
How LAPSUS$ Bypassed MFA and How to Prevent Similar Identity Attacks

LAPSUS$-linked breaches did not break multi-factor authentication (MFA) cryptographically. Attackers obtained valid authentication outcomes through techniques commonly described as MFA fatigue attacks or MFA bypass attacks, including push-prompt abuse, SIM swapping, social engineering, and session token replay.

Understanding how these attacks succeed helps explain where modern identity defenses must evolve.

What Is a LAPSUS$-Style MFA Bypass?

A LAPSUS$-style MFA bypass occurs when authentication factors are technically validated but attackers obtain access by manipulating identity signals before or during authentication.

Rather than defeating encryption, these attacks exploit weaknesses in identity trust, such as credential harvesting, repeated MFA prompts, telecom account hijacking, or session token theft. The result is a login that appears legitimate even though the identity journey leading to it was compromised.

What Is an MFA Fatigue Attack?

An MFA fatigue attack, sometimes called push bombing, occurs when an attacker repeatedly triggers authentication prompts until a user approves one.

The attacker already possesses valid credentials. Their objective is to overwhelm or pressure the victim into confirming a login attempt.

This technique exploits:

  • Human approval behavior

  • Notification overload

  • Limited approval context

  • Weak identity validation before authentication

It does not require breaking MFA encryption.


How Did LAPSUS$ Obtain Authenticated Access?

Public incident reports reveal consistent patterns in how attackers associated with LAPSUS$ obtained access.

Uber (2022)

Uber reported that an external contractor’s account was compromised after repeated MFA prompts were triggered (Uber security update). The attacker repeatedly attempted to log in, generating multiple two-factor authentication requests, until the contractor eventually approved one, allowing the attacker to sign in.

MFA functioned as designed, and the resulting authentication was technically valid.

Okta (2022)

Okta disclosed that an attacker gained temporary access to a customer support engineer’s laptop at a third-party provider (Okta’s investigation of the January 2022 compromise). Okta noted that support engineers could assist with password and MFA resets but could not access customer passwords or download customer databases.

The incident involved manipulation of identity workflows rather than a failure of authentication technology.

Microsoft DEV-0537 Analysis

Microsoft’s investigation into the DEV-0537 threat actor documented several recurring techniques (Microsoft Threat Intelligence Report):

  • “Simple-approval” MFA prompt abuse

  • Session token replay

  • Use or purchase of stolen credentials and tokens

In each case, authentication mechanisms validated the factors presented while attackers exploited trust assumptions surrounding them.

Why MFA Was Not the Root Failure

MFA validates authentication factors presented during login. It does not confirm whether the identity journey leading to authentication was legitimate.

For example, in reverse-proxy phishing attacks:

  1. A victim enters credentials on a cloned login page.

  2. The attacker relays those credentials to the legitimate service in real time.

  3. The victim completes MFA.

  4. The attacker captures the authenticated session token.

Authentication succeeds because the factors are valid, even though the session originated from a manipulated identity interaction.

Security reviews have also highlighted the risk of SMS-based MFA under SIM swapping scenarios, where attackers intercept one-time passcodes by porting phone numbers.

The challenge is not encryption itself but the exposure and manipulation of identity before authentication occurs.

The Identity Blind Spot Before Authentication

Most security controls evaluate risk during or after login:

  • Impossible travel alerts

  • Privilege escalation detection

  • Session anomaly monitoring

However, many identity attacks succeed earlier in the attack chain.

This exposure phase can include activity such as:

  • Lookalike domains and spoofed login pages

  • Website cloning attempts

  • Traffic arriving from suspicious or low-reputation domains

  • Developer tools activity used to inspect or replicate login pages

  • Credential harvesting on impersonation assets

When attackers succeed during exposure, MFA can end up validating a login that has already been compromised.

This is the stage where many account takeover attacks begin, long before traditional fraud or SOC controls detect suspicious activity.

Attack Techniques vs Required Control Layers

The table below summarizes how LAPSUS$-style identity attacks exploit gaps before authentication trust is fully established.

Attack Technique                     | Identity Gap Exploited         | Required Control Layer (Before or During Authentication)
-------------------------------------|--------------------------------|------------------------------------------------------------------------------------
MFA Prompt Abuse                     | Human approval trust           | Suspicious login pattern detection, abnormal approval correlation
SIM Swap                             | Telecom identity hijack        | Geo-location based anomaly detection, device continuity validation
Phishing Credential Harvesting       | Impersonation assets           | Website cloning detection, spoofed domain detection, real-time phishing site warnings
Session Token Replay                 | Session trust assumption       | Suspicious login pattern detection, unknown device login detection
Support Workflow Social Engineering  | Recovery process manipulation  | Strong identity verification procedures, suspicious login correlation

Defending against these techniques requires detecting identity manipulation before authentication trust is granted and identifying abnormal session behavior when attackers reuse valid authentication outcomes.

How to Prevent MFA Fatigue and Other MFA Bypass Attacks

Security teams can reduce risk by extending identity visibility earlier in the attack lifecycle.

Detect Impersonation Infrastructure Early

Website cloning detection and spoofed domain detection help identify fake login pages before credentials are harvested.

Core website protections, including detection of suspicious hostnames and low-reputation referrals, reduce silent exposure.

SEO poisoning defense can also prevent fraudulent domains from appearing in search results.

Monitor Suspicious Login Patterns

Suspicious login pattern detection identifies abnormal approval behavior, including repeated authentication prompts or correlated login attempts.

Unknown device login detection flags access attempts originating from previously unseen devices after phishing exposure.

These signals help detect approval abuse before escalation.
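As an added illustration (example code written for this post, not Memcyco's product logic), the two signals above can be expressed as detection rules over MFA push logs: a burst of prompts followed by an approval is the push-bombing pattern, and an approval from a device absent from the user's inventory is an unknown-device login. The log lines, field layout and device inventory are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical; not from any real incident):
# ISO timestamp, user, push event, id of the device that requested the login
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice push_sent dev-9f1
2024-05-01T02:10:30Z alice push_denied dev-9f1
2024-05-01T02:11:02Z alice push_sent dev-9f1
2024-05-01T02:11:20Z alice push_timeout dev-9f1
2024-05-01T02:12:15Z alice push_sent dev-9f1
2024-05-01T02:12:44Z alice push_sent dev-9f1
2024-05-01T02:13:01Z alice push_approved dev-9f1
2024-05-01T09:00:00Z bob push_sent dev-c02
2024-05-01T09:00:12Z bob push_approved dev-c02
"""

# Assumed device inventory: devices each user has previously logged in from
KNOWN_DEVICES = {"alice": {"dev-a11"}, "bob": {"dev-c02"}}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, event, device = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "event": event, "device": device})
    return events

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag approvals preceded by >= threshold prompts inside `window`:
    many prompts in a short period, then one approval, is push bombing."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        for e in evs:
            if e["event"] != "push_approved":
                continue
            recent = [t for t in sent if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= threshold:
                alerts.append({"user": user, "prompts": len(recent),
                               "approved_at": e["ts"], "device": e["device"]})
    return alerts

def detect_unknown_device(events, known=KNOWN_DEVICES):
    """Flag approvals coming from a device not in the user's inventory."""
    return [e for e in events if e["event"] == "push_approved"
            and e["device"] not in known.get(e["user"], set())]
```

Correlating both hits on the same user and device (as alice shows here) is a stronger signal than either rule alone, since a legitimate user who merely fumbled a prompt usually approves from a known device.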

Validate Device and Location Continuity

Geo-location based anomaly detection identifies impossible travel scenarios or remote account takeover attempts.

Device continuity monitoring ensures that newly interacting devices receive appropriate scrutiny when accessing sensitive accounts.

Use Decoy Credentials to Detect Harvesting

Decoy credential injection replaces credentials entered on phishing sites with traceable decoy data.

If attackers attempt to reuse those credentials, detection occurs immediately. This transforms credential theft from a silent compromise into observable activity.

Warn Users When They Reach Spoofed Sites

Real-time phishing site warnings notify users when they land on detected spoofed domains.

This reduces successful credential harvesting and lowers the likelihood of MFA prompt abuse.

Close the Identity Blind Spot Before Login

MFA validates authentication factors but does not verify whether the identity journey leading to authentication was legitimate.

Memcyco extends protection into the stage attackers rely on most: the period between impersonation and authentication.

Security teams use Memcyco to:

  • Detect website cloning attempts in real time

  • Identify traffic from suspicious or low-reputation domains

  • Correlate suspicious login patterns before escalation

  • Detect stolen or decoyed credentials in use

  • Warn users when interacting with spoofed domains

If your defenses begin at the login prompt, a significant portion of the attack lifecycle may remain invisible.

Schedule a product demo and discover why global enterprises choose Memcyco over alternatives.
FAQs

What is an MFA fatigue attack?

An MFA fatigue attack involves sending repeated authentication prompts until a user approves one. The attack exploits user behavior rather than breaking authentication cryptography.

How did LAPSUS$ bypass MFA?

LAPSUS$-linked incidents involved credential compromise, MFA prompt abuse, session token replay, and social engineering. Authentication factors were validated, but the identity processes surrounding them were manipulated.

Can MFA stop reverse-proxy phishing attacks?

No. In reverse-proxy attacks, credentials and MFA responses can be relayed in real time, allowing attackers to capture session tokens even when MFA is enabled.

Is SMS-based MFA secure?

SMS-based MFA can be vulnerable to SIM swapping, where attackers transfer a phone number to a different device and intercept authentication codes.

What is the most effective way to prevent MFA bypass attacks?

The most effective strategy combines impersonation infrastructure detection, suspicious login pattern detection, device continuity validation, decoy credential detection, and real-time phishing site warnings before authentication trust is granted.

Julian Agudelo

Head of Content Marketing