Why MFA and conditional access aren’t enough to stop modern email attacks
Kirsten Peremore
October 28, 2025
Multi-factor authentication (MFA) strengthens account security by requiring two or more proof points: something you know (a password), something you have (a one-time code or hardware token), or something you are (a fingerprint or face scan). MFA stops many automated attacks, but it is not foolproof. Attackers can still combine technical gaps with human tricks to get around it.
A Digital Health study notes that “cyber attackers have relentlessly targeted the healthcare sector,” exploiting IoT and IoHT device connectivity to infiltrate systems through weak or reused passwords. During the COVID-19 pandemic, the number of attacks surged, with “over 1,500 reported malicious cyber-attacks related to the pandemic, disrupting the healthcare sector, which is the second-most targeted industry for ransomware.” The study’s sources also state that “the cost of cybercrime worldwide could increase to $10.5 trillion by 2025.”
Once inside, attackers move quickly to hide their tracks. Common steps include creating mailbox rules that auto-archive or delete security alerts, forwarding mail to external accounts, and setting up out-of-office messages to mask unusual activity. Preventing account takeover means closing legacy-protocol gaps, enforcing phishing-resistant MFA, and monitoring for subtle behavioral changes.
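The mailbox-rule tampering described above leaves a trail in the tenant's audit log. As an added example (not code from the article), the script below flags rules that delete or bury security-alert mail or forward it off-tenant; the records mimic Microsoft 365 Unified Audit Log entries for New-InboxRule / Set-InboxRule with the Exchange cmdlet's parameter names, while the tenant domain, users and values are constructed.

```python
"""Flag inbox rules that hide or exfiltrate mail, using constructed records.
Added example (not from the article): each record mimics a Microsoft 365
Unified Audit Log entry for New-InboxRule / Set-InboxRule. The parameter
names are the Exchange cmdlet's; tenant domain and values are made up."""
INTERNAL_DOMAINS = {"example-clinic.test"}  # assumed tenant domains
ALERT_WORDS = {"security", "alert", "password", "suspicious", "sign-in", "mfa"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items", "conversation history"}

def _params(record):
    """Unified Audit Log stores cmdlet parameters as a list of Name/Value pairs."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _external(addresses):
    """Recipients whose domain is not one of the tenant's own (';'-separated list)."""
    return [a.strip().lower() for a in addresses.split(";")
            if "@" in a and a.strip().lower().split("@")[1] not in INTERNAL_DOMAINS]

def rule_findings(record):
    """Reasons a rule deserves review; an empty list means it looks benign."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p, findings = _params(record), []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = _external(p.get(key, ""))
        if ext:
            findings.append(f"{key} sends mail to external address {', '.join(ext)}")
    words = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    on_alerts = any(w in words for w in ALERT_WORDS)   # rule keys on security-alert wording
    if on_alerts and p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes messages matching security-alert keywords")
    if on_alerts and p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        findings.append(f"buries alert-keyword mail in '{p['MoveToFolder']}'")
    return findings

def triage(records):
    """Flatten findings to (user, time, reason) rows for an analyst queue."""
    return [(r["UserId"], r["CreationTime"], f) for r in records for f in rule_findings(r)]

# Constructed sample: a rule deleting alert mail, an external forward, and a benign rule.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-10-01T03:12:00", "Operation": "New-InboxRule", "UserId": "accounting@example-clinic.test",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "security alert;password"}]},
    {"CreationTime": "2025-10-01T03:15:00", "Operation": "Set-InboxRule", "UserId": "accounting@example-clinic.test",
     "Parameters": [{"Name": "Identity", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "inbox@mail-drop.example"}]},
    {"CreationTime": "2025-10-02T09:30:00", "Operation": "New-InboxRule", "UserId": "nurse@example-clinic.test",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"}]},
]
```

A rule named "." or a single character, as in the first record, is itself a common review trigger; the keyword and folder lists are starting points to tune against the tenant's own alert senders.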
The problem with MFA
Introducing friction and complexity
Users often find MFA processes cumbersome, leading to usability issues such as authentication fatigue, where frequent MFA prompts overwhelm or frustrate users. This can result in decreased vigilance, such as recklessly approving push notification prompts or opting for less secure MFA methods.
As one technical report from the International Business Machines Corp explains, “We often perceive that there is a tradeoff between usability and security. Security concepts are often difficult to understand, or implementations are awkward to use.” The research emphasizes the need to “achieve a balance between security and usability, specifically, authenticate just enough to maintain sufficient security, leveraging situation, context, and history, while accommodating situational impairments and personal preferences.”
High friction may also motivate users to seek workarounds, like writing down temporary passwords or disabling MFA when possible, thereby weakening the intended security posture. Such human factors undermine the effectiveness of MFA and create exploitable vulnerabilities.
The technical issue
MFA solutions are only as strong as their weakest authentication factor and the ecosystem in which they operate. One common vulnerability lies in legacy systems that do not fully support modern MFA protocols.
The review explains, “The concepts of MFA can be applied to healthcare, where security can often be overlooked. The security requirements identified result in stronger methodologies of authentication, such as hardware solutions in combination with biometric data to enhance MFA approaches.”
For example, older email access methods such as IMAP, POP3, and SMTP may bypass MFA, providing attackers with an entry point. Integration issues with legacy infrastructure can result in incomplete adoption of MFA or the opening of fallback channels, rendering the additional authentication layers ineffective.
The challenge with biometrics
Biometric-based authentication, increasingly used in MFA, presents its own set of challenges. Biometric systems tend to be probabilistic rather than deterministic, with accuracy affected by environmental conditions and sensor quality. Additionally, biometric technologies may exhibit bias, resulting in lower accuracy across different demographic groups and leading to false rejections or false acceptances.
The authors from the previously mentioned review also caution, “Studies show that oversaturating security can lead to other issues such as complicated security procedures that result in poor user security posture and a lack of awareness of good practices.”
Hardware dependencies mean device malfunctions or environmental factors can prevent legitimate authentication attempts. Moreover, compromised biometric data cannot be simply reset or changed like passwords, raising long-term security concerns if biometric templates are leaked.
Software challenges
Software-based MFA mechanisms, including time-based one-time passwords (TOTPs) and push-based notifications, also have weaknesses. TOTPs can be intercepted via phishing or man-in-the-middle attacks, and push notifications are susceptible to social engineering tactics such as MFA fatigue or prompt bombing.
As one Scientific Reports study points out, “Traditional authentication methods such as PINs, passwords, and one-time passwords have shown limitations, especially in the wake of the COVID-19 pandemic, which accelerated the demand for seamless and contactless solutions.”
Attackers exploit these weaknesses by bombarding users with approval requests until one is accepted. Furthermore, MFA tokens or session cookies can be stolen and reused if session management and conditional access policies are not robustly enforced.
How doors are left open by old protocols
Legacy systems struggle to integrate with modern MFA solutions. Many healthcare and IoT devices run outdated operating systems or firmware that do not support advanced authentication standards or modern conditional access policies. This incompatibility creates insecure fallback or alternate authentication paths that attackers can leverage. Many legacy environments lack routine patching and update capabilities, leaving long-known software vulnerabilities unaddressed and amplifying risks.
As one analysis in Medical Devices: Evidence and Research explains, “The increased use of wireless network connectivity and connection of devices to the Internet, coupled with the desire to make use of the information collected on a medical device in other health systems, has made medical devices more open and subsequently vulnerable to cybersecurity threats.” These vulnerabilities, once limited to isolated devices, now extend across interconnected clinical systems, creating new risks for MFA-dependent security frameworks.
The risk is compounded in healthcare settings where legacy medical devices and hospital information systems coexist. These devices often communicate over weakly secured channels or use proprietary protocols with poor encryption and authentication. Hackers exploit these weaknesses to bypass MFA and pivot through networks, compromising sensitive patient data and operational systems that support patient safety.
Human factors can also contribute: reliance on legacy protocols is sometimes due to operational inertia or budget constraints, delaying system modernization and enforced security hardening. Some legacy protocols lack visibility in security monitoring tools, allowing attackers to maintain persistence while evading detection.
Conditional access as a policy-based defense in Microsoft 365 and similar environments
There are several reasons why conditional access and MFA aren’t enough on their own. Attackers have learned to get around them by using tactics like phishing or MFA fatigue, sending repeated approval requests until a tired or distracted user finally clicks “approve.” Older systems and outdated protocols that don’t fully support MFA are another weak spot, often giving adversaries a way to bypass conditional access controls entirely.
Even when MFA is in place, attackers can hijack session tokens or steal cookies to keep access open without triggering any new authentication checks. And because conditional access depends on accurate signals about user behavior and device trust, hackers constantly work to mimic legitimate activity or compromise trusted devices to stay under the radar.
An anonymous user on the Microsoft forum noted, “One of my clients is a new business that I set up less than two years ago with Microsoft 365 cloud email. From the original setup, the security defaults were set, and I left them on. The accounting user had MFA set up with her phone and Microsoft Authenticator. She is a fairly astute user who does not appear to be click happy. I looked at her computer and I see no extraneous sketchy programs other than McAfee. I have scanned it with several malware tools and AV with zero hits on everything. Somehow they got her password and signed on. The sign-in logs in the Entra admin center show that the hackers got in with single-factor authentication. It seems legit users are also getting in with single-factor authentication regularly. The legacy per-user MFA was never enabled for any user because the security defaults were in place from day 1. The user has no recollection of entering her password on a web page or being phished in any way she can recall. She is one of the business owners, so there is no incentive to not be truthful with me. I am baffled at how the hackers got in with single-factor.”
Conditional access is meant to act as a gatekeeper, but one misconfiguration or overly broad rule can create severe exposure. Striking the right balance between usability and security adds to the challenge: tighten policies too much and workflows slow down; loosen them and security gaps widen.
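Both gaps raised in this article, legacy protocols that skip MFA entirely and the single-factor successes the forum poster found in the Entra sign-in logs, are visible in the sign-in records themselves. The script below is an added example (not from the article or Microsoft): the field names follow the Microsoft Graph signIn resource, the legacy client-app labels are an assumed, non-exhaustive list, and every user, address and timestamp is constructed.

```python
"""Review constructed Entra ID sign-in records for the two gaps described above:
legacy protocols on which MFA cannot be enforced, and successful sign-ins that
satisfied only one factor. Added example, not from the article; field names
follow the Microsoft Graph signIn resource, all values are made up."""

# Client-app labels Entra reports for basic-auth (legacy) paths. Assumption: not exhaustive.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

def classify_sign_in(rec):
    """Reason a successful sign-in needs review, or None if MFA was actually satisfied."""
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return None                       # failed attempts are a different hunt
    app = rec.get("clientAppUsed", "")
    if app in LEGACY_CLIENT_APPS:
        return f"legacy protocol ({app}): conditional access and MFA do not apply"
    if rec.get("authenticationRequirement") == "singleFactorAuthentication":
        return "single-factor success: no policy required a second factor"
    return None

def summarize(records):
    """user -> list of (time, ip, reason). Users absent from the result had only
    MFA-backed successes; users present are candidates for a policy gap."""
    out = {}
    for rec in records:
        reason = classify_sign_in(rec)
        if reason:
            out.setdefault(rec["userPrincipalName"], []).append(
                (rec["createdDateTime"], rec["ipAddress"], reason))
    return out

# Constructed sample: mirrors the forum case (password-only success, then IMAP).
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-09-30T02:14:00Z", "userPrincipalName": "accounting@example-clinic.test",
     "ipAddress": "203.0.113.50", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-30T02:20:00Z", "userPrincipalName": "accounting@example-clinic.test",
     "ipAddress": "203.0.113.50", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-30T08:05:00Z", "userPrincipalName": "accounting@example-clinic.test",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-09-30T08:09:00Z", "userPrincipalName": "nurse@example-clinic.test",
     "ipAddress": "203.0.113.51", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
]
```

Any user who appears in the summary either reached a legacy endpoint that should be blocked or signed in under no policy that demanded MFA; both are fixed by policy, not by the user.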
How OAuth and session cookies bypass reauthentication
The OAuth protocol, commonly used for delegated access and single sign-on (SSO), allows users to grant third-party apps access to specific resources without sharing their passwords. It works through access tokens issued after authentication. Once a token is given, users typically don’t have to log in again during that session; the token itself provides ongoing access until it expires or is revoked.
While convenient, this token-based model can unintentionally bypass reauthentication by maintaining continuous access without requiring re-entry of credentials. The security of this setup depends heavily on how tokens are handled, stored, and validated. As one Journal of Medical Imaging study on cloud-based medical imaging explains, “OAuth 2.0 authorization server provides client applications (e.g., medical imaging services) a ‘secure delegated access token’ which permits client applications to access resource owners’ (RO) (e.g., patients) resources (e.g., medical imaging documents) if ROs approve the actions performed by the client application.”
The same research notes that “maintaining a separate user identity repository in each domain can lead to information inconsistency and synchronization problems,” which shows how federated and delegated identity systems can create security gaps when tokens are not centrally managed or properly validated.
Session cookies often work alongside OAuth to keep users signed in. These cookies store authentication tokens or session identifiers in the browser, allowing users to move between pages or apps without re-entering credentials. But if an attacker steals a cookie or an OAuth token through cross-site scripting, a man-in-the-middle attack, or malware, they can impersonate the user and gain full access to protected systems without triggering MFA or reauthentication. In effect, token or session hijacking turns convenience into vulnerability, giving attackers persistent, unauthorized access.
OAuth’s structure can create openings for exploitation. For instance, improper validation of redirect URIs during the authorization process can allow attackers to intercept authorization codes and exchange them for tokens, gaining access without ever knowing the user’s credentials. Long token lifespans and automatic refresh mechanisms further extend the window of risk, as tokens can silently renew without the user’s awareness. As long as the token remains valid, the system assumes trust, even if that trust has been compromised.
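The redirect-URI weakness above comes down to how the authorization server compares the requested redirect_uri with what the client registered. As an added example (not from the article or any cited study), the code below contrasts a loose substring check with the exact-match comparison RFC 6749 calls for, and binds each authorization code to the client and redirect_uri it was issued for; the client id and hostnames are constructed.

```python
"""Redirect-URI handling for an OAuth 2.0 authorization server.
Added example, not from the article or any cited study: contrasts the loose
substring check the text warns about with exact-match validation, and binds
each authorization code to the client and redirect_uri it was issued for.
Client id and hostnames are made up."""
import secrets

REGISTERED_REDIRECTS = {                     # assumed client registration data
    "imaging-app": {"https://imaging.example-clinic.test/oauth/callback"},
}
_issued_codes = {}                           # code -> (client_id, redirect_uri); in-memory for the example

def redirect_allowed_loose(client_id, redirect_uri):
    """Flawed check: accepts any URI in which the registered host merely appears as a substring."""
    hosts = {r.split("/")[2] for r in REGISTERED_REDIRECTS.get(client_id, set())}
    return any(h in redirect_uri for h in hosts)

def redirect_allowed_strict(client_id, redirect_uri):
    """RFC 6749 s3.1.2.3: compare the full registered URI with simple string equality."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())

def authorize(client_id, redirect_uri):
    """Authorization endpoint: issue a code only for an exactly registered redirect_uri.
    Returns None when the URI is not registered (RFC 6749 s4.1.2.1: never redirect there)."""
    if not redirect_allowed_strict(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (client_id, redirect_uri)
    return code

def exchange_code(client_id, code, redirect_uri):
    """Token endpoint: the code is single-use and must come back with the same client
    and the identical redirect_uri used at authorization (RFC 6749 s4.1.3).
    A mismatch also consumes the code, so it cannot be retried with the right value."""
    entry = _issued_codes.pop(code, None)
    return entry is not None and entry == (client_id, redirect_uri)

# Constructed inputs: the registered URI, a lookalike that embeds the host in a query
# string, and the registered URI with an extra parameter appended.
LEGIT_URI = "https://imaging.example-clinic.test/oauth/callback"
LOOKALIKE_URI = "https://mail-drop.example/landing?next=imaging.example-clinic.test"
TAMPERED_URI = LEGIT_URI + "?debug=1"
```

The loose check passes the lookalike because the registered hostname appears in its query string; the strict check rejects it and the tampered variant alike.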
How AI and behavior detection help identify anomalies
Deep learning models like Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), and Deep Neural Networks (DNNs) have become highly effective tools for detecting anomalies because they can process massive, complex datasets and identify patterns that humans or traditional systems might overlook.
RNNs, for instance, are particularly good at analyzing sequences such as login times or access paths, while CNNs excel at detecting irregularities in network traffic or user activity logs. These models learn to distinguish normal behavior from suspicious activity, enabling them to identify even subtle or novel threats, such as zero-day attacks, that rule-based systems often miss.
A 2025 meta-analysis, ‘AI integration in cybersecurity software: Threat detection and response’, found that AI-enhanced systems achieved detection accuracy rates between 85% and 97%, outperforming traditional rule-based systems that typically range from 72% to 81%.
Behavior-based detection systems focus on recognizing the warning signs that often appear before an attack, such as logins from unusual locations, spikes in data transfers, or activity during off-hours. By training machine learning algorithms on baseline data that defines what normal looks like, these systems can flag anomalies in real time.
That means potential intrusions can be detected and contained before they cause serious harm. Recent progress in explainable AI (XAI) adds another layer of value, helping analysts understand why a particular action was flagged and improving both trust and accuracy in automated decisions.
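The baseline-then-deviation idea behind behavior-based detection can be shown without a neural network. The code below is an added example (not from the article or Paubox): it builds a per-user baseline of the three signals the text names (location, hour of day, data volume) from past sign-in events and scores new ones with plain statistics; the user, country codes and volumes are constructed.

```python
"""Baseline-and-deviation scoring over constructed sign-in events.
Added example, not from the article or Paubox: builds a per-user baseline of
the three signals named above (location, hour of day, data volume) from past
events and scores new ones. Plain statistics stand in for the ML models so
the mechanics stay visible; all users, countries and volumes are made up."""
from statistics import mean, pstdev

def build_baseline(history):
    """history: dicts with user, country, hour (0-23) and mb_transferred."""
    base = {}
    for e in history:
        b = base.setdefault(e["user"], {"countries": set(), "hours": set(), "mb": []})
        b["countries"].add(e["country"])
        b["hours"].add(e["hour"])
        b["mb"].append(e["mb_transferred"])
    for b in base.values():
        b["mb_mean"], b["mb_sd"] = mean(b["mb"]), pstdev(b["mb"])
    return base

def score_event(baseline, event, z_threshold=3.0):
    """Reasons an event deviates from its user's baseline; empty list means consistent."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]      # new accounts need review, not silence
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append(f"new country {event['country']}")
    if not any(abs(event["hour"] - h) <= 1 for h in b["hours"]):   # allow an hour of drift
        reasons.append(f"off-hours activity at {event['hour']:02d}:00")
    z = (event["mb_transferred"] - b["mb_mean"]) / (b["mb_sd"] or 1.0)
    if z > z_threshold:
        reasons.append(f"data transfer spike (z={z:.1f})")
    return reasons

# Constructed history: one user, office hours, modest mail volume, one country ("ZZ" below is a made-up code).
HISTORY = [{"user": "accounting@example-clinic.test", "country": "US", "hour": h, "mb_transferred": mb}
           for h, mb in [(8, 20), (9, 30), (10, 40), (11, 50), (13, 60), (14, 25), (15, 35), (17, 45)]]
BASELINE = build_baseline(HISTORY)
NORMAL_EVENT = {"user": "accounting@example-clinic.test", "country": "US", "hour": 10, "mb_transferred": 35}
ANOMALOUS_EVENT = {"user": "accounting@example-clinic.test", "country": "ZZ", "hour": 3, "mb_transferred": 900}
```

Each reason string is the kind of explanation the XAI point above asks for: an analyst sees which signal tripped and by how much, not just a score.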
Paubox’s generative AI features take this a step further by creating simulated attack scenarios to test and strengthen detection systems. It can generate realistic adversarial behaviors or synthetic threats, allowing organizations to expose weaknesses before real attackers do. This proactive approach helps fine-tune anomaly detection models, making them more resilient against evolving cyber threats.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is MFA?
MFA is a security mechanism that requires users to verify their identity with two or more distinct authentication factors before gaining access to an account or system.
How does MFA work differently from single-factor authentication?
While single-factor authentication requires only one method (usually a password) to access resources, MFA requires multiple credentials from different categories. For example, after entering a password, a user might be required to enter a one-time code sent to their smartphone or approve a push notification.
Can MFA completely prevent account compromise?
While MFA enhances security, it is not foolproof. Attackers can still bypass MFA using techniques such as phishing for one-time codes, social engineering to trick users into approving logins, exploiting vulnerabilities in legacy systems that bypass MFA, or stealing session tokens.