Beyond fake login pages
For years, phishing meant a crude clone of a login page and a hope that someone would type their password. Defenders responded with spam filters, link rewriting, multi-factor authentication (MFA) and security awareness. So attackers adapted. The techniques below are the current professional tradecraft seen across Europe - industrialised through Phishing-as-a-Service kits and increasingly AI-assisted lures, according to ENISA threat reporting. Phishing remains the leading initial-access vector in the EU.
What unites these methods is that they target the gaps between controls: the moment between a valid login and a valid session, the human reflex to make an annoying prompt stop, or trust in a familiar popup. None of them require breaking encryption. They are social-engineering problems wearing technical clothing, which is exactly why they reward defenders who understand both layers. If you are new to the basics, our overview of the different types of phishing is a useful companion to this article.
Adversary in the middle: real-time proxies that defeat basic MFA
Adversary-in-the-middle (AiTM) is the technique that quietly broke a lot of MFA. Instead of a static fake page, the attacker runs a reverse proxy that sits between the victim and the real service - for example a genuine Microsoft 365 login. The victim sees the real site (because they are talking to it, relayed through the proxy), enters their password, and completes the MFA challenge as normal.
The catch is that the proxy captures not just the password but the authenticated session token the service issues afterwards. With that token, the attacker is logged in as the user - MFA already satisfied. Ready-made AiTM kits such as the widely reported Tycoon2FA have made this approach accessible to non-experts. Because the user genuinely authenticated, basic MFA prompts that simply ask 'approve / deny' offer little protection here.
- The lure links to an attacker-controlled proxy domain, not the real service.
- The proxy relays the live login, so the page and MFA flow look entirely authentic.
- The session token - not the password - is the real prize, granting immediate access.
- SMS codes, one-time passwords and basic push approvals are all relayed transparently.
MFA fatigue and push bombing
MFA fatigue, also called push bombing, attacks the human rather than the protocol. The attacker already has a valid password (often bought from an info-stealer or harvested earlier) and simply triggers login attempts repeatedly. Each attempt sends a push notification to the victim's phone: approve or deny.
The bet is psychological. After a dozen prompts at an inconvenient hour, many people approve one just to make the buzzing stop, or assume IT is doing maintenance. Some attackers add pressure with a call or message impersonating the help desk, telling the user to 'accept the prompt to resolve the issue' - a blend of vishing and MFA fatigue. The defence is partly technical (number matching, which forces the user to type a code shown on screen rather than tap blindly) and partly cultural: make it normal to deny unexpected prompts and report them.
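Both of the patterns above leave traces in sign-in telemetry: a run of push prompts that are denied or time out and then one that is approved, and a session token issued to one login but presented a few minutes later from a different address and client. The following detection logic is an added example written for this article (it is not PhishGun's code and not any vendor's schema); the event format, field names and log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample sign-in events (not real logs; the field names are an
# assumption for this example, not a vendor's schema).  'kind' is one of:
#   mfa_push - a push prompt was sent; 'result' is approved, denied or timeout
#   auth     - a login completed and 'session_id' was issued
#   session  - a request presented an existing session token
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T02:10:00Z","user":"alice","kind":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2024-05-01T02:10:30Z","user":"alice","kind":"mfa_push","result":"denied","ip":"203.0.113.7"}
{"ts":"2024-05-01T02:11:00Z","user":"alice","kind":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2024-05-01T02:11:40Z","user":"alice","kind":"mfa_push","result":"timeout","ip":"203.0.113.7"}
{"ts":"2024-05-01T02:12:10Z","user":"alice","kind":"mfa_push","result":"approved","ip":"203.0.113.7"}
{"ts":"2024-05-01T09:00:00Z","user":"bob","kind":"auth","session_id":"S1","ip":"198.51.100.20","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:00:05Z","user":"bob","kind":"session","session_id":"S1","ip":"198.51.100.20","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-01T09:03:00Z","user":"bob","kind":"session","session_id":"S1","ip":"192.0.2.99","ua":"python-requests/2.31"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","kind":"mfa_push","result":"approved","ip":"198.51.100.40"}
{"ts":"2024-05-01T10:00:10Z","user":"carol","kind":"auth","session_id":"S2","ip":"198.51.100.40","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-01T10:30:00Z","user":"carol","kind":"session","session_id":"S2","ip":"198.51.100.40","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a user who received `threshold` or more pushes that were denied or
    timed out within `window`, and record whether an approval followed the
    burst (the fatigue outcome described above)."""
    alerts = []
    pushes_by_user = defaultdict(list)
    for ev in events:
        if ev["kind"] == "mfa_push":
            pushes_by_user[ev["user"]].append(ev)
    for user, pushes in pushes_by_user.items():
        unanswered = [p for p in pushes if p["result"] != "approved"]
        for start in unanswered:
            burst = [p for p in unanswered
                     if timedelta(0) <= p["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                approved_after = any(p["result"] == "approved" and p["ts"] > last
                                     for p in pushes)
                alerts.append({"user": user, "pushes": len(burst),
                               "approved_after": approved_after})
                break  # one alert per user is enough for triage
    return alerts


def detect_session_reuse(events):
    """Flag a session token presented from a different IP or user agent than
    the login that issued it: what a token relayed through an AiTM proxy and
    then replayed from the attacker's own tooling looks like."""
    issued = {}
    alerts = []
    for ev in events:
        if ev["kind"] == "auth":
            issued[ev["session_id"]] = ev
        elif ev["kind"] == "session":
            login = issued.get(ev["session_id"])
            if login and (ev["ip"] != login["ip"] or ev["ua"] != login["ua"]):
                alerts.append({"user": ev["user"], "session_id": ev["session_id"],
                               "login_ip": login["ip"], "seen_ip": ev["ip"],
                               "seen_ua": ev["ua"],
                               "minutes_after_login": (ev["ts"] - login["ts"]).total_seconds() / 60})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_push_bombing(evs) + detect_session_reuse(evs):
        print(alert)
```

Two caveats when moving this onto real data. Address changes are routine on mobile networks and VPNs, so the session-reuse rule should be enriched with ASN or geolocation before it pages anyone; a client string that changes from a browser to a scripting library is the stronger signal. And in an AiTM login the address that performed the authentication is already the proxy's, so the login event itself is worth scoring against the user's usual networks, not only the replays that follow it.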
Browser-in-the-browser: fake popups inside a real page
Browser-in-the-browser (BitB) exploits a habit everyone has: trusting the 'Sign in with Microsoft' or 'Sign in with Google' popup. When you click such a single sign-on (SSO) button, a small secondary window normally opens. BitB fakes that window entirely using ordinary web page elements - a fabricated title bar, a convincing address bar showing the legitimate domain, and the familiar styling.
Because the fake window is drawn inside the malicious page, the address bar text is just a picture the attacker controls; it can read 'login.microsoftonline.com' while everything you type goes to them. The tell is behavioural: a real popup is a separate operating-system window you can drag outside the parent page. A fake one is trapped inside it. Teaching users to drag the SSO window - and to reach login pages through bookmarks rather than links - neutralises much of this technique.
- The 'popup' cannot be dragged outside the main browser window.
- The window's controls feel slightly off, or buttons do nothing.
- The page asks you to re-authenticate at an unusual moment or in an unexpected context.
OAuth consent phishing: stealing access without stealing a password
OAuth consent phishing sidesteps passwords entirely. Instead of asking for credentials, the attacker invites the user to grant a malicious application permissions - to read email, files or the calendar, for example - through the legitimate consent screen of Microsoft 365 or Google Workspace. The user clicks 'Accept' on a real, properly branded permission dialog.
The result is persistent, token-based access. Because no password was stolen, resetting the password does not revoke it; the malicious app keeps its granted access until an administrator explicitly removes consent. This makes OAuth consent phishing especially valuable for quiet, long-term access and is a common foundation for business email compromise. Defenders counter it by restricting which apps users can consent to, requiring admin approval for risky permissions, and regularly reviewing granted application permissions in the tenant.
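The "regularly reviewing granted application permissions" step lends itself to a script. The audit below is an added example written for this article, not PhishGun's code and not a Microsoft sample. Its records are modelled on the fields Microsoft Graph returns for oauth2PermissionGrant objects (clientId, consentType, principalId, resourceId, scope) and the permission names are real Graph scopes, but the grants, app names, service-principal ids and the list of scopes treated as risky are constructed assumptions for the example.

```python
# Delegated scopes that give an app standing access to mailbox or file contents,
# or let it keep refreshing its tokens (offline_access).  Assumed list; tune it.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access"}

# Service principal ids of apps the organisation has vetted (constructed).
APPROVED_APPS = {"sp-0001"}

# Constructed grants in the shape of Graph oauth2PermissionGrant objects.
# consentType "AllPrincipals" = an admin consented for the whole tenant;
# "Principal" = a single user consented for themselves (the consent-phishing case).
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Mail.Read offline_access"},
    {"id": "g2", "clientId": "sp-0042", "consentType": "Principal", "principalId": "user-alice",
     "resourceId": "graph", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-0099", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "graph", "scope": "Mail.ReadWrite Files.Read.All offline_access"},
    {"id": "g4", "clientId": "sp-0123", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Mail.Read"},
]
SAMPLE_APP_NAMES = {"sp-0001": "Corporate Mail Archiver", "sp-0042": "Survey Widget",
                    "sp-0099": "Document Viewer Pro", "sp-0123": "Newsletter Sync"}


def risky_scopes(scope_field):
    """Graph stores delegated scopes as one space-separated string."""
    return sorted(set(scope_field.split()) & RISKY_SCOPES)


def audit_grants(grants, app_names, approved=APPROVED_APPS):
    """Return one finding per grant that gives an unvetted app a risky scope."""
    findings = []
    for g in grants:
        risky = risky_scopes(g["scope"])
        if not risky or g["clientId"] in approved:
            continue
        granted_by = ("admin, tenant-wide" if g["consentType"] == "AllPrincipals"
                      else f"user {g['principalId']}")
        findings.append({
            "grant_id": g["id"],
            "app": app_names.get(g["clientId"], g["clientId"]),
            "granted_by": granted_by,
            "risky_scopes": risky,
            # offline_access means the app holds a refresh token and keeps
            # working after the user's password is reset.
            "keeps_refreshing": "offline_access" in risky,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, SAMPLE_APP_NAMES):
        print(finding)
```

A finding with "keeps_refreshing" is the case the text warns about: the remediation is deleting the grant (and the app's service principal if it is not needed), not resetting the user's password, and then checking the app's sign-in activity for the period it held access.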
Quishing: phishing through QR codes
Quishing replaces the clickable link with a QR code, often embedded in an image or PDF attachment. The appeal to attackers is twofold. First, a QR code is just a picture to most email security tools, so it can slip past link scanners that would have flagged a malicious URL. Second, scanning it moves the victim onto a personal phone - typically outside corporate filtering, endpoint protection and management.
Common European lures wrap the code in a plausible request: a 'mandatory' MFA re-enrolment, a shared document, a parcel notice from a courier or postal service, or an HR form. Once scanned, the destination is an ordinary phishing or AiTM page. Because the action happens on a phone, the usual desktop warning signs are missing. Encourage staff to treat unexpected QR codes in email and print with the same suspicion as any link, and to verify requests through a known channel before scanning.
ClickFix: tricking users into compromising themselves
ClickFix is a fast-growing technique that turns the victim into the delivery mechanism. The lure presents a fake error message, a bogus 'verify you are human' check, or a 'document failed to load - here is the fix' prompt. The instructions then walk the user through copying some text and pasting it into a system dialog such as the Windows Run box or a terminal, framed as a harmless troubleshooting step.
What the user pastes is actually a command that downloads and runs malware. Because the victim performs the action manually, it bypasses many automated protections - there is no malicious attachment to scan and no obvious download to block. ClickFix is effective precisely because it borrows the language of routine IT support. The core defensive message is simple and memorable: legitimate websites and error messages never ask you to copy and paste commands into Run, PowerShell or a terminal.
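Because the user launches the pasted command from the Run box or a terminal, the resulting process tree is distinctive: a script interpreter whose parent is explorer.exe or a terminal host, with a command line that fetches something from the network or hides itself. The rule below is an added example written for this article (not PhishGun's code, not a Sysmon rule from any project). The field names Image, ParentImage, CommandLine and User follow Sysmon Event ID 1 process-creation events; the events, paths and indicator lists are constructed for the example.

```python
import re

# Interpreters a pasted one-liner usually lands in (assumed list).
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe"}
# Parents that mean "started from a shell dialog or terminal by a person",
# rather than by an installer, scheduled task or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}
# Signs that the command reaches out to the network or hides its content.
SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\s|iex\b|invoke-expression|downloadstring|invoke-webrequest|"
    r"\bcurl\b|\bwget\b|https?://|-w(indowstyle)?\s+hidden|mshta\s+https?://)",
    re.IGNORECASE,
)

# Constructed events (base64 payload and hostnames are placeholders, not real).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -enc QUFBQUFBQUFBQUFB",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r"powershell -File C:\ProgramData\Vendor\update.ps1",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir",
     "User": r"CORP\carol"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict if the event matches the ClickFix pattern, else None."""
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    if child not in PASTE_TARGETS or parent not in INTERACTIVE_PARENTS:
        return None
    match = SUSPICIOUS.search(event["CommandLine"])
    if not match:
        return None
    return {"user": event["User"], "child": child, "parent": parent,
            "indicator": match.group(0)}


def run_detection(events):
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Commands typed into the Run dialog start with explorer.exe as their parent, which is what makes the parent check useful. The rule will also fire on administrators pasting their own one-liners; handle that with an allowlist of admin accounts or workstations rather than by loosening the pattern, and pair the alert with the user-facing message in the text so the person involved knows what they are being asked about.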
How to defend against modern phishing
Modern phishing techniques defeat single controls, so defence has to be layered across identity, configuration and people. The most decisive technical move is phishing-resistant authentication.
Harden identity
- Deploy passkeys / FIDO2 for the accounts that matter most. Because they are cryptographically bound to the legitimate website, the credential cannot be replayed on an AiTM proxy or a browser-in-the-browser popup - this is the strongest answer to credential and session phishing.
- Where push MFA remains, enable number matching to blunt MFA fatigue.
- Use conditional access policies - restrict logins by device compliance, location or risk so a stolen session token is harder to reuse.
- Restrict OAuth app consent and require admin approval for sensitive permissions; review granted consents regularly.
Strengthen email and configuration
- Enforce SPF, DKIM and DMARC (with a quarantine or reject policy) to curb domain spoofing.
- Scan attachments and images for embedded QR codes, and treat external SSO and login prompts with care.
- Shorten session lifetimes and revoke tokens promptly when risk is detected.
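The SPF and DMARC item above is easy to state and easy to get subtly wrong: a DMARC record with p=none, or a pct below 100, or an SPF record ending in ?all, is published but enforces nothing. The checker below is an added example written for this article, not PhishGun's tooling. It takes the record text as input so it runs offline; in practice the strings come from a TXT lookup of the domain and of _dmarc.<domain>. The sample records are constructed for example.com.

```python
import re

# Constructed records (not any real domain's DNS).
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
SPF_NEUTRAL = "v=spf1 include:_spf.example.net ?all"
SPF_ENFORCED = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return the list of enforcement gaps in a DMARC record (empty = good)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    # sp (subdomain policy) defaults to p when absent.
    sub = tags.get("sp", policy).lower()
    if sub not in ("quarantine", "reject"):
        issues.append(f"sp={sub or 'missing'}: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return issues


# Mechanisms and the redirect modifier that cost a DNS lookup (limit: 10).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}


def check_spf(record):
    """Return the list of problems in an SPF record (empty = good)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    # The trailing 'all' decides what happens to senders that matched nothing.
    # '~all' (softfail) is not a pass, so DMARC alignment still fails for
    # spoofed mail; it is therefore not flagged here.
    if last in ("all", "+all"):
        issues.append("'+all': every sender passes SPF")
    elif last == "?all":
        issues.append("'?all': neutral result, no enforcement")
    elif not last.endswith("all") and not last.startswith("redirect="):
        issues.append("no 'all' mechanism: unmatched senders default to neutral")
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms: over the limit of 10, evaluators return permerror")
    return issues


if __name__ == "__main__":
    for name, rec in [("DMARC monitor-only", DMARC_MONITOR_ONLY), ("DMARC partial", DMARC_PARTIAL),
                      ("DMARC enforced", DMARC_ENFORCED)]:
        print(name, check_dmarc(rec) or "ok")
    for name, rec in [("SPF neutral", SPF_NEUTRAL), ("SPF enforced", SPF_ENFORCED)]:
        print(name, check_spf(rec) or "ok")
```

The pct and sp checks are the ones most often missed in a manual review: a record that reads p=reject looks enforced at a glance, but pct=10 applies that policy to one message in ten, and a missing sp on a domain with unused subdomains leaves them as free spoofing targets unless p itself is already quarantine or reject.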
Invest in people
Employees are the solution, not the problem - but only if they have seen these techniques before they meet them for real. Awareness of AiTM, push bombing, BitB, quishing and ClickFix turns a moment of doubt into a report rather than a click. Realistic, localised phishing simulations paired with in-the-moment micro-training - using platforms such as PhishGun - build measurable resilience over time and provide audit-ready evidence for frameworks like NIS2 and DORA. For the full programme view, see our guidance on how to prevent phishing; for targeted threats, our article on spear phishing and BEC goes deeper.
Frequently asked questions
What are the most dangerous modern phishing techniques?
Adversary-in-the-middle (AiTM) is among the most dangerous because it captures the session token after a genuine login, bypassing basic MFA. OAuth consent phishing is also serious, as it grants persistent access without stealing a password, and ClickFix is rising fast by tricking users into running malware themselves.
Does MFA stop modern phishing?
Basic MFA stops many attacks but not all. AiTM proxies relay codes and steal session tokens, and MFA fatigue tricks users into approving prompts. Phishing-resistant methods like passkeys and FIDO2 are bound to the real website and defeat these attacks, so they are the recommended upgrade.
What is quishing and why does it bypass email filters?
Quishing is phishing that uses a QR code instead of a clickable link. Many email security tools treat the code as an image and do not scan it, so it can slip past URL filters. Scanning also moves the victim to a personal phone, usually outside corporate protections.
What is ClickFix?
ClickFix is a social-engineering lure that shows a fake error or CAPTCHA and instructs the victim to copy and paste a command into the Windows Run box or a terminal. That command installs malware. No legitimate website or error ever asks you to paste commands like this.
How do passkeys protect against adversary-in-the-middle attacks?
Passkeys use public-key cryptography bound to the legitimate website's origin (via WebAuthn/FIDO2). Because the credential only works on the real domain, it cannot be replayed through an AiTM proxy or a fake popup, which neutralises the most common credential and session phishing techniques.
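The origin binding described in this answer, in the "Harden identity" list and in the browser-in-the-browser section comes from three concrete checks on the relying-party side, and from one rule the browser applies before an authenticator is even asked. The sketch below is an added example written for this article, not PhishGun's code and not a WebAuthn library. The relying-party identifier, the expected origin and the credential secret are assumptions; the signature primitive is replaced by an HMAC over a shared secret so the example runs on the standard library alone, where a real deployment verifies an ECDSA or EdDSA signature with the public key stored at registration. It goes one step beyond the text by also showing a page on a sibling subdomain of the same RP ID, which the browser allows but the relying party must still reject.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                          # relying party identifier (assumption)
EXPECTED_ORIGIN = "https://login.example.com"  # where the RP really serves sign-in

# Authenticator side: a credential exists only for the RP ID it was registered
# under.  Constructed secret; a real authenticator holds a private key here.
AUTHENTICATOR_CREDENTIALS = {"example.com": b"constructed-credential-secret"}
# Relying-party side: in reality the public key saved at registration.
RP_CREDENTIAL = AUTHENTICATOR_CREDENTIALS["example.com"]


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin, requested_rp_id, challenge):
    """What the browser and authenticator do for navigator.credentials.get().
    The page picks the RP ID and the challenge; the browser writes the origin,
    and the page has no way to change it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    # Browser rule: the RP ID must be the page's host or a parent domain of it.
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"{page_origin} may not use RP ID {requested_rp_id!r}")
    secret = AUTHENTICATOR_CREDENTIALS.get(requested_rp_id)
    if secret is None:
        raise ValueError(f"no credential registered for RP ID {requested_rp_id!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1, UP bit set) || signCount (4)
    auth_data = (hashlib.sha256(requested_rp_id.encode()).digest()
                 + b"\x01" + (0).to_bytes(4, "big"))
    # Stand-in for the signature over authenticatorData || SHA-256(clientDataJSON).
    signature = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                         "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": signature}


def rp_verify(assertion, challenge):
    """The relying party's checks: type, challenge, origin, rpIdHash, flags, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(RP_CREDENTIAL, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def attempt(page_origin, requested_rp_id):
    """Run one sign-in from `page_origin` and return (accepted, reason)."""
    challenge = b"\x11" * 32  # constructed; a real RP draws os.urandom(32) per login
    try:
        assertion = browser_get_assertion(page_origin, requested_rp_id, challenge)
    except ValueError as exc:
        return False, f"browser refused: {exc}"
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    scenarios = [
        ("https://login.example.com", "example.com"),                      # genuine sign-in
        ("https://login.example-secure.invalid", "example.com"),            # AiTM proxy or BitB page
        ("https://login.example-secure.invalid", "example-secure.invalid"),  # proxy using its own RP ID
        ("https://cdn-upload.example.com", "example.com"),                  # sibling subdomain
    ]
    for origin, rp in scenarios:
        print(origin, rp, attempt(origin, rp))
```

The second and third scenarios are the AiTM and browser-in-the-browser cases: the page the user is actually on belongs to the attacker, so the browser either refuses the RP ID outright or finds no credential for it, and nothing reaches the relying party. The fourth scenario is why the origin check in rp_verify is not redundant with rpIdHash: a page on any subdomain of example.com may legitimately request that RP ID, so the relying party must still insist that the origin in clientDataJSON is the one it serves sign-in from.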