credentials directly. Instead, it directs the user to a page displaying a unique device code.

User Interaction: The Device Code
The user is instructed to navigate to a legitimate Microsoft URL, such as microsoft.com/devicelogin, and enter the provided code. This interaction occurs entirely on a trusted Microsoft domain, lending an air of legitimacy to the process.

Legitimate Login: MFA Challenge Completed
After entering the code, the user is prompted to log in with their corporate credentials and complete their multi-factor authentication challenge. This mirrors a standard, legitimate login process, making it difficult for the user to discern any malicious intent.

Token Acquisition: Persistent Access Granted
Because the user completes a legitimate login and MFA challenge, the attacker—who initiated the device code flow—receives an access token. This token grants persistent access to the user's account and associated resources, all without ever stealing the user's password. This is a clear example of how attackers can bypass MFA without ever compromising credentials.

The system functions as designed for the user, but the legitimate flow is subverted to grant access to a malicious actor. Because of this operational nuance, traditional email security, credential monitoring, and even MFA protections often fail to flag these events as malicious. Technically, the authentication sequence was valid, which is why it often goes undetected. This method represents a sophisticated MFA bypass that traditional systems struggle to identify.
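Because every step in the chain above succeeds, a detection has to key on how the login happened and what follows it rather than on a failure. The sketch below is an added example, not material from the webinar or from any vendor named here: the record layout, the `protocol` value `deviceCode`, the baseline cutoff and the one-hour follow-up window are all assumptions, and the sign-in records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. The field layout is hypothetical;
# "deviceCode" stands for however the identity provider marks the device code flow.
FIELDS = ("time", "user", "protocol", "ip")
SIGNINS = [
    ("2026-06-01T08:02:11", "alice@example.com", "none",       "198.51.100.10"),
    ("2026-06-01T09:00:00", "kiosk@example.com", "deviceCode", "198.51.100.44"),
    ("2026-06-02T08:05:40", "alice@example.com", "none",       "198.51.100.10"),
    ("2026-06-03T09:01:12", "kiosk@example.com", "deviceCode", "198.51.100.44"),
    ("2026-06-03T10:15:02", "alice@example.com", "deviceCode", "198.51.100.10"),
    ("2026-06-03T10:21:47", "alice@example.com", "none",       "203.0.113.77"),
    ("2026-06-03T16:30:00", "alice@example.com", "none",       "198.51.100.10"),
]

def find_suspect_device_code_logins(rows, baseline_end, follow_window=timedelta(hours=1)):
    """Alert on a user's first device-code sign-in after the baseline period and
    attach any sign-ins from never-before-seen IPs inside follow_window."""
    events = [dict(zip(FIELDS, r)) for r in rows]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    events.sort(key=lambda e: e["time"])
    cutoff = datetime.fromisoformat(baseline_end)
    device_code_users = set()   # users who have used the flow before
    known_ips = {}              # user -> source IPs seen so far
    open_alert = {}             # user -> most recent alert for that user
    alerts = []
    for e in events:
        user = e["user"]
        ips = known_ips.setdefault(user, set())
        prior = open_alert.get(user)
        # Activity from a new IP shortly after the device-code login is the
        # behavioural signal; the login itself looked valid.
        if prior and e["time"] - prior["time"] <= follow_window and e["ip"] not in ips:
            prior["new_ips_after"].append(e["ip"])
        # Events before the cutoff only build the baseline (e.g. the kiosk account).
        if e["time"] >= cutoff and e["protocol"] == "deviceCode" and user not in device_code_users:
            prior = {"user": user, "time": e["time"], "new_ips_after": []}
            alerts.append(prior)
            open_alert[user] = prior
        if e["protocol"] == "deviceCode":
            device_code_users.add(user)
        ips.add(e["ip"])
    return alerts

if __name__ == "__main__":
    for a in find_suspect_device_code_logins(SIGNINS, "2026-06-03T00:00:00"):
        print(a["user"], a["time"].isoformat(), a["new_ips_after"])
```

The kiosk account, which used the flow during the baseline period, stays quiet; the account with no history of the flow is flagged together with the unfamiliar address that appears minutes later.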

The Real Impact: Beyond the Technical MFA Bypass

The operational impact is substantial. An attacker with this access gains persistent control over the compromised user's account within their organization's tenant. The consequence extends beyond data exfiltration, encompassing full account takeover, Business Email Compromise (BEC), and lateral movement within the organization. This successful MFA bypass leads directly to severe organizational risk.

This attack vector also exploits human behavioral patterns, particularly the frequently observed user frustration with MFA fatigue. Constant push notifications desensitize users. A Device Code phishing attack requires only one successful interaction where the user believes they are logging into a legitimate service. It's widely agreed that relying solely on user education isn't enough when attackers exploit trusted workflows to bypass MFA.

This presents significant challenges for SOC and incident response teams. Alerts from traditional systems may not trigger, or they become obscured within a flood of legitimate activity. This complicates early detection and extends response times.

What We Do Next: Beyond Traditional MFA to Prevent MFA Bypass

To counter this, we must move beyond traditional MFA and credential monitoring as standalone defenses. New strategies are needed to detect and prevent sophisticated MFA bypass techniques.

Behavioral AI platforms, such as Abnormal AI, can offer an important detection layer. These systems identify unusual account activities and suspicious communications that conventional security controls miss. The focus shifts from detecting stolen credentials to identifying anomalous behavior *after* a seemingly legitimate login, which is crucial for detecting MFA bypasses effectively and preventing further compromise. This approach helps identify when an attacker has managed to bypass MFA and gained access.

They break the chain where an attacker can intercept a token or trick a user into approving a push. While large-scale adoption presents practical challenges, the security benefit is immense.

The threat landscape has clearly shifted. Attackers are sophisticated and no longer rely solely on brute-force password cracks. They often target the easiest vulnerabilities, which frequently involves exploiting the legitimate processes we rely on daily.

Viewing MFA as a one-time setup is a significant vulnerability. While a key layer, it is not a singular defense. We must implement defenses that understand the nuances of modern attacks, that can spot subtle behavioral shifts, and that do not rely solely on a user's perfect judgment under pressure. Ultimately, defending against these attacks means combining smarter detection with truly phishing-resistant authentication methods.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.