8 ways MFA fails, and what to do about it

Morey Haber, Chief Security Advisor, BeyondTrust, warns MFA is no longer foolproof, detailing eight common attack methods and urging organizations to strengthen authentication with phishing-resistant tools, vigilant monitoring, and robust identity-security practices.

The United Arab Emirates (UAE) remains a high-priority target for cyber-threat actors. According to 2025 figures from the UAE Cyber Security Council, more than 223,800 digital assets in the UAE are vulnerable to attack, and half of all critical vulnerabilities have remained unaddressed for more than five years. This is particularly alarming as the authority also noted a 58% increase in the number of ransomware groups active in the country.

Digital businesses in the UAE are subject to the same challenges that plague other countries around the world. They also have access to the same solutions, but they differ in that they operate in a nation with a stellar reputation for being among the first to adopt emerging technologies. In cybersecurity, once upon a time, MFA (multifactor authentication) was such a technology. Its reputation as the silver bullet that could stop credential-based attacks (password spraying, credential stuffing, and single-factor credential compromise, for example) in their tracks propelled it into the mainstream. But MFA has since fallen into disrepute, as threat actors have found ways to circumvent its protections.

I often repeat the industry mantra: “Why hack in when you can log in?” From airlines to software vendors, we repeatedly see victims of these logins in the headlines. While having MFA is certainly better than not having it, modern enterprises can no longer treat it as a “checkbox” security requirement. Rather, MFA has become a mandate in its own right, with its own due diligence and best practices. We begin with some of the most common abuses of MFA systems.

MFA fatigue attacks
The fatigue attack is simple yet effective. Spam a user with a steady flow of push notifications until they, through accident or irritation, finally approve the request. The 2022 breach of Uber used this approach on a contractor. Microsoft and Cisco have also fallen prey to it.

Real-time MFA phishing
Adversary-in-the-middle (AiTM) toolkits such as Evilginx and Modlishka allow attackers to set up proxies between users and genuine services. Threat actors can then capture credentials and MFA codes on watering-hole websites or through infostealers. They may even seize the session token, which gives them credential-free access until the token expires.

SMS and MFA SIM-swapping
Many users who have been exposed to MFA will have experienced it through SMS, which is the weakest form of MFA. Indeed, many governments strongly advise against the use of SMS-based MFA. By mimicking a cellphone tower using Stingray technology, attackers can clone cell numbers, or they can convince carriers to migrate the number to a new SIM in the attacker’s possession – a SIM swap. Either way, SMS-based codes can be intercepted, allowing the attacker to reset passwords and compromise every service account associated with the device.

Infostealers
Raccoon Stealer, RedLine, and Lumma are examples of infostealers – malware that deploys a range of payloads, such as malicious browser extensions, with a single purpose: to seek out and steal sensitive information such as one-time passcodes, secrets, session cookies, and even MFA tokens held in memory after authentication. If those tokens are not properly protected, then a browser that automatically logs users in is protected by MFA only at the first logon.

Social engineering
Perhaps the easiest way around MFA does not involve technology at all. Threat actors can simply call the helpdesk and con a human agent into resetting a device or password, or into disabling MFA outright. They may even use stories of lost or stolen devices. The Lapsus$ group is reported to have used this approach knowing only basic facts about an employee. Strict reverification procedures are required to prevent MFA systems from being compromised in this way.

OAuth attacks
OAuth allows users to grant applications access to data and systems without exposing their username or password. If a nefarious entity, such as an infostealer, were to ask for access and the user were to grant it manually, they would create the so-called “confused deputy problem”, where an unauthorized process co-opts an authorized one to gain access that should never have been granted in the first place. The problem may persist if the user is duped into granting persistent access, because OAuth tokens are long-lived, refreshable, and designed to avoid repeated reauthentication. Not even MFA can defend against OAuth abuse.

Legacy authentication
Some systems, such as legacy email and VPN protocols (IMAP, SMTP, PPTP, etc.), require add-ons to support MFA. Threat actors exploit this by going after exposed services with stolen, single-factor credentials, since those services are simply not MFA-enabled.

Biometric spoofing
With the rise of AI, fingerprints, deepfake voices, and even faces can be cloned well enough to fool MFA solutions. Such attacks have not yet been seen frequently in the wild, but examples have been recorded. High-value targets and regions such as the GCC, where attackers’ potential rewards are higher, should be prepared for these emerging methods.

What to do?
When tackling the now-imperfect nature of MFA, it is important not to abandon it altogether. It has rightly taken its place among industry best practices, but its inclusion can no longer be considered sufficient on its own. Today, MFA should be phishing-resistant; FIDO2/WebAuthn hardware tokens or passkeys can help here. Organizations can also block access from untrusted devices, geographies, and legacy protocols. Session tokens should be rotated frequently, and anomalous session activity should be relentlessly tracked. Reauthentication should be forced when necessary, especially for any change in privileged roles.
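As an added illustration (not code from the article or from BeyondTrust) of the monitoring advice above, the following script runs three checks over constructed authentication log lines: the push-prompt flood that characterises the fatigue attack described earlier, successful logins over the legacy protocols that carry no MFA challenge, and a session token presented from more than one source IP. The log format, event names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines (not from any real system): ts user event protocol source_ip
SAMPLE_LOGS = """\
2025-03-01T09:00:01Z alice mfa_push_sent web 203.0.113.10
2025-03-01T09:00:20Z alice mfa_push_sent web 203.0.113.10
2025-03-01T09:00:41Z alice mfa_push_sent web 203.0.113.10
2025-03-01T09:01:30Z alice mfa_push_approved web 203.0.113.10
2025-03-01T09:05:00Z bob login_success imap 198.51.100.7
2025-03-01T09:06:00Z carol session_used web 203.0.113.10
2025-03-01T09:07:00Z carol session_used web 192.0.2.44
"""
LEGACY_PROTOCOLS = {"imap", "smtp", "pop3", "pptp"}  # single-factor protocols named in the article
PUSH_THRESHOLD = 3                   # this many prompts ...
PUSH_WINDOW = timedelta(minutes=2)   # ... inside this window looks like a fatigue attack
def parse(lines):
    """Whitespace-separated log lines -> (ts, user, event, proto, ip) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, event, proto, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, proto, ip))
    return events

def find_push_fatigue(events):
    """Users who received PUSH_THRESHOLD or more push prompts within PUSH_WINDOW."""
    by_user = defaultdict(list)
    for ts, user, event, _, _ in events:
        if event == "mfa_push_sent":
            by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - PUSH_THRESHOLD + 1):  # sliding window of prompts
            if times[i + PUSH_THRESHOLD - 1] - times[i] <= PUSH_WINDOW:
                flagged.add(user)
                break
    return flagged

def find_legacy_logins(events):
    """Successful logins over protocols that cannot carry an MFA challenge."""
    return {(user, proto) for _, user, event, proto, _ in events
            if event == "login_success" and proto in LEGACY_PROTOCOLS}

def find_session_ip_changes(events):
    """Users whose session token was presented from more than one source IP."""
    ips = defaultdict(set)
    for _, user, event, _, ip in events:
        if event == "session_used":
            ips[user].add(ip)
    return {user for user, seen in ips.items() if len(seen) > 1}
```

On the sample data the checks flag alice (push flood), bob (IMAP login without MFA) and carol (session reused from a second IP); in production the thresholds would be tuned to the organisation's own prompt volumes and network layout.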

Users must be made aware of the limitations of MFA regularly (not just annually) through security-awareness training. This includes support staff, who must be trained never to rely on caller information alone. Modern authentication protocols such as OAuth2 or SAML must be implemented alongside a trusted identity-security solution that can detect MFA compromise.

MFA is still a critical element of a modern security posture, but only if executed with due consideration of modern challenges. Without accounting for all the vectors described here, organizations invite the threat actor not to hack in but to log in. UAE enterprises owe it to themselves to ensure that, if they are targeted, their would-be assailants find it as difficult as possible to breach the organization.