
Orphaned Admin Accounts & Inactive Users: Hidden Vulnerabilities (And How Our Concierge Desk Catches Them)
September 16, 2025
The Unseen Risk
Even when companies deploy MFA, it often isn’t comprehensive. In fact, Microsoft reports that “more than 99.9% of compromised accounts” had no MFA enabled—underscoring that any missing protection is a direct invitation to attackers. Partial rollouts, policy carve-outs, or legacy systems without MFA leave exactly those holes adversaries exploit. As one industry analyst bluntly puts it, “If identity isn’t secure everywhere, it’s not secure anywhere.”
Common MFA Misconfigurations and Gaps
Partial Deployments
Some teams or apps get MFA while others don’t. In practice, “rollout gaps are risk amplifiers.” Attackers love this—they probe the paths not behind MFA (old VPNs, on-prem apps, shared accounts) to steal passwords or session tokens. Bugcrowd notes that “legacy protocols, systems and misconfigured services often lack MFA enforcement,” giving hackers easy entry.
VIP/Executive Exemptions
Ironically, organizations sometimes exclude top executives “because they are assumed to be too busy.” But these high-value targets must have MFA. Security experts warn that “all executive accounts should be protected with multi-factor authentication” (CloudSEK likewise advises to “enable MFA for all their accounts, including email, company assets and network”). Skipping MFA on any C‑suite account invites targeted phishing (whaling) and fraud.
Weak MFA Methods
Using only SMS or easy OTPs creates weak links. Today’s attackers resort to push-bombing (“MFA fatigue”) or phone tricks. Microsoft observed 40,000+ MFA-fatigue attacks in one month alone. If users get spammed with approval prompts, someone will eventually tap “Allow” out of frustration. Even strong passwords + push prompts can be defeated this way.
Configuration Loopholes
Conditional access rules or trust relationships can bypass MFA. For example, geographic whitelists or fixed IP ranges can be spoofed. Some password-reset portals or shared machines may not enforce a second factor, as Bugcrowd observes. These gaps let attackers reset or replay sessions without ever seeing an MFA prompt.
Each of these gaps “provides attackers with easy access.” In other words, “having MFA” isn’t enough if it’s not everywhere. Partial or inconsistent enforcement basically restores the old password-only world—and that’s exactly what threat actors count on to succeed.
How Phishing and MFA Bypass Attacks Work
Attackers have built toolkits to sidestep or exploit MFA holes:
- Man-in-the-Middle Phishing: Sophisticated phishing kits (like Evilginx) intercept a user’s login and MFA codes in real time. The user thinks they logged into the real portal, but the attacker’s proxy captures both password and OTP/token, granting account access without a second prompt.
- Session Hijacking: If an attacker steals a valid session token (e.g., via a compromised device or network), they can often log in as that user without triggering another MFA challenge.
- MFA Fatigue (“Prompt Bombing”): As noted, attackers repeatedly send push notifications until a user approves one, banking on human impatience.
- SIM Swapping or Malware: SMS-based codes are vulnerable to phone attacks. Malware on a user’s phone can capture OTPs as they arrive. Once an attacker controls your phone number (via SIM swap), they can receive your SMS MFA codes.
- Social Engineering: Attackers trick users into revealing their codes—for example, by sending a fake “we sent you a code” message over WhatsApp.
In short, MFA only stops common attacks when every user and path requires it. If some accounts slip through or use weak factors, adversaries still find a way in. Security teams note that even with MFA enabled, criminals “bypass or manipulate MFA” and then register a new device or backdoor to persist in an account.
How Black Birch Group’s Concierge Desk Ensures Complete MFA Coverage
At Black Birch Group, our IT Concierge Desk is built to catch exactly these blind spots. Our security Pods perform end-to-end audits of MFA across your organization:
- Comprehensive Audits: Pods inventory every user, device, and application to verify MFA status. No one—from interns to VIPs—is skipped. If an executive or contractor isn’t enrolled, Pods flag it immediately. This aligns with industry guidance: compliance now demands “MFA for every user, system, and action” with “no carveouts.”
- Enforcement Across Platforms: Whether your apps run in Azure AD, Okta, Google Workspace, or on-prem systems, Pods help enforce uniform MFA policies. Misconfigurations (e.g., old protocols or legacy portals) are identified and fixed so attackers can’t dodge a second factor.
- Eliminating Exceptions: Any conditional bypass or VIP exemption is treated as a critical risk. Pods work with you to remove trust-by-default rules (like IP or user-agent whitelists) that bypass MFA. We ensure your policies match best practices.
- Strong, Phishing-Resistant Methods: Pods advocate migrating from SMS and short codes to phishing-resistant MFA (hardware tokens, FIDO keys, etc.). Even Microsoft recommends hardware/FIDO methods as the gold standard.
- Ongoing Management: New systems and users come online all the time. Pods continuously monitor MFA coverage, rolling out protection for new employees, integrated SaaS apps, or changed network environments. This prevents “drift” where MFA gaps reappear.
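As an added illustration (not Black Birch Group's tooling or any vendor's API), the following Python audit applies the gap categories from the sections above (unenrolled users, policy exclusions, weak factors, legacy protocols, privileged accounts without phishing-resistant methods) to a constructed identity inventory and reports overall coverage; the account fields, role names and factor labels are assumptions chosen for the example.

```python
"""MFA coverage audit over a constructed identity inventory (example data)."""
from dataclasses import dataclass

PHISHING_RESISTANT = {"fido2", "hardware_token"}   # assumed factor labels
WEAK_FACTORS = {"sms", "voice"}                     # easily intercepted factors
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic"}   # protocols that skip MFA
PRIVILEGED_ROLES = {"admin", "executive"}


@dataclass
class Account:
    name: str
    role: str                           # "admin", "executive", "contractor", "user"
    mfa_methods: frozenset              # registered second factors; empty = none
    ca_excluded: bool = False           # excluded from the MFA enforcement policy
    protocols: frozenset = frozenset()  # auth protocols the account may use


def audit(acct):
    """Return the list of MFA gaps for one account (empty list = fully covered)."""
    findings = []
    if not acct.mfa_methods:
        findings.append("no MFA enrolled")
    if acct.ca_excluded:
        findings.append("excluded from MFA policy")
    if acct.mfa_methods and acct.mfa_methods <= WEAK_FACTORS:
        findings.append("weak factors only (SMS/voice)")
    legacy = acct.protocols & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy auth allowed: " + ", ".join(sorted(legacy)))
    if acct.role in PRIVILEGED_ROLES and not (acct.mfa_methods & PHISHING_RESISTANT):
        findings.append("privileged account without phishing-resistant method")
    return findings


def coverage_report(accounts):
    """Return (percent of accounts with zero findings, {name: findings})."""
    gaps = {a.name: f for a in accounts if (f := audit(a))}
    covered = len(accounts) - len(gaps)
    return round(100.0 * covered / len(accounts), 1), gaps


INVENTORY = [  # constructed sample inventory, not real accounts
    Account("ceo", "executive", frozenset({"push"}), ca_excluded=True),
    Account("svc-backup", "admin", frozenset(), protocols=frozenset({"imap"})),
    Account("contractor1", "contractor", frozenset({"sms"})),
    Account("alice", "admin", frozenset({"fido2"})),
    Account("bob", "user", frozenset({"push", "sms"})),
]

if __name__ == "__main__":
    pct, gaps = coverage_report(INVENTORY)
    print(f"fully covered: {pct}%")
    for name, findings in gaps.items():
        print(f"{name}: {'; '.join(findings)}")
```

Run on the sample inventory, it reports 40.0% coverage and flags the excluded executive, the unenrolled service account with legacy IMAP access, and the SMS-only contractor, which are exactly the carve-outs the audit step is meant to surface.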
In practice, our Pods become part of your team, enforcing MFA policies day-to-day. Because every insider, contractor, and device is scrutinized, there are no “hidden” accounts waiting to be phished. We essentially turn the NYDFS dictum into action—leaving “nowhere left to hide” for attackers.
Key Takeaways and Next Steps
- Don’t assume “some MFA” is enough: Even one unprotected account can undo your security. In a breach at Snowflake, over 160 customer accounts were hijacked solely because they lacked MFA. Make 100% coverage the goal.
- Audit for exceptions immediately: Use tools or experts to find any users or apps bypassing MFA. This includes legacy systems, default/shared accounts, or privileged logins.
- Mandate phishing-resistant MFA: Push notifications and SMS have weaknesses. Move to stronger methods (hardware tokens, FIDO keys, etc.).
- Include VIPs and contractors: Enforce MFA on top executives and third parties alike. Don’t exempt leaders from security.
- Partner with security experts: Staying ahead of MFA gaps is a constant effort. Our Concierge Desk can proactively manage MFA across your tech real estate, so you don’t have to. BBG’s Pods will help you implement consistent MFA everywhere, catching oversights before attackers do.
Multi-factor authentication is a critical defense, but only if fully implemented. By recognizing and fixing misconfigured or incomplete MFA early—and by enlisting services like our Concierge Desk to enforce it—you turn a checkbox into real protection.
Sources: learn.microsoft.com, david-canellos.medium.com, bugcrowd.com, hackernoon.com, abnormal.ai, ironscales.com, cloudsek.com