You've enabled two-factor authentication (2FA) on all your business accounts. Your employees get a code texted to their phone or use an authenticator app. You're protected from account compromises, right?
Not quite.
Traditional 2FA is better than passwords alone, but it's not phishing-resistant. Attackers have adapted, and business email compromise still happens even when 2FA is enabled.
How Traditional 2FA Works
Standard 2FA adds a second verification step after entering your password. This usually comes in three forms:
- SMS codes sent to your phone. You enter your password, receive a text with a six-digit code, enter that code, and you're in.
- Authenticator apps like Microsoft Authenticator, Google Authenticator, or Authy. They generate time-based codes that change every 30 seconds.
- Push notifications. You enter your password, get a notification on your phone asking "Is this you?", tap yes, and you're authenticated.
All three methods are significantly better than passwords alone. If someone steals your password, they still can't access your account without the second factor.
The problem is that all three can be phished.
How Attackers Bypass Traditional 2FA
Fake Login Pages
The most common attack uses fake Microsoft or Google login pages that look identical to the real thing. These aren't amateur efforts with obvious spelling mistakes and broken layouts. Modern phishing kits create pixel-perfect replicas of legitimate login pages.
The attacker registers a domain like microsoftonline-secure.com or accounts-google-verification.com. They copy the exact HTML, CSS, and JavaScript from the real login page. The page looks right, the URL seems plausible at a glance, and if they've set up a TLS certificate (still commonly called an SSL certificate, free and issued in minutes), you even see the padlock in your browser.
You enter your username and password. The page looks exactly like the real Microsoft 365 or Google Workspace login. Behind the scenes, the attacker's system captures your credentials and immediately attempts to log into the real service.
Real-Time Phishing Attacks
An attacker sends a phishing email with a link to their fake login page. You enter your username and password. Instead of just stealing those credentials, the attacker's system immediately uses them to log into the real service.
The real service sends a 2FA code to your phone. You receive it, thinking it's legitimate because you just tried to log in (to what you thought was the real site). You enter the code on the fake page.
The attacker's automated system takes that code and enters it on the real login page. They're now logged into your account, using your credentials and your 2FA code, all within the 30-second window before the code expires.
This happens in seconds. The entire process is automated. You think you logged in normally. The attacker is already in your account.
Adversary-in-the-Middle (AitM) Attacks
More sophisticated attackers use proxy servers that sit between you and the real login page. When you access the fake site, it's actually loading the real login page through the attacker's proxy.
You see the legitimate login page (because it is the legitimate page, just proxied). You enter your credentials and 2FA code. The proxy passes everything through to the real service and captures your session cookie.
Session cookies are what keep you logged in after authentication. With your session cookie, the attacker doesn't need your password or 2FA code anymore. They can access your account using the active session.
This works against SMS codes, authenticator apps, and push notifications. All of them.
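Why the relay in the two sections above succeeds, and why the phishing-resistant option mentioned later does not fall to it, shown as an added example (not code from the original post). The TOTP part is a straight RFC 6238 implementation; the WebAuthn part is a simplified relying-party check that assumes the authenticator signature has already been verified. The secret, clock value, challenge and the two origins are constructed for the demo.

```python
import base64, hashlib, hmac, json, struct

# --- TOTP (RFC 6238): the scheme behind Microsoft/Google Authenticator codes ---
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second window that contains Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def totp_verify(secret: bytes, code: str, at: int) -> bool:
    """Server-side check. Only the shared secret and the clock are involved:
    nothing in the code records which page it was typed into, so a code
    captured on a look-alike page and relayed inside the window passes."""
    return hmac.compare_digest(totp(secret, at), code)

# --- WebAuthn-style check: the browser writes the origin it showed into clientDataJSON ---
def webauthn_origin_ok(client_data_json: bytes, expected_origin: str, expected_challenge: bytes) -> bool:
    """Simplified relying-party checks from the WebAuthn assertion ceremony.
    Assumes the authenticator signature over authenticatorData || SHA-256(clientDataJSON)
    has already been verified, which is what makes these browser-written fields trustworthy."""
    data = json.loads(client_data_json)
    raw = data.get("challenge", "")
    challenge = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    return (data.get("type") == "webauthn.get"
            and data.get("origin") == expected_origin          # proxy's domain != real origin
            and hmac.compare_digest(challenge, expected_challenge))

def demo() -> dict:
    secret = b"constructed-demo-seed-not-a-real-key"   # constructed sample seed
    now = 1_700_000_010                                 # fixed clock, start of a 30 s window
    relayed_code = totp(secret, now)                    # what the victim types on the fake page
    challenge = bytes(range(32))                        # constructed RP challenge
    real, fake = "https://login.example.com", "https://login-example-secure.com"  # constructed
    def client_data(origin: str) -> bytes:
        enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
        return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()
    return {
        # the real service verifies the relayed TOTP 10 s later: accepted, same window
        "totp_relayed": totp_verify(secret, relayed_code, now + 10),
        # an assertion created on the real origin is accepted ...
        "webauthn_real_origin": webauthn_origin_ok(client_data(real), real, challenge),
        # ... but one created while the victim was on the proxy's domain is rejected
        "webauthn_proxied_origin": webauthn_origin_ok(client_data(fake), real, challenge),
    }

if __name__ == "__main__":
    print(demo())
```

The same property holds for a session cookie: it is a bearer value with no origin inside it, so the only defenses are keeping the victim off the proxy (email filtering) and binding the login to the origin (WebAuthn/security keys).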
Push Notification Fatigue
If an attacker has your password, they can trigger multiple login attempts. Each attempt sends a push notification to your phone.
Attackers spam these notifications. 10, 20, 50 push requests in a row. Eventually, you get annoyed and tap "yes" just to make them stop. Or you assume it's a glitch and approve one thinking it's your own login attempt.
The attacker gets in.
Microsoft reported seeing this attack method used successfully against multiple organizations in 2023. It works because it exploits human behavior, not technical vulnerabilities.
Business Email Compromise with 2FA Enabled
I've worked with clients who had 2FA enabled on all Microsoft 365 accounts and still experienced business email compromise. Here's how it happens:
Employee receives a phishing email impersonating Microsoft, Google, or an internal IT notification. "Your password is expiring. Click here to update it."
Employee clicks the link, enters credentials on the fake page, receives a 2FA code, enters it. Attacker now has access.
The attacker doesn't immediately send suspicious emails or make obvious changes. They watch. They read the compromised account's email for days or weeks. They learn communication patterns, business processes, who approves payments, who requests information.
Then they act. An email goes out from the legitimate, compromised account to the finance team: "Need this wire transfer processed today for the new vendor. Here are the account details."
The email comes from a real account with valid 2FA protection. It looks completely legitimate because it is legitimate from a technical standpoint. The only problem is someone else is controlling it.
What Actually Stops These Attacks
The solution isn't better 2FA (though phishing-resistant authentication exists). The solution is preventing the phishing email from reaching the inbox in the first place.
Advanced email security solutions like Ironscales include BEC protection that goes beyond traditional spam filtering. These systems analyze behavioral patterns and catch compromised accounts even when the email itself appears completely legitimate.
When an account is compromised and starts sending emails, Ironscales detects anomalies like unusual sending times, messages to recipients the account hasn't contacted before, requests that deviate from normal communication patterns, and language that doesn't match the user's typical style.
Traditional email protection from Microsoft or Google can't catch this because technically there's nothing wrong – it's a real account sending real email with valid authentication. But behavioral analysis identifies that something is off about how the account is being used.
This is the same protection that catches compromised vendor emails. The sender is legitimate and trusted, but the content and behavior indicate compromise.
Why Traditional 2FA Still Matters
Even though traditional 2FA isn't phishing-resistant, it's still better than nothing. It blocks:
- Credential stuffing attacks where attackers use stolen passwords from data breaches
- Brute force attacks trying to guess passwords
- Unauthorized access from lost or stolen passwords
- Most opportunistic attackers who aren't using sophisticated phishing infrastructure
The problem is that it doesn't protect against targeted attacks. If someone is specifically phishing your organization, traditional 2FA won't stop them.
What Businesses Should Do
- Deploy email security with BEC protection. Solutions like Ironscales detect compromised accounts and catch phishing emails before they reach inboxes. The goal is to prevent the phishing attempt entirely, not just limit the damage after someone falls for it.
- Keep traditional 2FA enabled. Even though it's not phishing-resistant, it still blocks credential stuffing, brute force attacks, and most opportunistic attackers.
- Monitor for account compromise indicators. Unusual login locations, after-hours access, mass email deletions, mailbox rule changes (forwarding emails elsewhere), and unexpected permission changes all suggest compromise.
- Train employees on phishing recognition. Technology helps, but users need to know what phishing looks like and how to report it.
- Have an incident response plan. When an account is compromised, you need to know immediately what to do. Reset credentials, revoke active sessions, check for mailbox rules, review sent items, notify affected parties.
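The compromise indicators from the monitoring item above, turned into a triage function as an added example (not code from the original post). The events are constructed samples in a simplified shape, not real Microsoft 365 audit-log output, although the operation and parameter names (UserLoggedIn, New-InboxRule, Set-Mailbox, ForwardTo, ForwardingSmtpAddress, HardDelete) are the ones Exchange Online records; the thresholds, business hours, known countries and addresses are assumptions.

```python
from datetime import datetime

# Constructed sample events (simplified shape, not real unified-audit-log records).
EVENTS = [
    {"user": "cfo@example.com", "op": "UserLoggedIn", "time": "2024-03-04T09:12:00", "country": "US"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "time": "2024-03-04T02:41:00", "country": "NG"},
    {"user": "cfo@example.com", "op": "New-InboxRule", "time": "2024-03-04T02:45:00",
     "params": {"ForwardTo": "payments@mail-attacker.example", "DeleteMessage": True}},
    {"user": "cfo@example.com", "op": "HardDelete", "time": "2024-03-04T02:50:00", "count": 230},
    {"user": "cfo@example.com", "op": "Set-Mailbox", "time": "2024-03-04T02:52:00",
     "params": {"ForwardingSmtpAddress": "smtp:cfo@example.com"}},   # internal, benign
]

KNOWN_COUNTRIES = {"cfo@example.com": {"US"}}      # assumed baseline per user
INTERNAL_DOMAINS = {"example.com"}                 # assumed tenant domains
BUSINESS_HOURS = range(7, 20)                      # assumed local working hours
MASS_DELETE_THRESHOLD = 100                        # assumed threshold
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

def is_external(address: str) -> bool:
    """True when the mailbox domain is not one of ours ('smtp:' prefix tolerated)."""
    addr = address.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def find_indicators(events):
    """Return (user, indicator, detail) tuples for the signs of compromise listed above."""
    findings = []
    for e in events:
        user, op = e["user"], e["op"]
        hour = datetime.fromisoformat(e["time"]).hour
        if op == "UserLoggedIn":
            if e["country"] not in KNOWN_COUNTRIES.get(user, set()):
                findings.append((user, "login from new country", e["country"]))
            if hour not in BUSINESS_HOURS:
                findings.append((user, "after-hours login", e["time"]))
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            params = e.get("params", {})
            for key in FORWARD_KEYS:
                if key in params and is_external(params[key]):
                    findings.append((user, "forwarding rule to external address", params[key]))
            if params.get("DeleteMessage"):
                findings.append((user, "rule deletes messages (hides replies)", op))
        elif op in ("HardDelete", "SoftDelete") and e.get("count", 0) >= MASS_DELETE_THRESHOLD:
            findings.append((user, "mass deletion", e["count"]))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(EVENTS):
        print(finding)
```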
Real-World Example
Client came to me after their CFO's email was compromised despite having Microsoft Authenticator enabled. Attacker used a real-time phishing attack with a fake Microsoft login page. CFO entered credentials and authenticator code thinking it was the legitimate Microsoft 365 login. Attacker was in the account within seconds.
The attacker spent three days reading emails, learning vendor relationships and payment processes. Then sent an email to accounts payable requesting a $43,000 wire transfer to update a vendor's banking information.
AP almost processed it. The only reason they didn't was that they happened to call the vendor directly to confirm. Vendor had no idea what they were talking about.
We deployed Ironscales for email security with BEC protection. The behavioral analysis would have flagged the unusual payment request from the compromised account.
No successful compromises since.
The Bottom Line
Two-factor authentication is necessary but not sufficient. Traditional 2FA (SMS codes, authenticator apps, push notifications) can be phished using fake login pages that look identical to Microsoft or Google. Attackers have automated systems specifically designed to bypass it.
Business email compromise happens even with 2FA enabled because compromising accounts is easier than you think, and once attackers are in, 2FA doesn't protect against what they do next.
The real protection comes from email security solutions with BEC detection that prevent phishing emails from reaching inboxes and identify compromised accounts based on behavioral analysis. Combined with employee training and monitoring, you get defense in depth that addresses both the attack vector and the vulnerability.
If you're running a business on Microsoft 365 or Google Workspace and relying solely on authenticator apps or SMS codes without additional email security, you're leaving a gap that attackers know how to exploit.
Need Help Securing Your Business?
I help small and mid-size businesses implement proper email security and phishing-resistant authentication, and protect against business email compromise.
Whether you need help configuring conditional access policies, deploying security keys, implementing additional email protection, or want someone to audit your current security posture, reach out through the contact page.