Why Multi-Factor Authentication Won't Stop Social Engineering Attacks
IT support received a call from someone claiming to be the company's CFO. Travelling. Locked out. Urgent MFA reset needed before a board meeting.
The caller knew the CFO's name, the internal system names, the right acronyms. They sounded exactly like someone who belonged. The helpdesk agent — trained to be helpful, under pressure to resolve tickets fast — reset the MFA.
The caller was not the CFO.
Forty minutes later, the attacker had domain administrator access. This is the exact pattern Unit 42 documented in their 2025 Global Incident Response Report when tracing Muddled Libra's intrusions across dozens of enterprises. And the chilling detail: every single target had MFA enabled.
MFA Is Still Essential. Let's Be Clear About That.
Before anything else — this post is not an argument against MFA. Enable it everywhere. On every account. Right now, if you haven't.
MFA stops an enormous category of attacks. Credential stuffing, brute force, password spraying, leaked password reuse — if your employees' passwords are sitting in a breach database somewhere (and statistically, they are), MFA is the control that keeps those stolen credentials useless.
79% of business email compromise victims investigated in 2024–2025 had MFA enabled — which tells you two things simultaneously. First, attackers are now specifically targeting organisations that have MFA. Second, having it wasn't enough on its own.
MFA protects credentials. It does not protect people.
The Two Ways Attackers Bypass MFA Through Social Engineering
Attack 1: The Help Desk Reset
This is the Muddled Libra / Scattered Spider playbook, documented in breach after breach since 2022.
The attacker doesn't try to beat your MFA. They phone your IT helpdesk and ask for it to be reset.
They've researched beforehand. LinkedIn gave them employee names, titles, and reporting structures. The company website gave them system names and office locations. Enough detail to build a completely convincing pretext. When the helpdesk agent asks a verification question — "What's your employee ID?" or "Who do you report to?" — the attacker has the answer ready.
The agent resets the MFA. The attacker enrols their own device and logs in. Because that login carries valid credentials plus a freshly enrolled MFA method, it is recorded as an ordinary successful sign-in, not as an intrusion.
Attack 2: MFA Fatigue (Prompt Bombing)
This one requires the attacker to already have your password — usually from a phishing attack or a credential dump. They then attempt login repeatedly, triggering MFA push notifications to your phone. Dozens of them. Sometimes hundreds.
The goal: wear you down until you tap "Approve" just to make it stop.
Prompt bombing represented 14% of all social engineering incidents in 2024, and succeeded in more than 20% of social attacks against public sector organisations in 2025.
This is how the 2022 Uber breach worked. An attacker purchased a contractor's credentials, then bombed them with MFA requests for hours — eventually calling them on WhatsApp, claiming to be Uber IT, and asking them to approve one request as part of a "security verification." They did. The attacker was in.
In 2025, this technique has been weaponised by ransomware groups including Akira, which targeted SonicWall VPN environments using a combination of stolen credentials and MFA push spam.
If your phone suddenly started receiving 30 MFA requests at midnight, what would you do? What would your team do? It's worth thinking about before an attacker tests the answer.
What Actually Stops These Attacks
1. A Strict, Written Help Desk Identity Verification Policy
This is the highest-impact, lowest-cost control available to most organisations — and it's almost never implemented properly.
Every MFA reset, password change, or access modification must require identity verification through a channel that cannot be spoofed by a caller. That means:
- Video call with face verification, arranged by the helpdesk through a known internal contact (such as the requester's manager), rather than a call started by the person asking for the reset
- Manager callback via a number stored in your directory — not one provided by the caller
- Hardware token or ID card verification in person for high-privilege accounts
The policy must also state: no exceptions for urgency. Urgency is the social engineer's most reliable tool. The moment your helpdesk feels empowered to say "I can't reset this without proper verification, regardless of how important you say this is" — you've removed the most exploited entry point in your entire security stack.
2. Replace Push Notifications With Phishing-Resistant MFA
Standard push-based MFA — the kind where you get a notification and tap "Yes" — is vulnerable to fatigue attacks. Neither push nor one-time codes survive adversary-in-the-middle phishing proxies (tools like Evilginx that relay the real login page, pass the MFA step through in real time, and capture the resulting session cookie).
Upgrade to one of these:
- FIDO2 / Hardware Security Keys (YubiKey, Google Titan) — the credential is cryptographically bound to the site's origin, so a lookalike phishing domain cannot get a valid signature out of it. The gold standard. 87% of US and UK enterprises have deployed or are actively rolling out passkeys, per a 2025 FIDO Alliance study.
- Number matching — the user must type a code shown on the login screen into their authenticator app. Stops prompt bombing because each approval is tied to a specific session the user initiated; an attacker-initiated prompt shows the number on the attacker's screen, not the user's. It does not stop adversary-in-the-middle phishing, where the proxy shows the victim the genuine number, and it does not stop a caller who reads the number out over the phone.
- Passkeys — the same FIDO2 credentials stored on a phone or laptop rather than a separate key; increasingly supported across Microsoft, Google, Apple, and major SaaS platforms.
If a budget-constrained move is needed: number matching is free. Microsoft Entra ID enforces it for Microsoft Authenticator push notifications, and Google prompts show a number to match as well. (Google Authenticator itself generates one-time codes, not push prompts, so it is not where this setting lives.) Enable it today.
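To make the difference concrete, here is a small simulation of tap-to-approve push versus number matching under a prompt-bombing attack. It is an added example written for this post, not code from the original article or from any identity provider; the `Server`, `PendingLogin` and scenario functions, and the `PUSH_LOCKOUT_THRESHOLD` policy of disabling push after a run of unapproved prompts, are all assumptions made for the illustration.

```python
"""Simulated push MFA: tap-to-approve versus number matching under prompt bombing.

Added example, not the original post's code. Models an identity provider
("Server"), the user's authenticator app, and an attacker who already has the
password. The lockout policy and all class/function names are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PUSH_LOCKOUT_THRESHOLD = 3  # assumed policy: disable push after 3 prompts with no approval


@dataclass
class PendingLogin:
    session_id: str
    number: int  # two-digit value shown on the login SCREEN, never sent to the phone


@dataclass
class Server:
    """Identity provider. number_matching=False is classic tap-to-approve push."""
    number_matching: bool
    pending: Dict[str, PendingLogin] = field(default_factory=dict)
    unapproved_prompts: int = 0
    push_locked: bool = False

    def start_login(self, password_ok: bool) -> Optional[PendingLogin]:
        """Password stage. On success, create a challenge and push a prompt to the
        phone. The returned session is what whoever typed the password sees."""
        if not password_ok or self.push_locked:
            return None  # wrong password, or push disabled pending an out-of-band reset
        sess = PendingLogin(secrets.token_hex(8), secrets.randbelow(100))
        self.pending[sess.session_id] = sess
        self.unapproved_prompts += 1
        if self.unapproved_prompts >= PUSH_LOCKOUT_THRESHOLD:
            self.push_locked = True  # a burst of unanswered prompts is itself a signal
        return sess

    def approve(self, session_id: str, typed_number: Optional[int]) -> bool:
        """Called by the authenticator app. With number matching, a tap only counts
        if it carries the number from the screen where the login was started."""
        sess = self.pending.pop(session_id, None)
        if sess is None:
            return False
        if self.number_matching and typed_number != sess.number:
            return False
        self.unapproved_prompts = 0
        return True


def legitimate_login(number_matching: bool) -> bool:
    """The user types their own password, reads the number off their own screen."""
    server = Server(number_matching)
    sess = server.start_login(password_ok=True)
    return server.approve(sess.session_id, sess.number if number_matching else None)


def prompt_bombing(number_matching: bool, attacker_phones_victim: bool) -> Tuple[bool, bool]:
    """Attacker with the password spams logins; the worn-down user taps Approve.
    Returns (attacker_got_in, push_locked_out)."""
    server = Server(number_matching)
    got_in = False
    for _ in range(10):
        sess = server.start_login(password_ok=True)  # number appears on the ATTACKER's screen
        if sess is None:
            break  # lockout tripped: push is now disabled for this account
        if number_matching and not attacker_phones_victim:
            typed = None  # the user's own screen shows nothing, so there is nothing to type
        else:
            # Plain push: one blind tap is enough. Or the attacker calls "from IT" and reads
            # the number out (the Uber pattern); number matching cannot tell the difference.
            typed = sess.number if number_matching else None
        if server.approve(sess.session_id, typed):
            got_in = True
            break
    return got_in, server.push_locked


if __name__ == "__main__":
    print("legit, plain push:      ", legitimate_login(False))
    print("legit, number matching: ", legitimate_login(True))
    print("bombing, plain push:    ", prompt_bombing(False, False))
    print("bombing, number match:  ", prompt_bombing(True, False))
    print("bombing + phone call:   ", prompt_bombing(True, True))
```

The third scenario is the one to notice: number matching turns a blind tap into a failed approval, but the moment the attacker gets the victim on the phone and reads the number out, the control is back to depending on the person. That is why the helpdesk policy and the training below are not optional extras.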
3. Conditional Access and Anomaly Detection
Even with strong MFA, set controls that flag or block logins that look wrong:
- Login from a new device or country triggers additional verification
- Login at unusual hours triggers step-up verification, or a manager's sign-off for privileged accounts, rather than succeeding silently
- Rapid privilege escalation after login generates an immediate security alert
The Muddled Libra playbook moves fast — from helpdesk call to domain admin in 40 minutes — specifically because most environments don't alert on rapid privilege changes after a legitimate login. That gap is closable.
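The two detections this section and the prompt-bombing section call for are simple to express as correlation rules. Below is an added example, not code from the original post or from any SIEM or identity provider: it runs two rules over a constructed batch of audit events (a helpdesk MFA reset followed by a new-device sign-in and a privilege grant, plus a burst of unanswered push prompts). The event field names, the time windows and the thresholds are assumptions; map them onto your own IdP's audit and sign-in log schema.

```python
"""Correlation rules for the helpdesk-reset chain and for push-spam bursts.

Added example, not from the original post or any vendor. The event schema
(field names, event types) and the windows/thresholds are assumptions; the
sample events are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_TO_SIGNIN = timedelta(hours=24)  # new-device sign-in this soon after an MFA reset
SIGNIN_TO_PRIV = timedelta(hours=1)    # privilege grant this soon after that sign-in
PUSH_WINDOW = timedelta(minutes=10)    # denied/unanswered push prompts in this window...
PUSH_THRESHOLD = 5                     # ...this many of them trips the alert

# Constructed sample events (not real logs). cfo: the helpdesk-reset chain.
# alice: a benign reset with no privilege change. bob: being prompt-bombed.
# carol: two denials, below the threshold.
RAW_EVENTS = [
    {"ts": "2025-03-04T09:02:00Z", "user": "cfo@example.com", "event": "mfa_method_reset",
     "actor": "helpdesk.agent@example.com"},
    {"ts": "2025-03-04T09:14:00Z", "user": "cfo@example.com", "event": "signin_success",
     "new_device": True, "ip": "203.0.113.7"},
    {"ts": "2025-03-04T09:42:00Z", "user": "cfo@example.com", "event": "role_assigned",
     "role": "Global Administrator"},
    {"ts": "2025-03-04T10:00:00Z", "user": "alice@example.com", "event": "mfa_method_reset",
     "actor": "helpdesk.agent@example.com"},
    {"ts": "2025-03-04T10:30:00Z", "user": "alice@example.com", "event": "signin_success",
     "new_device": True, "ip": "198.51.100.22"},
    {"ts": "2025-03-04T00:01:00Z", "user": "bob@example.com", "event": "mfa_push_timeout"},
    {"ts": "2025-03-04T00:02:00Z", "user": "bob@example.com", "event": "mfa_push_timeout"},
    {"ts": "2025-03-04T00:03:00Z", "user": "bob@example.com", "event": "mfa_push_denied"},
    {"ts": "2025-03-04T00:04:00Z", "user": "bob@example.com", "event": "mfa_push_timeout"},
    {"ts": "2025-03-04T00:05:00Z", "user": "bob@example.com", "event": "mfa_push_timeout"},
    {"ts": "2025-03-04T00:06:00Z", "user": "bob@example.com", "event": "mfa_push_denied"},
    {"ts": "2025-03-04T00:20:00Z", "user": "carol@example.com", "event": "mfa_push_denied"},
    {"ts": "2025-03-04T00:21:00Z", "user": "carol@example.com", "event": "mfa_push_denied"},
]


def parse_events(raw):
    """Normalise timestamps to datetime and sort chronologically."""
    out = []
    for e in raw:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def detect_reset_then_escalation(events):
    """MFA reset -> new-device sign-in -> privilege grant, each inside its window.
    A reset on its own is routine; the chain is what the helpdesk attack looks like."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for r in (e for e in evs if e["event"] == "mfa_method_reset"):
            for s in (e for e in evs if e["event"] == "signin_success" and e.get("new_device")
                      and r["ts"] < e["ts"] <= r["ts"] + RESET_TO_SIGNIN):
                for p in (e for e in evs if e["event"] == "role_assigned"
                          and s["ts"] < e["ts"] <= s["ts"] + SIGNIN_TO_PRIV):
                    alerts.append({"rule": "mfa_reset_to_privilege", "user": user,
                                   "reset_by": r.get("actor"), "role": p["role"],
                                   "minutes_from_reset": int((p["ts"] - r["ts"]).total_seconds() // 60)})
    return alerts


def detect_push_bombing(events):
    """Sliding window: PUSH_THRESHOLD or more denied/unanswered prompts for one user
    within PUSH_WINDOW. Fires once per user, on the first window that trips."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("mfa_push_denied", "mfa_push_timeout"):
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, stamps in by_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > PUSH_WINDOW:
                start += 1
            if end - start + 1 >= PUSH_THRESHOLD:
                alerts.append({"rule": "mfa_push_bombing", "user": user,
                               "prompts_in_window": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break
    return alerts


def run(raw=RAW_EVENTS):
    events = parse_events(raw)
    return detect_reset_then_escalation(events) + detect_push_bombing(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The first rule is deliberately a chain rather than a single-event alert: resets and new-device sign-ins happen legitimately all day, and alerting on either alone trains analysts to ignore the queue. The second rule belongs on the IdP side too, as an automatic push lockout, but the alert is what gets a human to phone the user over a known number.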
4. Just-in-Time (JIT) Access for Privileged Accounts
Admin accounts should not exist as persistent, always-available logins. Just-in-time access means elevated permissions are granted on demand, for a defined time window, with an approval workflow. An attacker who bypasses MFA and gets into a standard account gets significantly less value if admin access requires a separate, time-limited grant that leaves an auditable trail.
The Policy Your IT Team Needs Before Anything Else
Before you buy new tools or upgrade MFA methods, write this policy and train your helpdesk on it:
"No MFA reset, password change, or access modification will be processed based solely on a phone call, regardless of who the caller claims to be or how urgent the request appears. All such requests require [specific second-channel verification]. This applies without exception to all accounts including executives."
Print it. Put it on every helpdesk agent's wall. Test it with a simulated vishing call.
Because here's the truth — the attacker who called and pretended to be your CFO isn't testing your technology. They're testing your people. And right now, without that policy in writing, your people have no script to follow when the pressure hits.
The Honest Assessment
MFA is not the finish line. It's a layer — an important, essential, non-negotiable layer — in a stack that must also include process, training, and human verification protocols.
The organisations we work with at Kuboid Secure Layer that get this right aren't necessarily the ones with the most sophisticated tools. They're the ones where the helpdesk agent feels completely confident saying "I can't do that without proper verification" — and where that response is backed by a policy that the CEO signed off on.
If you'd like to understand where your current identity verification protocols stand — or run a simulated vishing test against your helpdesk — our Human Risk Assessment service is built for exactly this. We test it the way a real attacker would.
Does your IT support team have a documented, tested protocol for MFA resets? If not — or if you're not sure — that's the gap most worth closing this week. Drop a comment or reach out directly. You'd be surprised how many teams discover it's missing only after we ask.
This is part of our ongoing series on social engineering. Read the full series at kuboid.in/blog.
Kuboid Secure Layer provides social engineering simulations, human risk assessments, and security advisory for businesses across India and beyond. Learn more.