TL;DR
Major identity breaches disclosed by Microsoft and Vercel in April 2026 prove that attackers are not cracking MFA; they are bypassing it entirely by stealing OAuth tokens, abusing device-code flows, and weaponising supply-chain trust. Australian SMBs must move beyond basic MFA and start monitoring sessions, auditing third-party app permissions, and hardening help-desk verification.
The Tactic Shift: From Cracking Passwords to Stealing Sessions
Multi-factor authentication has long been treated as the finish line for identity security. But the breaches of 2025 and 2026 show a clear shift: attackers no longer waste effort brute-forcing passwords when they can simply hijack the session that MFA already approved. Two high-profile incidents from April 2026 demonstrate how trust chains—not passwords—are the new target.
Case Study 1: Microsoft EvilTokens and AI-Enabled Device Code Phishing
In April 2026, Microsoft’s security research team disclosed a widespread phishing campaign that weaponised the legitimate OAuth device-code authentication flow.
Generative AI produced hyper-personalised lures—invoices, RFPs, and manufacturing workflows—tailored to each victim’s role. When the user entered the code on a legitimate Microsoft login page, they unknowingly authorised the attacker’s session. Because the authentication was decoupled from the victim’s original device, MFA was satisfied without binding to the user’s real context. Post-compromise, attackers abused Microsoft Graph API to map organisational permissions and created malicious inbox rules for persistence.
This campaign marks an evolution of the phishing-kit tradecraft pioneered by EvilProxy and Tycoon, automated end-to-end and scaled with AI.
Case Study 2: The Vercel OAuth Supply Chain Cascade
On 19 April 2026, Vercel confirmed that attackers had breached its internal systems via a compromised third-party AI service, Context.ai. A Lumma Stealer malware infection at Context.ai exfiltrated Google Workspace OAuth tokens belonging to a Vercel employee. Once issued, an OAuth token is presented without a password, and it often survives password rotations.
Using the stolen token, the attacker accessed the employee’s Google Workspace account, pivoted into Vercel’s internal environment, and read environment variables that were not explicitly classified as "sensitive." While encrypted secrets remained protected, the incident exposed enough metadata to enable lateral movement. Vercel CEO Guillermo Rauch publicly assessed the attacker’s velocity as "very likely significantly accelerated by AI."
This is the same trust-chain collapse seen in earlier incidents like the Storm-0558 Microsoft key compromise and the Okta customer support breaches: when a trusted intermediary is compromised, MFA cannot defend against an attacker riding legitimate, pre-approved tokens.
The Common Thread: MFA Bypass via Trust Abuse
Whether through Scattered Spider-style help-desk social engineering, stolen OAuth tokens, or automated device-code abuse, the pattern is identical. Attackers are not defeating MFA; they are defeating the trust assumptions around it. MFA validates identity at the point of login. It does not protect against stolen sessions, over-permissive OAuth grants, or a help-desk operator tricked into resetting an executive’s credentials.
Three SMB-Scale Defences
You do not need an enterprise SOC to close these gaps. Implement these controls this week:
1. Help-Desk Verification Protocols
Eliminate single-channel password or MFA resets. Every identity-related request must be verified out-of-band—via a pre-registered manager mobile number, video call, or in-person confirmation. Treat "I lost my MFA" phone calls with extreme scepticism; pretexting is the primary tactic of groups like Scattered Spider.
2. Number Matching and Phishing-Resistant MFA
Replace simple push-notification approvals with number matching, or better yet, FIDO2 passkeys. Number matching forces the user to enter a code from the login screen into their authenticator app, preventing blind approvals of attacker-initiated flows. Passkeys bind credentials to the origin, rendering token theft and replay attacks useless.
3. Session Token Protection and Admin Activity Alerting
Audit OAuth grants quarterly. Revoke any third-party app with broad, unused permissions to email, files, or admin consoles. Set conditional access policies to terminate sessions from impossible locations or non-compliant devices. Alert on Graph API reconnaissance, mass inbox-rule creation, and non-standard IP ranges accessing admin portals. Tokens should be short-lived; if your provider does not support automatic expiration, enforce manual rotation every ninety days.
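Two of the alerts named in defence 3 can be prototyped in a few lines before you buy tooling. The script below is an added example, not code from the original post: it runs over constructed audit events (a simplified schema you would map real Microsoft 365 or Google Workspace exports onto) and flags mass inbox-rule creation and admin-portal sign-ins from outside the IP ranges you expect; the thresholds and ranges are assumptions to tune.

```python
"""Added example: flag mass inbox-rule creation and admin sign-ins from
unexpected IP ranges over constructed audit events (not the post's code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; real exports carry richer fields than these.
EVENTS = [
    {"ts": "2026-04-20T09:00:00", "user": "cfo@example.com.au", "action": "InboxRuleCreated", "ip": "203.0.113.10"},
    {"ts": "2026-04-20T09:00:05", "user": "cfo@example.com.au", "action": "InboxRuleCreated", "ip": "203.0.113.10"},
    {"ts": "2026-04-20T09:00:09", "user": "cfo@example.com.au", "action": "InboxRuleCreated", "ip": "203.0.113.10"},
    {"ts": "2026-04-20T09:00:12", "user": "cfo@example.com.au", "action": "InboxRuleCreated", "ip": "203.0.113.10"},
    {"ts": "2026-04-20T10:15:00", "user": "it@example.com.au", "action": "AdminPortalSignIn", "ip": "198.51.100.7"},
    {"ts": "2026-04-20T10:20:00", "user": "cfo@example.com.au", "action": "AdminPortalSignIn", "ip": "203.0.113.10"},
    {"ts": "2026-04-21T08:00:00", "user": "ops@example.com.au", "action": "InboxRuleCreated", "ip": "198.51.100.9"},
]

# Assumed: the office / VPN egress ranges admin sign-ins normally come from.
EXPECTED_ADMIN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def mass_inbox_rules(events, threshold=3, window=timedelta(minutes=5)):
    """Return users who created at least `threshold` inbox rules inside any
    `window`-long sliding window (a common persistence signal)."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "InboxRuleCreated":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1  # advance while still inside the window starting at times[i]
            if j - i >= threshold:
                flagged.add(user)
                break
    return flagged


def admin_signins_outside_ranges(events, ranges=EXPECTED_ADMIN_RANGES):
    """Return (user, ip) pairs for admin-portal sign-ins from unexpected ranges."""
    hits = []
    for e in events:
        if e["action"] != "AdminPortalSignIn":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in ranges):
            hits.append((e["user"], e["ip"]))
    return hits
```

On the constructed events, the CFO account is flagged on both rules: four inbox rules in twelve seconds, then an admin sign-in from an address outside the expected range.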
FAQ
If we have MFA, how did these attacks still succeed? The attackers bypassed MFA rather than breaking it. By stealing OAuth tokens, tricking users into device-code flows, or socially engineering help desks, they obtained sessions that had already passed authentication. The login was legitimate; the session simply belonged to the attacker.
Are Australian SMBs actually targets for this level of sophistication? Yes. Phishing-as-a-Service kits like EvilTokens and EvilProxy have commoditised these tactics. Criminals purchase subscriptions and target businesses indiscriminately. SMBs are preferred because they often hold valuable financial and customer data without dedicated security teams to monitor abuse.
What is number matching, and do we need it? Number matching is an MFA method where your login screen displays a two-digit number you must enter into your authenticator app to approve the sign-in. It prevents "MFA fatigue" attacks where users reflexively tap "Approve." If you use Microsoft Authenticator or similar enterprise tools, enable it immediately.
How do we audit our OAuth apps and third-party integrations? Export a list of all apps connected to Google Workspace, Microsoft 365, or your identity provider. Review their access scopes: does a calendar plugin need access to all emails? If an app has not been used in ninety days, revoke it. Treat every dormant OAuth grant as an exposed credential.
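The audit described in this answer is easy to turn into a repeatable check once you have exported your grants. The script below is an added example, not code from the original post: it takes a constructed grant export (app, scopes, last-used date), marks anything unused for ninety days as "revoke", marks active grants with broad scopes as "review", and passes the rest; the scope names in BROAD_SCOPES are assumptions you would replace with your provider's real scope strings.

```python
"""Added example: triage exported OAuth grants by dormancy and scope breadth
(constructed data; not the post's code)."""
from datetime import date

# Assumed scope names standing in for "all mail", "all files", "directory write".
BROAD_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.readwrite.all"}

# Constructed sample export: one row per third-party app grant.
GRANTS = [
    {"app": "CalendarSync", "scopes": ["calendar.read", "mail.readwrite"], "last_used": date(2026, 1, 5)},
    {"app": "Invoicer", "scopes": ["files.readwrite.all"], "last_used": date(2026, 4, 18)},
    {"app": "OldCRMConnector", "scopes": ["directory.readwrite.all"], "last_used": date(2025, 11, 1)},
    {"app": "TeamChat", "scopes": ["profile.read"], "last_used": date(2026, 4, 10)},
]


def triage(grants, today, dormant_days=90):
    """Return {app: (verdict, reasons)} where verdict is 'revoke', 'review' or 'ok'.

    A dormant grant is treated as an exposed credential and revoked regardless
    of scope; an active grant with broad scopes is queued for a scope review."""
    verdicts = {}
    for g in grants:
        idle = (today - g["last_used"]).days
        broad = sorted(set(g["scopes"]) & BROAD_SCOPES)
        reasons = []
        if idle >= dormant_days:
            reasons.append(f"unused for {idle} days")
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if idle >= dormant_days:
            verdict = "revoke"
        elif broad:
            verdict = "review"  # e.g. does a calendar plugin really need all mail?
        else:
            verdict = "ok"
        verdicts[g["app"]] = (verdict, reasons)
    return verdicts


def revoke_list(grants, today):
    """Convenience: just the app names to revoke, for handing to whoever holds admin."""
    return sorted(app for app, (v, _) in triage(grants, today).items() if v == "revoke")
```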
Conclusion
The identity perimeter is no longer at the password field. It is inside the OAuth grant, inside the session token, and inside the help-desk call log. The breaches of April 2026 demonstrate that MFA alone is insufficient when AI-enhanced attackers abuse trust chains. Australian SMBs must adopt phishing-resistant authentication, aggressive session monitoring, and zero-trust OAuth hygiene before their names appear in the next headline.
Book a free cybersecurity assessment today at consult.lil.business.
References
- Microsoft Security Blog. "Inside an AI-enabled device code phishing campaign." (2026). https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
- Trend Micro Research. "The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables." (2026). https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html
- Australian Cyber Security Centre (ACSC). "Multi-factor authentication." https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/mfa
ELI10: Hackers Are Logging In, Not Breaking In
Explained Like You're 10 — by lilMONSTER at lil.business
Imagine your business office has a special entry card system. Every employee gets a card that unlocks the door. It's secure — or so you think.
Now imagine a stranger finds a copy of one of your employee's entry cards. They walk right through the front door. They look like a normal person. They walk to the filing cabinet. They copy everything. And they're gone in an hour.
That is how 90% of major cyberattacks work in 2026.
Not Hollywood hacking — just someone with your employee's password, walking right in.
The Speed Problem
A new security report released this week — by a company called Palo Alto Networks, which investigated over 750 major cyberattacks around the world — found something alarming: attackers now move from "got in" to "stole everything" in as little as 72 minutes.
That's four times faster than the year before.
The reason? AI tools. Attackers are using AI to automatically find weaknesses, craft convincing messages, and move through computer systems faster than any human could on their own.
By the time most businesses even realise something is wrong, the attacker is already done.
How Do Attackers Get Your Passwords?
You don't have to do anything obviously wrong. Here's how it happens all the time:
- Fake login page. An employee gets an email that looks like it's from Microsoft, Google, or their bank. They click the link and type in their password — but the page is fake. Password stolen.
- Old breach. Your employee uses the same password on five different services. One of those services got hacked years ago. Attackers try that password on your systems. It works.
- Sneaky software. Someone downloads something dodgy. It quietly records every password they type and sends it to the attacker.
None of this requires the attacker to be a genius. With AI, even someone with no technical skills can run these attacks automatically at massive scale.
The Fix: A Second Lock on the Door
The single most effective thing your business can do right now costs almost nothing: turn on MFA (Multi-Factor Authentication).
MFA is like adding a second lock to your door. Even if someone has your password (the key), they also need your phone (the second lock) to get in. Microsoft found that MFA blocks 99.9% of automated password attacks.
Turn it on for:
- Business email (Gmail, Outlook)
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Banking and finance apps
- Any remote access tools
- Social media accounts
Most apps have a "Security" or "Two-Factor Authentication" setting. Enable it everywhere. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) — not just SMS, which is slightly less secure.
The Second Fix: Give People Only What They Need
The report found that once attackers get in, they often roam freely because employees have more access than they actually need.
Ask your IT person: does every staff member only have access to the things they need for their job? Your junior receptionist probably doesn't need admin access to the server. Your salesperson probably doesn't need access to payroll files.
This is called the "principle of least privilege" — and it limits how far an attacker can go even if they do get in.
The Third Fix: Have a Plan
The attackers are fast. You need to be faster — and that means thinking about it before something goes wrong.
Three questions to answer today:
- If someone's email account gets hacked, who do we call?
- What do we disconnect first to stop the damage spreading?
- Do we have backups of our important data, and are they recent?
Written answers to these questions — even on a single piece of paper — are worth more than any expensive software if the moment comes.
The Big Picture
You don't need to build a fortress. You need a few strong, smart habits. MFA + reviewed permissions + a response plan covers the majority of what the world's biggest security firms see failing again and again in real attacks.
lil.business helps Australian small businesses get these basics right — quickly and without the jargon. Book a free 30-minute consult and walk away with a clear list of what to do first.