
That MFA You Trust? Hackers Can Now Bypass It. Here's How.

Security Awareness & Human Factors

For years, cybersecurity experts have told you that enabling Multi-Factor Authentication (MFA) is the single most effective step to secure your business accounts. You listened. You enabled it across your Microsoft 365 environment — for email, SharePoint, Teams, and OneDrive. You see the prompt, you approve it, and you feel secure.

A new, widespread phishing attack has found a way to exploit that feeling of security — bypassing your MFA entirely and gaining persistent, silent access to your accounts. This article explains exactly how it works, what it means for your Irish business, and the specific steps you need to take to defend against it.


What Is an MFA Bypass Attack?

This attack is clever because it doesn't try to crack your password or intercept your MFA code. Instead, it tricks you into handing the attacker a long-lasting key to your account — one that doesn't require a password or MFA code to use again.

The technique is known as consent phishing or, in technical terms, an illicit consent grant attack. It exploits the way Microsoft 365 (and other cloud platforms) allow third-party applications to connect to your account with your permission.

Here is how it unfolds, step by step:

  1. The bait. You or a staff member receive a convincing email. It might look like a shared file notification, an invoice, a voicemail alert, or a bonus document. The branding looks right. The sender looks legitimate.

  2. The click. The link takes you to what appears to be a genuine Microsoft sign-in page. You enter your username and password.

  3. The MFA prompt — the twist. After entering your password, you receive a normal MFA prompt on your phone, just as you always do. You approve it.

  4. The real trap. Immediately after approving the MFA, a new screen appears. This one is the crucial step. It is a Microsoft permissions page asking you to grant access to a new application — something innocuous-sounding like "Office365 Sync" or "Mail-archive". Because you just completed a legitimate-seeming login, you click "Accept".

That click is the moment the breach occurs. You have just granted the attacker's malicious application an OAuth access token — a persistent digital key that allows their app to read your mailbox, access your OneDrive files, browse your SharePoint documents, and monitor your Teams conversations. They do not need your password again. They do not need another MFA code. They are simply in, and they can stay in indefinitely.

This is a fundamentally different kind of attack from the phishing and social engineering attempts your team has been trained to spot. There is no suspicious attachment. No obvious red flag. The attacker is exploiting the legitimate permissions infrastructure built into Microsoft 365 itself.


Why This Is Particularly Dangerous for Irish SMEs

Once an attacker has this persistent access, they don't need to be technically sophisticated to cause serious damage. They can sit quietly in the background, monitoring your email and files, waiting for the right moment.

Consequence, and what it looks like in practice:

  Invoice and payment fraud: The attacker monitors your sent items. They see you email an invoice to a client. They send a follow-up from your account: "Apologies, we've had a bank issue — please use these new details." The client pays the attacker. You lose the revenue and the client relationship.

  GDPR data breach: The attacker downloads sensitive client data, employee records, and financial reports. Under GDPR, you must notify the Data Protection Commission (DPC) within 72 hours. Reputational damage and potential fines follow.

  Internal phishing and supply chain attacks: The attacker uses your trusted email account to send malicious links to your staff, clients, and suppliers. Because the email comes from a legitimate source, people are far more likely to click — spreading the breach across your entire business network.

This last consequence is particularly serious. A compromised email account at one Irish SME can become the launchpad for Business Email Compromise (BEC) attacks against every organisation in your contact list. The trust your clients and suppliers place in your email address becomes a weapon.




How to Protect Your Business: A Prioritised Action Plan

Protecting against this threat does not require a large IT budget. It requires specific, deliberate action across three areas: your people, your Microsoft 365 settings, and your broader access controls.

1. Educate Your Team — This Week (Priority: Critical)

This is the most important step, and it costs nothing. Explain this specific attack to your staff. The key message is simple: no legitimate process will ever ask you to approve an unexpected application permission request.

If any team member sees a screen asking for consent for a new app they don't recognise — particularly after a login — they must stop immediately and report it to you or your IT provider before clicking anything.

This kind of targeted awareness is exactly what phishing protection training is designed to address. The psychology behind why smart people click bad links is well-documented: attackers exploit the momentum of a legitimate-seeming process to lower your guard at the critical moment. Understanding this mechanism is the first line of defence.

For a structured approach to building this awareness across your whole team, see our guide to building a human firewall through security awareness training.

2. Audit Your Microsoft 365 Application Permissions (Priority: High)

Right now, you may have no idea which applications have been granted access to your company's Microsoft 365 data. An IT administrator can review this in the Microsoft Entra admin centre (formerly Azure Active Directory).

Look for any unfamiliar or suspicious application names. Revoke permissions for anything you don't recognise. This is also a good time to review the broader principle of Least Privilege — ensuring that every user and every application has access only to what it genuinely needs, and nothing more.
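An added example (not code from the original article) that puts the audit in this section, and step 4 of the attack flow above, into working code: it takes the record shapes Microsoft Graph returns for service principals and OAuth2 permission grants, flags any grant carrying the mailbox, file, SharePoint, Teams or offline_access scopes that give a third-party app the reach described earlier, and decodes the scope parameter of a consent URL so you can see what a prompt would actually hand over. The service principals, grants and URL are constructed samples, and the list of "high-impact" scopes is this example's own judgement, not a Microsoft-defined category.

```python
"""Audit OAuth consent grants for the high-impact permissions this attack relies on.

The record shapes follow Microsoft Graph's /servicePrincipals and
/oauth2PermissionGrants objects; the records themselves are constructed samples,
not data from a real tenant.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Delegated scopes that give an app the reach described in the article:
# mailbox, OneDrive/SharePoint files, Teams chat. offline_access is what turns
# a one-off sign-in into a refresh token that keeps working without the user.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Chat.Read", "Chat.ReadWrite", "Contacts.Read", "offline_access",
}

SERVICE_PRINCIPALS = [  # constructed samples
    {"id": "sp-1", "appId": "app-1", "displayName": "Office365 Sync",
     "verifiedPublisher": {"displayName": None}, "createdDateTime": "2024-05-02T09:14:00Z"},
    {"id": "sp-2", "appId": "app-2", "displayName": "Contoso Expenses",
     "verifiedPublisher": {"displayName": "Contoso Ltd"}, "createdDateTime": "2022-01-10T11:00:00Z"},
]

GRANTS = [  # constructed samples
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph-sp", "scope": "openid profile offline_access Mail.Read Files.ReadWrite.All"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read"},
]


@dataclass
class Finding:
    grant_id: str
    app_name: str
    risky_scopes: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def risky_scopes(scope_string):
    """Return the high-impact scopes found in a space-separated scope string."""
    return sorted(s for s in scope_string.split() if s in HIGH_IMPACT_SCOPES)


def audit_grants(grants, service_principals):
    """One Finding per grant that carries a high-impact scope, with the reasons it stands out."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        risky = risky_scopes(grant.get("scope", ""))
        if not risky:
            continue
        sp = by_id.get(grant["clientId"], {})
        reasons = []
        if not (sp.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("publisher is not verified")
        if grant.get("consentType") == "Principal":
            reasons.append("consent was granted by an individual user, not an administrator")
        if "offline_access" in risky:
            reasons.append("offline_access: the app holds a refresh token that outlives the session")
        findings.append(Finding(grant["id"], sp.get("displayName", grant["clientId"]), risky, reasons))
    return findings


def scopes_in_consent_url(url):
    """Decode the scope parameter of an authorize/consent URL to see what step 4 would grant."""
    query = parse_qs(urlparse(url).query)
    return risky_scopes(" ".join(query.get("scope", [])))


if __name__ == "__main__":
    for f in audit_grants(GRANTS, SERVICE_PRINCIPALS):
        print(f"{f.app_name} (grant {f.grant_id}): {', '.join(f.risky_scopes)}")
        for r in f.reasons:
            print(f"  - {r}")
    # Constructed URL, shaped like a Microsoft identity platform authorize request.
    print(scopes_in_consent_url(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=app-1&response_type=code&scope=openid+offline_access+Mail.Read"
        "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb"))
```

In practice you would feed `audit_grants` the JSON from a Graph listing of your tenant's service principals and permission grants; the combination it highlights (an unverified publisher, consent given by a single user rather than an administrator, and offline_access alongside mailbox or file scopes) is exactly the footprint the attack described above leaves behind, and each such grant is a candidate for removal.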

For a comprehensive guide to locking down your Microsoft 365 environment, see Securing Your Microsoft 365 Environment: A Guide for Irish SMEs. It covers application permissions, conditional access, and the admin settings that make the biggest difference.

3. Restrict User Consent for Third-Party Applications (Priority: High)

Microsoft 365 has a built-in setting that can dramatically reduce this risk: you can disable the ability for non-administrators to grant consent to new applications entirely. This means any new app requesting access to company data must be explicitly approved by an administrator — not by any individual staff member who happens to click a link.

This is a single configuration change in the Microsoft Entra admin centre, but it closes the door on this entire class of attack. If you are not comfortable making this change yourself, it is a specific and manageable task to ask an external IT support provider to complete.
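For an administrator who prefers to check and change this setting programmatically rather than through the admin centre, here is an added example (not from the original article) that evaluates the tenant's authorization policy as Microsoft Graph returns it and produces the PATCH body that turns user consent off. The weak policy object is a constructed sample; the endpoint and the two built-in permission grant policy IDs are the ones Microsoft Graph uses for this setting.

```python
"""Evaluate and harden the tenant-wide user consent setting.

Works on the JSON that Microsoft Graph returns for
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy.
The policy objects below are constructed samples; the fix is expressed as the
PATCH body you would send back to the same endpoint.
"""
import json

AUTHZ_POLICY_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Built-in permission grant policy IDs as they appear in Graph.
LEGACY_ANY_APP = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
LOW_RISK_VERIFIED = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

WEAK_POLICY = {  # constructed sample: users may consent to any app
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [LEGACY_ANY_APP],
    },
}

HARDENED_POLICY = {  # constructed sample: only administrators can consent
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [],
    },
}


def assigned_policies(policy):
    return policy["defaultUserRolePermissions"].get("permissionGrantPoliciesAssigned", [])


def assess_user_consent(policy):
    """'open' means any user can approve any app, which is what the attack needs."""
    assigned = assigned_policies(policy)
    if LEGACY_ANY_APP in assigned:
        return "open"
    if assigned:
        return "limited"  # e.g. low-risk permissions from verified publishers only
    return "admin-only"


def hardening_patch(policy, allow_low_risk_verified=False):
    """Return (current status, PATCH body) moving the tenant to admin-only consent.

    With allow_low_risk_verified=True the body keeps the built-in 'low risk,
    verified publisher' policy instead of removing user consent entirely.
    The body is None when the tenant is already where you want it.
    """
    status = assess_user_consent(policy)
    target = [LOW_RISK_VERIFIED] if allow_low_risk_verified else []
    if assigned_policies(policy) == target:
        return status, None
    body = {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": target}}
    return status, body


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        status, body = hardening_patch(pol)
        print(f"{label}: user consent is {status}")
        if body:
            print(f"  PATCH {AUTHZ_POLICY_URL}")
            print("  " + json.dumps(body))
```

Sending the generated body as a PATCH to the authorization policy endpoint (with an account holding the appropriate Entra administrator role) is the programmatic equivalent of the single admin-centre change described above; once applied, a consent screen like the one in step 4 of the attack can no longer be approved by an ordinary user.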

4. Implement Conditional Access Policies (Priority: Medium)

Conditional Access is a set of rules that can block or challenge sign-ins based on context — for example, flagging logins from unfamiliar locations, unmanaged devices, or unusual times of day. It is a core component of a Zero Trust security model, which operates on the principle of "never trust, always verify."

For Irish SMEs running Microsoft 365, Conditional Access is available on Microsoft 365 Business Premium and above. Our guide to Zero Trust for Small Businesses explains how to implement these principles without a large IT team or budget.

5. Strengthen Your Email Security (Priority: Medium)

While this specific attack exploits OAuth permissions rather than email spoofing, a strong email security baseline makes it harder for attackers to reach your staff with convincing phishing emails in the first place. Ensuring your domain has DMARC, DKIM, and SPF records correctly configured prevents attackers from impersonating your domain in emails to your clients and suppliers.

See Email Security Beyond Spam Filters: DMARC, DKIM, and SPF Explained for a step-by-step guide to implementing these controls.
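An added example (not from the original article or the linked guide) that checks SPF and DMARC TXT records for the misconfigurations that leave a domain spoofable: an SPF record that does not end in `-all` or `~all`, and a DMARC record that only monitors (`p=none`) or sends no reports. The records for example.ie are constructed samples rather than real DNS lookups, and DKIM is not checked here because its keys live under per-selector names that cannot be enumerated from the domain alone.

```python
"""Check SPF and DMARC TXT records for the weaknesses that let attackers spoof a domain.

The records below are constructed samples for example.ie (not a real lookup);
in practice you would fetch them with a DNS TXT query for the domain and for
_dmarc.<domain>.
"""
import re

WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"       # constructed
WEAK_DMARC = "v=DMARC1; p=none"                                     # constructed
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"        # constructed
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.ie; pct=100"  # constructed

# Mechanisms and modifiers that cost a DNS lookup under SPF's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (mechanisms, qualifier of 'all') for a v=spf1 record, or None if it is not SPF.
    A bare 'all' counts as '+all', i.e. everyone passes."""
    if not record.startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if re.fullmatch(r"[+\-~?]?all", term):
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the tag=value pairs of a v=DMARC1 record, or None if it is not DMARC."""
    if not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_domain(spf_record, dmarc_record):
    """List the weaknesses found; an empty list means both records are in good shape."""
    issues = []
    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        issues.append("SPF: no v=spf1 record")
    else:
        mechanisms, all_qualifier = spf
        if all_qualifier in (None, "+", "?"):
            issues.append("SPF: record does not end in -all or ~all, so any sender passes")
        lookups = sum(1 for m in mechanisms
                      if re.split(r"[:=/]", m)[0].lstrip("+-~?") in LOOKUP_TERMS)
        if lookups > 10:
            issues.append("SPF: more than 10 DNS lookups, receivers treat this as a permanent error")
    dmarc = parse_dmarc(dmarc_record) if dmarc_record else None
    if dmarc is None:
        issues.append("DMARC: no v=DMARC1 record at _dmarc")
    else:
        if dmarc.get("p", "none") == "none":
            issues.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        if "rua" not in dmarc:
            issues.append("DMARC: no rua address, so you receive no aggregate reports")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            issues.append(f"DMARC: pct={pct}, the policy applies only to part of the mail")
    return issues


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(f"{label}: {check_domain(spf, dmarc) or 'no issues found'}")
```

Running it against your own domain's records (pulled with any DNS lookup tool) gives a quick read on whether an attacker who has copied your branding could also put your exact domain in the From header; a `p=reject` DMARC policy backed by a strict SPF record is what stops that.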


What to Do If You Think You've Already Been Compromised

If you suspect a staff member may have already clicked "Accept" on an unfamiliar permissions request, act immediately:

  1. Revoke the application's access in the Microsoft Entra admin centre. Go to Enterprise Applications, find the suspicious app, and delete it.
  2. Reset the affected user's password and revoke all active sessions.
  3. Review the mailbox for any rules created by the attacker (e.g., rules that forward all email to an external address, or rules that automatically delete incoming messages).
  4. Check sent items for any emails sent by the attacker impersonating the user.
  5. Notify your IT provider and consider engaging an incident response specialist if sensitive data may have been accessed.
  6. Assess your GDPR obligations. If personal data belonging to clients or employees was accessible, you may have a 72-hour notification obligation to the Data Protection Commission. Seek legal advice if unsure.
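Step 3 is the one most easily done badly by hand, because attacker-created rules are designed to look boring. Here is an added example (not from the original article) that triages a mailbox's inbox rules for the three behaviours the step describes: forwarding or redirecting to an external address, silently deleting messages (especially finance-related ones), and hiding messages in folders nobody reads. The rules are constructed samples; their field names follow the output of Exchange Online's Get-InboxRule cmdlet, which is an assumption about how you would export them.

```python
"""Triage mailbox inbox rules for the signs of attacker persistence described in step 3.

The rule records are constructed samples whose field names follow Exchange Online's
Get-InboxRule output (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo,
DeleteMessage, MoveToFolder, SubjectContainsWords); that mapping is an assumption,
not data from the article.
"""
INTERNAL_DOMAINS = {"example.ie"}  # constructed: your own accepted domains

# Folders attackers commonly move hijacked threads into so the user never sees them.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Junk Email", "Archive", "Deleted Items"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "wire", "iban"}

SAMPLE_RULES = [  # constructed samples
    {"Name": ".", "Enabled": True, "ForwardTo": ["attacker-mailbox@mail.invalid"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": []},
    {"Name": "Clean up", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "payment"]},
    {"Name": "Newsletters", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
]


def external_recipients(rule):
    """Every forward/redirect target whose domain is not one of ours."""
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    return [a for a in targets if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def triage_rule(rule):
    """Return the reasons a single rule looks like attacker persistence (empty if none)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    external = external_recipients(rule)
    if external:
        reasons.append(f"forwards/redirects to external address(es): {', '.join(external)}")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    money_words = sorted(words & FINANCE_WORDS)
    if rule.get("DeleteMessage"):
        suffix = f" matching {money_words}" if money_words else ""
        reasons.append("deletes incoming messages" + suffix)
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append(f"hides messages in '{rule['MoveToFolder']}'")
    if not rule.get("Name", "").strip(" .,-_"):
        reasons.append("near-empty rule name, a common way to make the rule easy to miss")
    return reasons


def triage_mailbox(rules):
    """Map rule name -> reasons, for only the rules that need a human to look at them."""
    flagged = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            flagged[rule["Name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print(f"  - {r}")
```

Remove any rule the triage flags that the user cannot explain, and keep a copy of it for the incident record: the addresses, folders and keywords in an attacker's rules are often the clearest evidence of what they were after, which feeds directly into the GDPR assessment in step 6.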

For a full incident response framework, see Building an Incident Response Plan: A Template for Irish SMEs.



Sources: Computerworld — New phishing campaign tricks employees into bypassing Microsoft 365 MFA; NCSC Ireland — Cyber Security Guidance for SMEs.


Take the Next Step

If strengthening your authentication controls is something you're thinking about, the best starting point is a structured conversation.

Book a free 20-minute call with our vCISO team. We work with Irish SMEs across every sector — no jargon, no scare tactics, just clear advice on what to do next.
