Why MFA Isn’t Enough: The Rise of Identity Threat Detection 

Publication date: Mar 30, 2026

Last Published: Mar 30, 2026


If you’ve rolled out multi-factor authentication (MFA) and enforced it across your accounts, you’ve checked one of the most important boxes in cybersecurity (if you haven’t, you should do so as soon as possible). However, attackers are known for constantly evolving their tactics, and they’ve found ways to work around MFA.

This article explains why MFA alone leaves blind spots that attackers routinely exploit, and what a newer layer of defense called Identity Threat Detection and Response (ITDR) does to close those gaps.  

How Attackers Get Past MFA Without Breaking It 

MFA works, and it significantly improves account security. According to a large-scale Microsoft study from 2023, over 99.99% of MFA-enabled accounts remained secure during the investigation period.  

The problem is that real-world MFA implementations are designed to balance security with convenience. When you log into Microsoft 365, for example, your browser receives a session token that proves you’ve already authenticated. That token keeps you logged in so you’re not completing MFA every time you open an email or switch between apps.  

It’s a practical tradeoff, but it also means that from that point forward, everything you do relies on that token, not on your password or MFA code. If someone steals it, they don’t need either. 

That is exactly what’s happening at scale. Microsoft’s identity team reported a 111% year-over-year increase in token theft attacks, with roughly 39,000 incidents occurring daily. There are several different types of token theft attacks, with the main ones being:  

  • Adversary-in-the-middle (AiTM) phishing: The attacker sets up a reverse proxy between you and a legitimate login page (say, your real Microsoft 365 portal). You see the actual login screen, enter your credentials, complete MFA normally, and get logged in. But the proxy sitting in the middle silently captures the session token that gets issued afterward. The attacker now has a fully authenticated session they can replay from anywhere. Toolkits like EvilProxy and Tycoon 2FA have turned this into a commodity service, and Lab539 reported that over 1,000 domains per month now host AiTM infrastructure. 
  • MFA fatigue attacks: An attacker who already has your stolen password (purchased from an access broker or harvested by infostealer malware) tries to log in repeatedly, flooding your phone with push notifications until you approve one out of frustration. This is how Uber was breached in 2022. An 18-year-old affiliated with Lapsus$ (an international group of hackers) bombarded a contractor with push notifications for over an hour, then posed as Uber IT on WhatsApp and told them to accept. They did. The attacker then got access to internal systems including Slack, AWS, and financial tools. 
  • Help desk social engineering: Attackers identify employees on LinkedIn, call the IT help desk pretending to be that person, and request an MFA reset or new device enrollment. The MGM Resorts breach in September 2023, for example, started with a 10-minute phone call to the help desk. Attackers got MFA reset for a super administrator account in Okta, then configured an unauthorized identity provider. The result was over $100 million in losses. 
  • OAuth and consent abuse: Instead of stealing your session, the attacker tricks you into granting a malicious app permission to access your data. Once you click “Allow,” the app gets its own token with whatever permissions you consented to. Microsoft’s own documentation says that resetting passwords or requiring MFA “aren’t effective against this type of attack” because the malicious app operates independently of your account credentials. 

Across all these examples of token theft attacks, MFA worked exactly as intended, and the user was authenticated only after providing another authentication factor in addition to their password.  

However, MFA is a static checkpoint. To be protected against token theft attacks, organizations need a surveillance system that watches what happens after authentication and can detect when a session token is being replayed from an unfamiliar device, when an account starts behaving in ways that don’t match its normal patterns, or when a malicious app is quietly siphoning data through a consent grant that no one reviewed. Identity Threat Detection and Response was built to fill exactly this gap. 
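The post-authentication check described above, in code: once a session token has been issued, an ITDR-style monitor compares every later use of that token with the context it was first seen in and alerts when the token shows up from a different device, or from a different country sooner than anyone could plausibly travel. This is an added illustration, not code from OSIbeyond or from any Microsoft product; the field names (`session_id`, `device_id`) and the sample events (TEST-NET addresses) are constructed assumptions.

```python
"""Flag session-token replay from post-authentication activity (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str   # assumed: opaque identifier of the issued session token
    device_id: str    # assumed: device fingerprint the token was presented from
    ip: str
    country: str      # geolocation of ip


# Constructed sample of post-authentication activity (TEST-NET addresses, not real logs).
EVENTS = [
    SessionEvent(datetime(2026, 3, 2, 9, 0), "alice", "sess-A", "dev-laptop-1", "203.0.113.10", "US"),
    SessionEvent(datetime(2026, 3, 2, 9, 5), "alice", "sess-A", "dev-laptop-1", "203.0.113.10", "US"),
    # same token, suddenly presented from an unknown device abroad
    SessionEvent(datetime(2026, 3, 2, 9, 12), "alice", "sess-A", "dev-unknown-7", "198.51.100.44", "NL"),
    SessionEvent(datetime(2026, 3, 2, 9, 0), "bob", "sess-B", "dev-laptop-2", "203.0.113.20", "US"),
    SessionEvent(datetime(2026, 3, 2, 10, 30), "bob", "sess-B", "dev-laptop-2", "203.0.113.21", "US"),
    # same device id claimed, but the country flips 15 minutes later
    SessionEvent(datetime(2026, 3, 2, 10, 45), "bob", "sess-B", "dev-laptop-2", "198.51.100.9", "NL"),
]

# Assumed policy: a country change inside one session faster than this is not travel.
MIN_TRAVEL_TIME = timedelta(hours=6)


def detect_token_replay(events, min_travel_time=MIN_TRAVEL_TIME):
    """Compare each use of a session token with its issuance context.

    Returns one alert dict per suspicious use, in timestamp order.
    """
    alerts = []
    first = {}   # session_id -> event in which the token was first seen
    prev = {}    # session_id -> most recent event for that token
    for ev in sorted(events, key=lambda e: e.ts):
        sid = ev.session_id
        if sid not in first:
            first[sid] = prev[sid] = ev   # record issuance context
            continue
        reason = None
        if ev.device_id != first[sid].device_id:
            reason = "token presented from a different device than it was issued to"
        elif ev.country != prev[sid].country and ev.ts - prev[sid].ts < min_travel_time:
            gap = ev.ts - prev[sid].ts
            reason = f"country changed {prev[sid].country}->{ev.country} within {gap}"
        if reason:
            alerts.append({"user": ev.user, "session_id": sid, "ts": ev.ts,
                           "ip": ev.ip, "reason": reason})
        prev[sid] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(EVENTS):
        print(alert)
```

The device check fires first because a replayed token normally arrives from hardware the user never registered; the travel-time check catches the case where the attacker also spoofs the device fingerprint but cannot hide the network they are coming from. In a real deployment the response (revoke the token, force re-authentication) would hang off each alert.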


What Identity Threat Detection and Response (ITDR) Does That MFA Can’t 

Identity Threat Detection and Response (ITDR) is a category of security tools and practices designed to detect, investigate, and respond to threats that target identity systems in real time.  

You can think of ITDR as a tireless detective that operates around the clock, always watching those who have been authenticated to spot any suspicious behavior.  

More specifically, ITDR builds a profile of how each user normally behaves: when they log in, from where, what devices they use, and which applications they access. It then watches for privilege escalation, lateral movement between systems, unusual access requests, and rogue application installations. For example, when a user grants a malicious OAuth app access to their mailbox or files, ITDR can detect that the grant happened, evaluate whether the app is known or suspicious, and automatically revoke the permission before data is exfiltrated.

Consider the MGM breach described above. The sequence of events was:

  • A privileged account suddenly enrolling a new MFA device.
  • Followed by login activity from an unfamiliar location.
  • Followed by the creation of an unauthorized identity provider.

Each step on its own might look routine. But if ITDR were in place, it would have noticed that the steps form a very suspicious pattern and acted accordingly to stop the attack from escalating (the specific response depends on configuration). 
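To make the “each step looks routine, the sequence does not” point concrete, here is an added correlation rule (illustrative code, not OSIbeyond’s or any vendor’s detection logic). It first builds a per-user baseline of sign-in countries from history, then scans a live event stream for the three-step chain above on privileged accounts within a time window. The event schema, the action names, and the sample data are constructed assumptions.

```python
"""Correlate new-MFA-device -> unfamiliar sign-in -> new identity provider (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime
    user: str
    action: str   # assumed values: "sign_in", "mfa_device_enrolled", "idp_created"
    country: str  # geolocation of the source IP


# Constructed history of routine sign-ins used to build the baseline (not real data).
HISTORY = [
    IdentityEvent(datetime(2023, 9, 1, 9, 0), "superadmin", "sign_in", "US"),
    IdentityEvent(datetime(2023, 9, 4, 8, 30), "superadmin", "sign_in", "US"),
    IdentityEvent(datetime(2023, 9, 5, 9, 10), "analyst", "sign_in", "US"),
    IdentityEvent(datetime(2023, 9, 6, 9, 5), "analyst", "sign_in", "US"),
]

# Constructed live stream: one benign MFA re-enrollment and one chain shaped
# like the breach described in the article.
STREAM = [
    IdentityEvent(datetime(2023, 9, 11, 9, 0), "analyst", "mfa_device_enrolled", "US"),
    IdentityEvent(datetime(2023, 9, 11, 9, 2), "analyst", "sign_in", "US"),
    IdentityEvent(datetime(2023, 9, 11, 14, 0), "superadmin", "mfa_device_enrolled", "US"),
    IdentityEvent(datetime(2023, 9, 11, 14, 6), "superadmin", "sign_in", "NL"),
    IdentityEvent(datetime(2023, 9, 11, 14, 40), "superadmin", "idp_created", "NL"),
]

PRIVILEGED = {"superadmin"}          # assumed: accounts the rule applies to
WINDOW = timedelta(hours=2)          # assumed: whole chain must complete within this


def build_baseline(history):
    """Map each user to the set of countries they have signed in from before."""
    baseline = {}
    for ev in history:
        if ev.action == "sign_in":
            baseline.setdefault(ev.user, set()).add(ev.country)
    return baseline


def correlate_chains(stream, baseline, privileged, window=WINDOW):
    """Return one alert per privileged account whose events, in order and within
    `window`, match: new MFA device -> sign-in from a country not in the
    baseline -> new identity provider. No single step is alerted on by itself."""
    alerts = []
    partial = {}  # user -> events matched so far (the chain's current stage)
    for ev in sorted(stream, key=lambda e: e.ts):
        if ev.user not in privileged:
            continue
        chain = partial.get(ev.user, [])
        if chain and ev.ts - chain[0].ts > window:
            chain = []                      # partial chain expired
        if ev.action == "mfa_device_enrolled":
            chain = [ev]                    # stage 1: (re)start a chain
        elif len(chain) == 1 and ev.action == "sign_in" \
                and ev.country not in baseline.get(ev.user, set()):
            chain.append(ev)                # stage 2: sign-in from unfamiliar location
        elif len(chain) == 2 and ev.action == "idp_created":
            chain.append(ev)                # stage 3: directory change completes the chain
            alerts.append({
                "user": ev.user,
                "chain": [e.action for e in chain],
                "started": chain[0].ts,
                "completed": ev.ts,
            })
            chain = []
        partial[ev.user] = chain
    return alerts


if __name__ == "__main__":
    for alert in correlate_chains(STREAM, build_baseline(HISTORY), PRIVILEGED):
        print(alert)
```

The analyst’s re-enrollment produces nothing even if the account is treated as privileged, because the following sign-in comes from a baseline country; the superadmin chain completes in 40 minutes and is reported as one incident rather than three unrelated log lines. What happens on the alert (revoking the new device, suspending the account, rolling back the identity provider) is the configurable response part of ITDR.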

Again, ITDR does not replace MFA. The two serve different purposes at different stages. MFA reduces the odds of unauthorized access at the front door. ITDR catches what gets past it and responds before an attacker can do real damage. 

What to Look for in ITDR (and What You Might Already Have) 

ITDR is still a relatively new category (Gartner introduced the term in 2022). As such, there’s no single agreed-upon product checklist, and vendors package ITDR capabilities in different ways. That said, based on how attackers actually operate (as covered above), there are a few features that matter most: 

  • Real-time sign-in risk assessment to evaluate every authentication attempt against behavioral signals (location, device, IP reputation, and so on). 
  • Post-authentication monitoring that watches for things like lateral movement between systems, privilege escalation, unusual data access patterns, and directory changes. 
  • Consent and app permission controls capable of revoking permissions when they are granted to suspicious or unknown applications. 
  • Automated response involving blocking access, revoking tokens, terminating sessions, or quarantining accounts before a human analyst even sees the alert. 
  • Support for hybrid identity environments that combine cloud identity (like Entra ID) and on-premises Active Directory accounts. 

The good news is that organizations already running Microsoft 365 may have access to most of these capabilities without buying anything new because Microsoft has built a substantial ITDR stack into its platform over the past few years, spread across several products.  

Microsoft’s primary identity threat detection engine is Entra ID Protection, which evaluates every sign-in against behavioral signals and flags risks like impossible travel, anonymous IP usage, password spray patterns, AiTM phishing indicators, and anomalous token behavior. It also monitors for leaked credentials, so if your employees’ passwords appear in a known credential dump, it can force a password change before an attacker uses them. 

On top of that, Microsoft Defender for Cloud Apps adds visibility into how cloud applications are actually being used after login. It can detect suspicious OAuth apps, flag unusual data access patterns, and automatically revoke tokens or permissions when something looks off.  

For organizations with hybrid environments, Defender for Identity monitors on-premises Active Directory by installing sensors directly on domain controllers to watch for reconnaissance, Kerberos abuse, lateral movement, and credential theft techniques like DCSync and Golden Ticket attacks. 

When used together, these ITDR solutions from Microsoft provide effective protection across the entire identity lifecycle, from initial sign-in to post-authentication activity and privilege use. 

Conclusion 

MFA remains one of the most effective defenses in cybersecurity, but attackers have shifted their focus to what happens after MFA has done its job. That’s why organizations of all sizes should take stock of what ITDR capabilities they already have access to and make sure those features are actually configured and turned on. When the necessary capabilities are lacking, they should be addressed as soon as possible, whether through a license upgrade or a third-party solution. 

If you’re not sure where you stand, we at OSIbeyond can help. We work with small and medium-sized organizations that are either already running Microsoft 365 or planning to move there. We can evaluate your current identity security posture, identify gaps in how your existing tools are configured, and implement the controls needed to detect and respond to modern identity-based attacks. Schedule a meeting with our team to get started. 
