Cybercriminals have successfully breached educational organizations by employing sophisticated techniques to bypass Multi-Factor Authentication (MFA). These attacks leverage a combination of phishing, social engineering, and session hijacking to gain unauthorized access to sensitive institutional data and systems.
Security researchers have documented campaigns where threat actors specifically target faculty, staff, and students within the education sector. The methods used demonstrate a clear evolution in tactics designed to circumvent widely adopted security measures like MFA.
MFA Bypass Techniques in Action
One primary method observed is the use of Adversary-in-the-Middle (AiTM) phishing kits. In these attacks, a fraudulent website is placed between the user and the legitimate login portal. When a user enters their credentials and completes the MFA challenge, the attackers capture not just the password but also the session cookie. This cookie allows the attacker to access the user’s account without needing to re-authenticate or bypass MFA again for the duration of the session’s validity.
Another documented tactic is MFA fatigue, also known as push bombing. After compromising a user’s password, attackers repeatedly send push notification requests to the user’s authentication app. The goal is to annoy or confuse the target into approving the login request, thereby granting the attacker access.
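A detection sketch for the push-bombing pattern described above, added here as an example and not taken from the original article: it flags a burst of rejected push prompts for one user, and escalates when an approval follows the burst. The event layout, the result values (`denied`, `timeout`, `approved`), the thresholds and the sample events are assumptions; map them to the fields your identity provider's sign-in log actually exposes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:05", "jdoe", "denied"),
    ("2025-01-10T02:14:40", "jdoe", "timeout"),
    ("2025-01-10T02:15:10", "jdoe", "denied"),
    ("2025-01-10T02:15:55", "jdoe", "timeout"),
    ("2025-01-10T02:16:30", "jdoe", "approved"),   # approval right after a burst
    ("2025-01-10T08:01:00", "asmith", "approved"), # normal single prompt
    ("2025-01-10T09:00:00", "mlee", "denied"),     # isolated denial, hours apart
    ("2025-01-10T13:30:00", "mlee", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Return alerts for push-prompt bursts per user.

    'burst'                - min_rejected denied/timed-out prompts inside window
    'approved_after_burst' - an approval arriving while such a burst is active
    """
    recent = defaultdict(deque)  # user -> timestamps of recent rejected prompts
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts older than window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == min_rejected:           # alert once when threshold is hit
                alerts.append({"kind": "burst", "user": user, "at": ts_raw,
                               "rejected": len(q)})
        elif result == "approved":
            if len(q) >= min_rejected:           # user gave in during the burst
                alerts.append({"kind": "approved_after_burst", "user": user,
                               "at": ts_raw, "rejected": len(q),
                               "first_prompt": q[0].isoformat()})
            q.clear()                            # a fresh approval resets the run
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to treat as a likely account takeover: revoke the session it created and reset the password, since the prompts only start after the password is already compromised.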
Attackers have also used direct social engineering. They contact an organization’s IT help desk, impersonate a legitimate user, and convince support staff to reset the user’s password or re-register a new MFA device that is under the attacker’s control.
Observed Impact on Educational Institutions
Once initial access is achieved by circumventing MFA, threat actors proceed to move laterally within the network. Their documented post-compromise activities include accessing and exfiltrating sensitive student and employee data, deploying ransomware, and using the compromised accounts for further phishing campaigns. These real-world incidents highlight the operational success of these specific MFA evasion strategies against the education sector.
Source: https://www.malwarebytes.com/blog/news/2025/12/attackers-have-a-new-way-to-slip-past-your-mfa