TL;DR

Attackers are no longer trying to break your MFA — they are sidestepping it entirely. In 2025 and 2026, campaigns abusing OAuth tokens, device code flows, and adversary-in-the-middle phishing kits have compromised organisations of every size. If your security stops at "we have MFA enabled," you are defending the wrong layer. Here is what happened, how it works, and what Australian SMBs can do right now.

The Attacks That Changed the Rules

Three incidents from the past 18 months demonstrate how identity-layer attacks have evolved well beyond password guessing.

Storm-2372 / EvilTokens device code phishing (2025-2026). Microsoft's Defender Research team documented a campaign that weaponised the OAuth device code flow — the same mechanism your smart TV uses to sign into streaming services. Attackers spun up thousands of short-lived backend nodes on platforms like Railway.com to generate device codes dynamically, the moment a victim clicked a phishing link. This defeated the standard 15-minute code expiry window. AI-generated phishing emails, tailored to roles such as finance managers and executives, carried lures styled as invoices, RFPs, and voicemail notifications. Victims entered a code at the real microsoft.com/devicelogin page and unknowingly handed the attacker a valid session token. MFA was satisfied — for the attacker's session.

Salesloft / Drift OAuth token theft (2025). Attackers did not phish a single user. Instead, they compromised OAuth tokens linking the Salesloft platform to Salesforce via a Drift chatbot integration. Because OAuth tokens sit between applications — not between users and applications — no login screen was involved, and no MFA challenge was triggered. The stolen tokens quietly unlocked hundreds of Salesforce tenants. Google's Threat Intelligence Group later confirmed the attackers also used the same tokens to access Google Workspace email through connected integrations. This was lateral movement through trust chains most organisations do not even know exist.

AiTM phishing via EvilGinx and Tycoon 2FA kits (ongoing). Phishing-as-a-service toolkits such as EvilGinx3, EvilProxy, and Tycoon 2FA let low-skill operators run adversary-in-the-middle attacks at scale. A victim clicks a link, sees what looks like the real Microsoft 365 login, enters credentials, completes an MFA prompt — and the proxy captures the resulting session cookie. The attacker pastes that cookie into their own browser and is in. MFA technically succeeded; the attacker simply stole the result. Cisco Talos reported that half of their 2025 incident responses involved some form of MFA bypass.

How the Bypasses Work

The common thread across all three attacks is session-level compromise after authentication. Here is the trust-chain failure in plain terms:

  1. Device code abuse — The attacker initiates a legitimate OAuth flow and hands the victim a code to approve. The victim authenticates with MFA. The resulting token belongs to the attacker's session, not the victim's device.
  2. OAuth token theft — An integration token between two SaaS apps is compromised. These tokens often never expire and are not subject to MFA because they represent app-to-app trust, not user-to-app trust.
  3. AiTM session hijacking — A reverse proxy relays the login in real time, captures the session cookie, and the attacker replays it. No credential reuse, no brute force, no MFA defeat — just theft of the authenticated session.

In every case, the login logs show success. The MFA logs show success. The IP address looks normal. There is no password reset, no failed attempt, no alert. That is what makes these attacks so dangerous for SMBs with limited detection capability.
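The three patterns above still leave traces, even when every login shows success. As an added example (not from the original article), here is a small Python triage over constructed sign-in records that flags device code sign-ins and an MFA'd session reused from a different IP; the field names are assumptions, loosely modelled on Entra ID sign-in log properties.

```python
"""Two sign-in log checks that catch identity-layer abuse a plain 'login
succeeded' view misses. Added example: the record shape is a constructed
simplification, not the exact Entra ID sign-in export format."""
import json
from datetime import datetime, timedelta

# Constructed sample sign-in records (JSON lines). Field names are assumptions
# loosely modelled on Entra ID sign-in log properties; map your own export.
SAMPLE_SIGNINS = """\
{"time":"2026-04-06T08:00:00Z","user":"finance@example.com.au","ip":"203.0.113.10","protocol":"oAuth2","interactive":true,"mfa":true,"session":"s-111"}
{"time":"2026-04-06T08:04:00Z","user":"finance@example.com.au","ip":"198.51.100.7","protocol":"oAuth2","interactive":false,"mfa":false,"session":"s-111"}
{"time":"2026-04-06T09:15:00Z","user":"ceo@example.com.au","ip":"203.0.113.11","protocol":"deviceCode","interactive":true,"mfa":true,"session":"s-222"}
{"time":"2026-04-06T10:00:00Z","user":"ops@example.com.au","ip":"203.0.113.12","protocol":"oAuth2","interactive":true,"mfa":true,"session":"s-333"}
{"time":"2026-04-06T10:30:00Z","user":"ops@example.com.au","ip":"203.0.113.12","protocol":"oAuth2","interactive":false,"mfa":false,"session":"s-333"}
"""

def parse_signins(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines()]
    for r in records:
        r["time"] = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["time"])

def device_code_signins(records):
    """Storm-2372 pattern: the user authenticated through the device code
    flow. Staff on laptops and phones almost never need it, so each hit
    is worth a call to the user."""
    return [(r["user"], r["ip"]) for r in records if r["protocol"] == "deviceCode"]

def session_replays(records, window=timedelta(hours=1)):
    """AiTM pattern: a session created by an interactive MFA sign-in is then
    used non-interactively from a different IP within `window`. Both
    entries show success; the IP change on one session is the tell."""
    origin_of = {}  # session id -> (user, ip, time) of the interactive sign-in
    hits = []
    for r in records:
        if r["interactive"] and r["mfa"]:
            origin_of.setdefault(r["session"], (r["user"], r["ip"], r["time"]))
            continue
        origin = origin_of.get(r["session"])
        if origin and origin[1] != r["ip"] and r["time"] - origin[2] <= window:
            hits.append((r["user"], r["session"], origin[1], r["ip"]))
    return hits

def triage(text):
    """Run both checks over a JSON-lines export and return the findings."""
    records = parse_signins(text)
    return {"device_code": device_code_signins(records),
            "session_replay": session_replays(records)}

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_SIGNINS).items():
        for finding in findings:
            print(kind, *finding)
```

The one-hour window and the "different IP on the same session" rule are deliberately simple; a shared office NAT or VPN exit will need an allow-list before this runs on real data.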

Three Defences Australian SMBs Can Deploy Now

1. Tighten help-desk and admin verification protocols. Scattered Spider's attacks on MGM and Caesars proved that a convincing phone call to the IT help desk can reset MFA for an attacker. Require a callback to the employee's registered number, a manager approval, or a secondary verification channel before resetting credentials or disabling MFA. Document the procedure and audit it quarterly.

2. Enable number matching and context-aware MFA. In Microsoft Entra ID, turn on number matching for Authenticator push notifications. This forces the user to type the number shown on screen into their phone, preventing blind-push approval. Pair this with conditional access policies that require compliant devices and flag impossible-travel or unusual-location sign-ins. If your MFA provider supports it, bind session tokens to the originating device so a stolen cookie cannot be replayed on a different machine.

3. Audit OAuth integrations and monitor admin activity. Inventory every third-party application connected to your Microsoft 365, Google Workspace, Salesforce, or CRM tenant. Remove unused integrations. Restrict user consent so only administrators can approve new OAuth applications. Set up alerts for new inbox rules (a common persistence tactic), changes to forwarding addresses, and OAuth app consent grants. Review these alerts weekly — not quarterly.
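As an added example, not part of the original article, the three weekly alerts in step 3 written as checks over constructed audit events; the event shape, tenant domain and watch-lists are assumptions, with operation names following Microsoft 365 audit log conventions.

```python
"""Checks behind the three weekly alerts named above: new inbox rules,
forwarding changes and OAuth consent grants. Added example; the event
shape is a constructed simplification of a unified audit log export."""
import json

INTERNAL_DOMAIN = "example.com.au"  # assumed tenant domain
# Assumed watch-lists: mail-level scopes, and folders used to bury replies.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}
HIDING_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Junk Email"}

# Constructed sample events (JSON lines); field names are assumptions.
SAMPLE_AUDIT = """\
{"op":"New-InboxRule","actor":"finance@example.com.au","params":{"Name":"Invoices","MoveToFolder":"RSS Subscriptions","DeleteMessage":true}}
{"op":"New-InboxRule","actor":"ops@example.com.au","params":{"Name":"Newsletters","MoveToFolder":"Reading"}}
{"op":"Set-Mailbox","actor":"finance@example.com.au","params":{"ForwardingSmtpAddress":"smtp:collector@example.net"}}
{"op":"Consent to application.","actor":"ceo@example.com.au","params":{"App":"PDF Helper","Scopes":"Mail.ReadWrite offline_access","AdminConsent":false}}
{"op":"Consent to application.","actor":"admin@example.com.au","params":{"App":"Payroll Connector","Scopes":"User.Read","AdminConsent":true}}
"""

def is_external(address):
    return bool(address) and not address.lower().endswith("@" + INTERNAL_DOMAIN)

def check_inbox_rule(params):
    """Persistence tactic: rules that delete or bury incoming mail."""
    reasons = []
    if params.get("DeleteMessage"):
        reasons.append("deletes mail")
    if params.get("MoveToFolder") in HIDING_FOLDERS:
        reasons.append("hides mail in " + params["MoveToFolder"])
    return reasons

def check_forwarding(params):
    target = params.get("ForwardingSmtpAddress", "").split(":", 1)[-1]
    return ["external forwarding to " + target] if is_external(target) else []

def check_consent(params):
    """User-granted consent or mail-level scopes both warrant review."""
    reasons = []
    if not params.get("AdminConsent"):
        reasons.append("user consent (admin approval should be required)")
    risky = HIGH_RISK_SCOPES & set(params.get("Scopes", "").split())
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    return reasons

CHECKS = {"New-InboxRule": check_inbox_rule, "Set-InboxRule": check_inbox_rule,
          "Set-Mailbox": check_forwarding, "Consent to application.": check_consent}

def weekly_alerts(text):
    alerts = []  # (operation, actor, reasons) for every event needing review
    for event in (json.loads(line) for line in text.strip().splitlines()):
        reasons = CHECKS.get(event["op"], lambda _p: [])(event["params"])
        if reasons:
            alerts.append((event["op"], event["actor"], "; ".join(reasons)))
    return alerts
```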

FAQ

Is MFA still worth enabling? Yes. MFA blocks the majority of automated credential-stuffing and password-spray attacks. The problem is not that MFA is broken — it is that MFA alone stops too early. Pair it with post-authentication controls like session monitoring and conditional access.

We are a 20-person business. Are we really a target? Absolutely. AiTM phishing kits are sold as services for under $100 a month. Attackers cast wide nets. Australian SMBs using Microsoft 365 or Google Workspace are prime targets because the platforms are ubiquitous and the attack paths are well-documented.

What should I ask my IT provider right now? Ask three questions: How do we detect session hijacking today? Can we revoke OAuth tokens immediately if an integration is compromised? Do we monitor authenticated behaviour — not just logins? If the answers are vague, you have a gap.

Conclusion

The identity layer is the new perimeter, and attackers have figured out how to walk right through it while your MFA holds the door open. Device code phishing, OAuth token abuse, and AiTM session theft are not theoretical — they are operational right now, targeting organisations of every size across Australia.

The good news is that practical defences exist and can be deployed in days, not months. Start with number matching, audit your OAuth integrations, and demand post-login monitoring from your IT team or provider.

Visit consult.lil.business for a free cybersecurity assessment — we will check your identity controls, integration exposure, and MFA configuration against the threats that matter in 2026.

References

  1. Microsoft Security Blog, "Inside an AI-enabled device code phishing campaign," April 2026. https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
  2. Grip Security, "Inside the Salesloft Breach: A New Era of Salesforce Attacks," August 2025. https://www.grip.security/blog/salesloft-breach-oauth-salesforce-attacks
  3. Australian Cyber Security Centre, "Joint advisory on MFA bypass techniques," 2025. https://www.cyber.gov.au/threats

TL;DR

  • Two-thirds of cyberattacks start with a stolen password, not with breaking into computers
  • Once they have a password, they can reach your most important files in just a few hours
  • Multi-factor authentication (MFA) stops most of these attacks cold
  • You can fix this with 5 simple steps that cost nothing but time

The Real Problem: Your Keys, Not Your Locks

Imagine you come home and find your front door unlocked. You didn't leave it that way — someone used your keys. The lock worked fine. The problem was that someone had your key.

That's what's happening to businesses right now.

A new report from Sophos, a company that fights hackers, found that 67 out of every 100 cyberattacks start with a stolen password [1]. Hackers aren't breaking down doors. They're walking right in using keys they stole, bought, or tricked people into giving them.

This matters because stealing a password is much easier than hacking a computer system.

What Happens After They Steal a Password

Here's what typically happens:

  1. They get a password: This might be from tricking someone with a fake email, buying stolen passwords online, or guessing weak passwords
  2. They log in normally: No alarms go off because they're using a real password
  3. They look around: They check what files they can access, what computers are connected, and who has admin rights
  4. They move deeper: They try to get into more important accounts, often within just a few hours
  5. They strike: They steal your files or lock everything with ransomware

The scariest part? Sophos found that hackers can reach the most important parts of a business computer system within hours of getting in [1].

Why They Work Nights and Weekends

Think about when your office is empty. Nights. Weekends. Holidays.

Hackers know this too. The Sophos report found that most ransomware attacks happen when businesses are closed [1].

Why?

  • Fewer people watching for problems
  • Slower response times
  • More time to work without getting caught

If a hacker gets in on Friday evening, they have all weekend to cause damage before anyone notices on Monday morning.

The Missing Protection: MFA

Remember that 67% of attacks start with stolen passwords. Here's the thing that would stop most of them: Multi-Factor Authentication (MFA).

MFA means needing two things to log in:

  • Something you know (your password)
  • Something you have or are (your phone, a security key, or your fingerprint)

Sophos found that 59 out of 100 businesses that got hacked didn't have MFA turned on [1].

Without MFA, stealing a password is like having a key to your house. With MFA, it's like having a key AND needing your fingerprint to open the door. Even if a hacker has your password, they can't get in without the second thing.

The 5 Things You Should Do Right Now

You don't need to be a computer expert to protect your business. Here are five practical steps:

1. Turn on MFA Everywhere

Every account that offers MFA should have it turned on. Email, banking, cloud storage — everything.

The best option: Use a security key (a small USB device you tap to log in). Even hackers can't fake physical possession.

Good option: Use an authenticator app on your phone (like Google Authenticator or Microsoft Authenticator). These generate codes that change every 30 seconds.

Okay option: SMS codes to your phone. Better than nothing, but hackers can sometimes intercept these.

2. Check Who Has Access

Not everyone needs access to everything. This is called "least privilege."

Ask yourself:

  • Does every employee need access from anywhere?
  • Do you really have 5 admins, or could you have just 1 or 2?
  • Can you turn off access you're not using?

The fewer doors into your business, the fewer chances for hackers.

3. Update Your Edge Devices

"Edge devices" are the things that connect your business to the outside world: your router, your firewall, your VPN.

These are front-door locks. When the companies that make them find problems, they release updates. Hackers are very quick to attack businesses that don't update.

Make a rule: Update critical security devices within one week of a security update being released.

4. Get Help Watching While You Sleep

If hackers work nights and weekends, you need someone watching then too.

For most small businesses, hiring a 24/7 security team isn't realistic. But you can hire a Managed Detection and Response (MDR) service. They watch your systems around the clock and alert you immediately if something looks wrong.

Think of it like a security monitoring service for your business.

5. Keep Records

You can't stop an attack you don't know about.

Sophos found that many businesses weren't keeping logs — records of who logged in, when, and from where [1]. Without logs, you can't see what happened after an attack.

What to keep:

  • Login records for at least 6-12 months
  • Firewall logs for 3-6 months
  • Any changes to user accounts or permissions

Store these somewhere secure. If a hacker gets in, they'll try to delete these logs to hide their tracks.

Why This Matters Now

The Sophos report isn't theory. It's based on investigating hundreds of real businesses that got hacked in 2025 [1].

These businesses thought it wouldn't happen to them. They were wrong.

The good news is that protecting your business doesn't require expensive tools or security experts. It requires:

  • MFA turned on
  • Careful access control
  • Regular updates
  • Someone watching for problems
  • Good record-keeping

These are practical steps you can take this week.

A Simple Analogy: Your House vs. Your Business

Imagine your house has:

  • One front door with a deadbolt
  • Windows that lock
  • Maybe a back door
  • Keys that only a few trusted people have

Your business computer system is similar, but with one big difference: hackers can try your front door from anywhere in the world, thousands of times per second, without you ever seeing them.

That's why MFA is so important. It's like having a lock that needs your key AND your fingerprint. Even if someone copies your key, they can't get in.

What This Costs

The five steps above:

  1. MFA: Free (most services include it)
  2. Access review: Free (just your time)
  3. Updates: Free (just your time)
  4. Monitoring service: $100-500/month for most small businesses
  5. Log storage: Free to low cost depending on your setup

Compare that to the cost of a ransomware attack: an average of $4.88 million globally in 2025 [7].

The question isn't whether you can afford to protect your business. It's whether you can afford not to.


FAQ

MFA does add a few seconds to every login. But compare that to the days or weeks of downtime from a ransomware attack. Frame it as protecting their jobs and the business they depend on. Modern MFA options (like phone apps or security keys) are much faster than they used to be. Many people find that after a week, they don't even notice it anymore.

They can try, but it's much harder. Some advanced attacks can bypass SMS codes, but phishing-resistant MFA (like security keys) is extremely difficult to defeat. The goal isn't perfection — it's making attacks so difficult that hackers move on to easier targets. Most criminals, like most burglars, look for unlocked doors, not unpickable locks.

If your business has employees working remotely, you almost certainly have edge devices. These include: VPN servers (for remote access), routers (the devices that direct internet traffic), firewalls (security gateways), and remote access tools like TeamViewer or Splashtop. Check the manufacturer's website for security updates, or ask your IT provider to do this for you.

Not every business needs continuous monitoring. At minimum, ensure that critical alerts (failed admin logins, new user accounts created, access from unusual locations) send you an immediate notification, day or night. For many small businesses, this middle ground provides significant protection without the cost of full MDR services.

Use this analogy: "We're spending money on locks, but leaving keys under the mat. Hackers aren't picking locks — they're finding the keys we left out. MFA is like requiring both a key and a fingerprint. It's simple, it's cheap, and it stops most break-ins before they start." Focus on the business risk (downtime, lost revenue, reputational damage) rather than technical details.


References

[1] Sophos, "Active Adversary Report 2026," Sophos, 2026. [Online]. Available: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report

[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[8] Australian Cyber Security Centre, "Essential Eight Maturity Model," ACSC, 2024. [Online]. Available: https://www.cyber.gov.au/sites/default/files/2024-06/ESSENTIAL-EIGHT-IMPLEMENTATION-GUIDE.pdf

[11] National Cyber Security Centre, "Password Guidance for Organisations," NCSC, 2024. [Online]. Available: https://www.ncsc.gov.uk/collection/passwords/password-guidance-for-organisations

[12] CISA, "Multi-Factor Authentication," Cybersecurity and Infrastructure Security Agency, 2024. [Online]. Available: https://www.cisa.gov/news-events/news/secure-our-world/multi-factor-authentication

[13] Google, "Security Keys: The Strongest Form of 2FA," Google, 2024. [Online]. Available: https://landing.google.com/advancedprotection/


Identity security doesn't have to be complicated or expensive. lilMONSTER helps small businesses protect what they've built with practical, jargon-free cybersecurity. Get in touch for a free consultation — we'll explain everything in plain English.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
