Lock It Down: Why MFA Isn’t Optional Anymore

July 9, 2025

By Mackenzie Gryder, with Ben Taylor

This blog is part of Gate 15’s Summer of Security: Ransomware Resilience Series, highlighting the essential considerations for organizational leaders and cybersecurity professionals.


Introduction: 

Multi-Factor Authentication (MFA) is one of the simplest and most effective tools to stop attackers from walking through your digital front door. Implementing MFA across all systems reduces the risk of unauthorized access, making it more difficult for attackers to gain control of sensitive accounts. It’s a simple yet highly effective defense against credential-based attacks often used in ransomware incidents. Before we go further, it’s important to review the various types of MFA solutions.

Types of multi-factor authentication:

Least Secure Types of MFA:

  • SMS-Based MFA: 
    • How it works: Sends a one-time code to your phone via message. 
    • Pros: Convenient and widely supported.
  • Email-Based MFA:
    • How it works: Sends a one-time code to your email account.
    • Pros: Easy to implement, often used as a backup.

More Secure Types of MFA:

  • Authenticator App (TOTP):
    • How it works: Generates a time-based one-time passcode using apps like Google Authenticator, Authy, or 1Password.
    • Pros: Doesn’t rely on cellular networks, resistant to SIM swaps.
  • Push Notification-Based MFA:
    • How it works: Sends a prompt to your trusted device to approve or deny login attempts.
    • Pros: Fast, convenient, reduces the risk of mistyping codes.
  • Biometric MFA:
    • How it works: Uses fingerprints, facial recognition, or iris scans.
    • Pros: Relies on something you are, making it difficult to steal.

Most Secure Types of MFA:

  • Hardware Security Keys:
    • How it works: Physical devices that plug into your device or use NFC to authenticate.
    • Pros: Strong phishing resistance, no codes to enter, prevents credential theft.
  • FIDO2/WebAuthn Passwordless MFA:
    • How it works: Uses public key cryptography for authentication, eliminating passwords entirely.
    • Pros: Strongest available protection against phishing, man-in-the-middle, and credential theft attacks.
    • Examples: Windows Hello, Apple Face ID/Touch ID, security keys using FIDO2/WebAuthn.

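The authenticator-app (TOTP) entry above says the code is generated from time alone. The following added example (not code from the original post) implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, using the shared secret from the RFC test vectors, and shows the verifier side with clock-drift tolerance and one-time acceptance of each code; the function names and the `last_counter` bookkeeping are this example's own design.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Shared secret from the RFC 6238 test vectors (ASCII "1234567890" twice).
# In practice it is provisioned once, e.g. via the enrollment QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. Only the secret and a clock are needed, so no network
    (cellular or otherwise) is involved in producing the code."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, last_counter: int = -1,
                at: Optional[float] = None, step: int = 30,
                window: int = 1, digits: int = 6) -> Tuple[bool, int]:
    """Server-side check. Accepts `code` if it matches the current interval or one
    within +/- `window` intervals (clock drift), and only if that interval is newer
    than `last_counter`, so a code is accepted once: a phished code that the victim
    already used cannot be replayed. Returns (accepted, counter_to_store)."""
    if at is None:
        at = time.time()
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older than the last accepted code)
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter
```

Persist the returned counter per user; an attacker who intercepts a code learns nothing about the secret, but the replay check is what stops reuse of the code itself.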
Why MFA matters in the ransomware threat landscape:

MFA is no longer a luxury or an advanced security option; it’s a baseline requirement in today’s threat landscape. With 86% of data breaches involving stolen credentials, MFA adds a vital layer of defense that makes unauthorized access far more difficult. Even when passwords are stolen or phished, MFA can block an attack from escalating into a full-scale breach.

Real-world examples demonstrate how the absence of MFA can have severe consequences. In the Colonial Pipeline ransomware attack in 2021, hackers gained access through a single compromised VPN account that did not have MFA enabled, leading to widespread fuel shortages across the U.S. East Coast. Similarly, in 2022, LastPass confirmed that an attacker used credentials stolen from a developer’s personal device to access sensitive cloud backups; MFA was not enforced on the cloud storage environment, allowing the breach to occur.

These incidents reflect a recurring pattern: attackers exploit the weakest link, and unprotected login credentials are consistently that point of failure. MFA is one of the most effective and accessible ways to close that vulnerability.

Common excuses vs harsh realities:

Some organizations still fall back on common excuses to delay or avoid implementing MFA, often citing reasons such as cost, user inconvenience, or a belief that their existing security measures are good enough. Others assume that small or mid-sized businesses aren’t likely targets; however, these assumptions are dangerously outdated.

As we demonstrated earlier, not all MFA is created equal, and the harsh reality is that threat actors continue to evolve to defeat MFA solutions. A campaign by Russia-linked UNC6293 targeted high-profile academics by posing as U.S. State Department officials, coaxing victims into generating Google app-specific passwords (ASPs), thereby bypassing MFA entirely and granting persistent email access. Earlier this year, Microsoft reported on a campaign by Storm-2372 in which the threat actor used a phishing technique called “device code phishing” that tricked users into logging in to productivity apps while Storm-2372 actors captured the resulting login tokens, which were then used to access the compromised accounts. These examples highlight the sophistication of threat actors. In today’s threat landscape, failing to implement strong, phishing-resistant MFA could have major consequences.

Implementing MFA across your organization:

Implementing MFA effectively requires aligning usability with strong security to reduce risk without creating unnecessary friction for users.

  1. Obtain leadership buy-in. Be ready to make the business case by showcasing the cost of a successful network breach, and frame MFA as an essential risk mitigation strategy for the entire organization.
  2. Use the strongest MFA methods possible, where appropriate. Consider risk-based MFA, which can dynamically adjust authentication requirements based on context such as user location, device, or behavior. It may make sense to prioritize phishing-resistant MFA such as hardware security keys or passkeys over SMS- or email-based MFA for critical accounts and the most sensitive systems, and to offer other MFA solutions in other areas of the network.
  3. Enforce MFA across all critical accounts. MFA should be applied to all privileged accounts, remote access, VPNs, email systems, and cloud services to close common entry points for attackers.
  4. Educate users on MFA security. Demonstrate the ease of use of modern MFA solutions. Train employees to recognize and avoid MFA fatigue attacks (e.g. repeated push notifications) and phishing attempts that trick them into revealing one-time codes.
  5. Monitor and manage MFA enrollments. Require user identity verification before MFA registration or device changes to prevent attackers from hijacking accounts during enrollment processes.
  6. Regularly review MFA logs and alerts. Enable alerting on suspicious MFA activity, such as repeated failed attempts or unusual login locations, to detect and respond to potential breaches early.
  7. Implement fallback securely. Use secure backup methods, such as backup hardware tokens or securely managed recovery codes, instead of falling back to SMS or email, and train the help desk to verify identity rigorously before resetting MFA.

MFA Bypass Trends:

Threat actor groups are increasingly leveraging advanced techniques to bypass MFA, exploiting both human behavior and technical loopholes. One prominent method is MFA fatigue, also known as prompt bombing, where attackers flood a user’s device with repeated MFA push notifications. The goal is to wear down the user into approving a login request out of frustration or confusion, often during busy hours when such notifications may be misinterpreted as legitimate. In Uber’s 2022 incident, the Lapsus$ group used an MFA fatigue tactic, bombarding a contractor with push notifications until one was unwittingly approved. That approval allowed the adversary to enroll a rogue device and breach the system, exposing sensitive internal data and prompting calls for upgraded MFA measures like FIDO2 security keys and tighter authentication controls across sectors.
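Step 6 of the implementation list (review MFA logs for repeated attempts) and the prompt-bombing pattern described above both come down to the same detection: a burst of push prompts to one user, with an approval arriving only after denials or timeouts. The following added example (not code from the original post, and not tied to any specific MFA product) runs that logic over a constructed push-notification log; the log format, field names, thresholds and severity labels are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real product):
# timestamp, user, event, result, country.
SAMPLE_LOG = """\
2025-07-09T02:10:01Z jdoe push_sent denied RO
2025-07-09T02:10:35Z jdoe push_sent denied RO
2025-07-09T02:11:02Z jdoe push_sent denied RO
2025-07-09T02:11:40Z jdoe push_sent timeout RO
2025-07-09T02:12:15Z jdoe push_sent approved RO
2025-07-09T08:00:10Z asmith push_sent approved US
2025-07-09T08:30:12Z asmith push_sent approved US
2025-07-09T09:15:00Z asmith password_ok - US
"""


def parse_line(line):
    ts, user, event, result, country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "country": country}


def find_push_bombing(lines, window=timedelta(minutes=10), threshold=4):
    """Flag each user who received at least `threshold` push prompts inside `window`.
    An approval that follows a denial or timeout in the same burst is the signature
    of a successful fatigue attack and is rated high; a burst with no such approval
    is still worth a look and is rated medium."""
    by_user = defaultdict(list)
    for entry in map(parse_line, lines):
        if entry["event"] == "push_sent":
            by_user[entry["user"]].append(entry)
    alerts = []
    for user, prompts in by_user.items():
        prompts.sort(key=lambda p: p["ts"])
        for i, first in enumerate(prompts):
            burst = [p for p in prompts[i:] if p["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            results = [p["result"] for p in burst]
            first_refusal = next((k for k, r in enumerate(results) if r != "approved"), None)
            approved_after = first_refusal is not None and "approved" in results[first_refusal + 1:]
            alerts.append({"user": user, "start": first["ts"].isoformat(),
                           "prompts": len(burst), "refusals": sum(r != "approved" for r in results),
                           "severity": "high" if approved_after else "medium"})
            break  # one alert per user is enough for this example
    return alerts


ALERTS = find_push_bombing(SAMPLE_LOG.splitlines())
```

A high-severity hit is the point at which the help-desk verification from step 7 and a review of newly enrolled devices (step 5) should kick in for that account.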

In parallel, adversary-in-the-middle (AiTM) phishing kits like EvilProxy, Evilginx2, and Tycoon 2FA are becoming more sophisticated. These toolkits capture login credentials, MFA tokens, and session cookies in real time by impersonating legitimate login flows through a proxy. By offering these kits as phishing-as-a-service (PhaaS), cybercriminals can now launch effective MFA bypass attacks with minimal technical skills.

Finally, classic techniques such as SIM swapping and SMS interception continue to pose a threat. Attackers hijack a victim’s phone number to receive SMS-based authentication codes, which remains a risk for users relying on less secure MFA methods. These evolving strategies highlight the growing need for phishing-resistant MFA solutions, such as FIDO2 security keys and passkeys, which are less susceptible to interception or social engineering.

Conclusion: 

In today’s ransomware-heavy threat landscape, MFA is no longer optional. While attackers continue to develop new methods to bypass MFA, the absence of strong, phishing-resistant MFA remains a consistent and easily exploited vulnerability. Organizations are encouraged to evaluate their risks and identify MFA solutions that will meet their needs. By embracing MFA alongside user education and continuous monitoring, organizations can significantly reduce the likelihood of ransomware incidents and credential-based breaches. Security leaders should prioritize MFA as a core element of organizational resilience, locking down digital access before attackers find the next weakest link.

Insights from our Weekly Ransomware Report.

Each week we publish our Weekly Ransomware Report (along with other all-hazards reports) through Gate 15’s Resilience and Intelligence Portal (GRIP). Contact us if you are interested in receiving the full report. Highlights from this week include:

  • Most Active Threat Actors (victim number): SAFEPAY (15), Payouts King (12), and PLAY (5)
  • Data Leaked Silverdale Baptist Church, Religious Institutions, United States, First seen: 2025-07-07 20:49:04 UTC
  • Update: Data Leaked Metric Storage Systems, Retail Office Equipment, Canada, First seen: 2025-07-03 14:49:12 UTC
  • Update: Data Leaked Arch-Con Corp., Real Estate, United States, First seen: 2025-07-07 18:24:13 UTC

Coming Up Next: “Digital Firebreaks: Network Segmentation for Containment.”

Network segmentation involves dividing a network into smaller, isolated subnetworks to limit the spread of malware. By segmenting critical systems from less sensitive areas, organizations can contain a breach and prevent it from affecting the entire network. This strategy minimizes potential damage and aids in faster recovery by restricting ransomware’s ability to move laterally across systems.


Gate 15 has worked across the Critical Infrastructure environment to develop cybersecurity plans and tabletop exercises for trade associations and owner/operators. We are pleased to offer 10% off ransomware exercises to new clients that are booked before 30 September 2025. Send out an email and mention this blog, and let’s discuss how to boost your organizational resilience together.


Join the GRIP! Stay informed of what’s new in all-hazards homeland security by joining Gate 15’s Resilience and Intelligence Portal (GRIP). Join the GRIP! and join us in securing America’s people, places, data, and dollars. To join the GRIP, click the link above or here, scroll down and select the “Join the Grip!” button, or email our team at Gate15@Gate15.global.


The GRIP is one year old and to celebrate, we’re running an anniversary sale!!

Join the GRIP in July and use promo code HOTJULY2025 to receive a 20% discount!


