Halt MFA Bombing Attacks Before They Impact Your Business

By Michael Downs

MFA bombing has become a high-stakes threat capable of crippling operations and draining corporate finances. Michael Downs highlights how attackers manipulate multi-factor authentication to bypass security, as seen in the JLR and M&S incidents. Strengthening MFA with adaptive and phishing-resistant methods can prevent catastrophic losses and protect shareholder value.

Cyber attacks are no longer a challenge isolated to security departments. Today, they are among the biggest threats to modern organisations, capable of wreaking havoc through major operational disruptions and astronomical costs.

The attack suffered by Marks & Spencer in April 2025 is a case in point. The retailer has experienced a major dip in profits, with the hack having cost it an estimated £324 million in losses. Yet it is not the only company that has seen major financial hardship as a result of digital threats in recent times.

In September 2025, Jaguar Land Rover (JLR) also became embroiled in a major cybersecurity saga that saw manufacturing halted across several of the automaker’s plants, both in the UK and overseas. It’s estimated that JLR lost up to £50 million per week during the shutdown. What’s more, the impact on the wider JLR supply chain is said to have cost the UK economy as much as £1.9 billion.

Such astronomical sums can leave lasting impacts on even the biggest companies, and that’s before we mention the brand damages, regulatory fines and ongoing disruption that follow. Without question, cybercrime has become an existential threat for companies – operationally, financially, and reputationally.

It is, therefore, imperative that firms protect themselves properly. Cybersecurity investments can be a mere drop in the ocean compared to the potential costs that can evolve from cyber attacks. However, many gaps continue to exist in cyber strategies that can and should be bridged.

Threat actors are manipulating multi-factor authentication

If recent headlines are anything to go by, firms need to make bolstering their multi-factor authentication (MFA) practices a priority.

In the case of the JLR attack, the primary technique used by the threat actors involved was MFA bombing and help desk impersonation. Interestingly, the same can be said of the M&S attack, with both incidents having been linked to the infamous Scattered Spider hacking group.

According to CISA and other official bodies, Scattered Spider is widely recognised for social engineering tactics, underscoring the persistent threat they pose.

Specifically, MFA bombing sees attackers focusing not on technical weaknesses but on manipulating individuals into approving MFA requests they did not initiate.

First, they acquire the usernames and passwords of user accounts through phishing or by buying leaked credentials on the dark web. They are then able to use automated tools to trigger a flood of MFA approval requests. That barrage of notifications can quickly leave users frustrated or irritated, making them more likely to approve a fraudulent request simply to stop the prompts.
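The pattern described above (a burst of push challenges followed by an approval) is something an identity platform's logs can surface. The following is an added detection example, not code from the article or from any vendor: it runs over constructed sample log lines (timestamp, user, event) and flags users who receive at least THRESHOLD pushes within WINDOW, escalating when an approval lands shortly after the burst. The log format, WINDOW and THRESHOLD values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). Events:
# push_sent = an MFA push challenge was issued; push_approved/push_denied = the user's response.
SAMPLE_LOG = """\
2025-09-01T02:10:03Z alice push_sent
2025-09-01T02:10:09Z alice push_sent
2025-09-01T02:10:15Z alice push_sent
2025-09-01T02:10:21Z alice push_sent
2025-09-01T02:10:27Z alice push_sent
2025-09-01T02:10:40Z alice push_approved
2025-09-01T09:15:00Z bob push_sent
2025-09-01T09:15:12Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # sliding window in which pushes are counted (assumed)
THRESHOLD = 4                   # pushes within WINDOW that count as a bombing burst (assumed)


def parse(log):
    """Turn each log line into (datetime, user, event)."""
    events = []
    for line in log.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_bombing(log):
    """Return {user: {"pushes": n, "approved_after_burst": bool}} for every user
    whose push challenges inside WINDOW reached THRESHOLD."""
    alerts = {}
    recent = defaultdict(list)  # per-user timestamps of pushes still inside the window
    for ts, user, event in parse(log):
        if event == "push_sent":
            window = [t for t in recent[user] if ts - t <= WINDOW]
            window.append(ts)
            recent[user] = window
            if len(window) >= THRESHOLD:
                alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                alerts[user]["pushes"] = len(window)
        elif event == "push_approved" and user in alerts and ts - recent[user][-1] <= WINDOW:
            # High-severity case: an approval right after a burst suggests the user
            # accepted a prompt they did not initiate. Treat the session as suspect.
            alerts[user]["approved_after_burst"] = True
    return alerts
```

Bob's single push followed by an approval is normal sign-in behaviour and produces no alert; Alice's five pushes in under a minute followed by an approval is the case a SOC should page on.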

Best practices for stemming the MFA bombing threat

MFA continues to be an essential method of authenticating users; however, attackers use social engineering tactics to bypass it and manipulate user decisions, creating urgency and pressuring users into taking immediate action. These attacks are time-sensitive and might be difficult to spot in the moment.

Operationally and financially, companies simply cannot take the risk, as a single breach could cost hundreds of millions in ransom payments, regulatory fines or lost profits. However, many are still leaving the front door unlocked. Businesses are lagging on multi-factor authentication. The 2025 UK Cyber Security Breaches Survey found that only 40% of businesses have rolled out two-factor authentication (2FA), for example.

This needs to change. Given the threats, companies of all shapes and sizes should be looking to embrace MFA best practices to stem the MFA bombing threat. As well as employing good password hygiene, such as regular resets, educating users on the importance of rejecting suspicious login requests and reporting unexpected prompts to IT departments, firms can implement a range of additional controls to help bolster their MFA security.

Adaptive MFA, for example, is an advanced approach to MFA that uses context-based access control, analysing additional factors about a login attempt. This can include the location of login attempts; the device, operating system and browser used; and the user’s typical behaviour, for example, the time the user usually takes to authenticate.

Embracing phishing-resistant MFA

On top of adaptive MFA, companies should also embrace phishing-resistant MFA practices. These are advanced security methods that use cryptography to prevent attackers from stealing or intercepting your login credentials, even if they trick you into entering them on a fake website.

FIDO2 passkeys, for example, use unique cryptographic key pairs, with the private key staying on your device and the public key registered with a specific service. Similarly, certificate-based authentication installs a digital certificate directly on your device, which is, in turn, presented to the service to prove its identity cryptographically. As the private key never leaves your secure device, the risk of credential theft is significantly reduced.

FIDO2 uses public key cryptography with cryptographic origin binding, meaning every authentication is cryptographically tied to the specific domain where it was created. An attacker cannot relay or reuse FIDO2 credentials because they are cryptographically bound to specific domains. So even if a user is tricked into attempting to log into a fake phishing site (e.g., yourbank.com vs your-bank.com), the cryptographic check will fail automatically, and the credentials cannot be used.
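To make the origin-binding check concrete, here is an added example (not code from the article or any FIDO library) of the checks a relying party performs on a WebAuthn assertion before verifying the signature: the origin in clientDataJSON must be one the service accepts, the challenge must match the one it issued, and the rpIdHash at the start of authenticatorData must equal SHA-256 of the service's RP ID. The domains are the article's own illustration (yourbank.com vs your-bank.com); the assertion builder is a constructed stand-in for what a browser and authenticator would return, and the final signature verification is assumed to happen after these checks.

```python
import hashlib
import json

RP_ID = "yourbank.com"                        # relying party ID (the article's example domain)
ALLOWED_ORIGINS = {"https://yourbank.com"}    # origins this service will accept


def make_assertion(origin, challenge, rp_id):
    """Constructed stand-in for a browser/authenticator response. The browser fills
    clientDataJSON with the origin of the page the user is on, and the authenticator
    places SHA-256(rp_id) in the first 32 bytes of authenticatorData. A phishing page
    on your-bank.com therefore yields an assertion bound to your-bank.com, not yourbank.com."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags = b"\x01"                                    # bit 0: user presence
    counter = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion, expected_challenge):
    """Origin-binding checks the relying party performs. Returns (ok, reason).
    Assumption: the signature over authenticatorData || SHA-256(clientDataJSON)
    is verified with the registered public key after these checks pass."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo(challenge="server-issued-challenge-1"):
    """Genuine login on yourbank.com vs. the same user tricked onto your-bank.com."""
    genuine = make_assertion("https://yourbank.com", challenge, "yourbank.com")
    phished = make_assertion("https://your-bank.com", challenge, "your-bank.com")
    return verify_assertion(genuine, challenge), verify_assertion(phished, challenge)
```

The phished assertion is rejected on the origin check alone, and would also fail the rpIdHash check; a replayed genuine assertion fails on the challenge, since the server issues a fresh one per login.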

These added layers of protection can help users, systems and customer data to be more effectively safeguarded by MFA controls, which in turn can become a strategic enabler, reinforcing brand trust and supporting shareholder value.

Given the recent success of threat actors using MFA bombing against major corporations, implementing phishing-resistant MFA should be prioritised. These changes are quick, cost-effective, business-critical shields. Companies that treat them as such will be better prepared to protect themselves from the catastrophic costs and disruptions that can escalate when falling victim to sophisticated cyber attacks.

About the Author

Michael Downs is a seasoned sales leader with over 30 years’ experience driving growth in cyber security sales, specialising in multi-factor authentication (MFA), data discovery and access management. As Vice President of Global Sales at SecurEnvoy, Michael works with organisations across the UK and internationally to strengthen defences against credential theft, phishing, and unauthorised access.
