Your MFA Is Probably Bypassable. Here's What Actually Stops the Attack.

It probably isn't.

Last week, Microsoft published findings on a credential-theft campaign that compromised about thirty-five thousand users across twenty-six countries. Every one of those accounts had MFA turned on. The attackers got in anyway, by sitting in the middle of the login process and capturing the session right after the user typed their code. The technical name is attacker-in-the-middle. The practical name is the version of MFA you turned on doesn't stop this.

Here's the part most security articles skip: there are different kinds of MFA, and only one of them actually stops the attack we're talking about.

The kinds that get bypassed:

• A code texted to your phone (SMS)
• A code from an authenticator app (TOTP)
• A push notification asking you to approve sign-in
  

The kind that doesn't:

• A physical security key (FIDO2 hardware token)
• A passkey tied to your device biometrics

The difference is that the bypassable kinds rely on the user typing or tapping something the attacker can capture. The kind that works binds the login to the specific device and domain — so if the login is happening through a fake site, the security key just refuses to authenticate. There's nothing to phish.

This matters more for small and mid-sized businesses than for enterprises, and the data shows it. Gartner's most recent figures peg enterprise MFA adoption around eighty-five percent. SMB adoption is around twenty-five percent. The math is bleak: three out of four small businesses don't have any MFA, and most of the one out of four that do have it are using the bypassable kind.

If you're an SMB owner reading this, here's what to do this week:

1. If you don't have MFA on email, banking, and any system that holds customer data, stop reading and turn it on. Even the bypassable kind is dramatically better than nothing. The attacker-in-the-middle campaigns require active targeting; opportunistic credential-theft from password reuse hits everybody. Don't let perfect be the enemy of good. 
2. If you do have MFA, find out what kind. If it's a text message or an authenticator app code, you have step one. There's a step two and you should plan for it.
3. For step two, look at FIDO2 security keys or passkeys for your high-value accounts. Microsoft, Google, and Apple all support passkeys natively now. A YubiKey runs about fifty dollars. For the accounts that would hurt the most to lose — your email, your bank, your payroll, your customer data systems — that's a small investment for a large amount of "this attack does not work on us."
4. *Train your people on what won't stop the attack.* Most people think any MFA prompt means they're safe. The Microsoft campaign worked because users approved push notifications during a fake login they didn't realize was fake. If your training stops at "click yes when the prompt comes up," your training is part of the attack surface.
   

The truth about MFA in 2026 is that the conversation has moved on, and most SMBs haven't been told. Step one was getting any MFA at all. Step two is getting the kind that the latest attacks can't bypass. The good news is step two costs less than a single hour of incident response.

Don't confuse having MFA with being safe. Find out what kind you have. Upgrade the accounts that matter.

─────────────────────────────────────────────────────

Aaron Gobreski is an Information Security Analyst at NexusTek. NexusTek is a CMMC L2-certified managed service provider serving small and mid-sized businesses across the United States.

Questions about your organization's MFA posture? Contact us here: https://www.nexustek.com/contact-us