TL;DR
If you are still relying on SMS or phone-call MFA to protect your business accounts, you are operating with a false sense of security. Modern attack toolkits like Evilginx and Tycoon bypass these methods with commodity phishing kits that cost less than $300 a month. This post walks through why legacy MFA fails, which phishing-resistant alternatives to implement, and the six conditional access policies every Australian SMB should deploy in Microsoft Entra ID or Google Workspace this week.
Why Your MFA Is Already Broken
Most Australian small businesses implemented multi-factor authentication between 2020 and 2022 and considered the job done. The problem: the threat model has shifted dramatically since then, and the SMS codes or phone calls you deployed are no longer a meaningful barrier to a motivated attacker.
Three attack vectors have rendered legacy MFA obsolete:
SIM swapping cont
Adversary-in-the-middle (AitM) phishing kits have commoditised what was once a nation-state capability. Tools such as Evilginx, Tycoon 2FA, and Modlishka sit between your user and the real Microsoft or Google login page. When your employee enters their password and SMS code, the proxy captures both in real time — along with the session cookie — and replays them to the legitimate service. The attacker is now authenticated with a valid session token. The user sees no indication anything went wrong.
MFA fatigue and push bombing exploit the human in the loop. Attackers trigger repeated push notifications to a target's authenticator app until the user, frustrated or confused, taps "Approve." In 2024 a major Australian managed service provider lost control of their entire client tenant after an exhausted director approved a push notification at 11:47 PM.
The ACSC's Essential Eight maturity model explicitly calls for phishing-resistant MFA at Maturity Level 3. If your business handles sensitive client data, financial transactions, or personally identifiable information, legacy MFA is a compliance gap, not just a security gap.
Phishing-Resistant MFA: What Actually Works
The FIDO Alliance and NIST SP 800-63B define phishing-resistant authentication as methods that are cryptographically bound to the legitimate relying party — meaning a proxy cannot intercept and replay the credential. Three options are practical for SMBs today:
FIDO2 security keys (Yubikey, Feitian, Google Titan). A physical USB-A, USB-C, or NFC key that signs a cryptographic challenge tied to the specific domain being accessed. Even if an AitM proxy captures the response, it is worthless for replay against the real service because the challenge is domain-bound. Cost is roughly $50–$90 per key. Every admin account and every finance team member should have one. Two keys per person: one for daily use, one stored securely as a backup.
Passkeys (platform-native FIDO2). Stored in your device's secure enclave — Apple Touch ID, Windows Hello, or Android biometric — and synchronised across your ecosystem via iCloud Keychain or Google Password Manager. Passkeys eliminate the physical token cost and are vastly more resistant to remote phishing than any code-based method. Microsoft, Google, and most major SaaS platforms now support passkeys natively.
Microsoft Authenticator with number matching. A middle ground. Instead of a simple "Approve/Deny" push, the user must type a two-digit number displayed on the login screen into their authenticator app. This breaks AitM attacks because the user sees the login context (location, application) and must actively match the number. It also eliminates push-bombing fatigue attacks because there is no button to blindly tap. Number matching is free with Entra ID and takes five minutes to enable in the Authentication Methods policy.
What to retire: SMS codes, voice calls, and simple push notifications without number matching or additional context. If your current MFA method can be phished by a $200-a-month SaaS tool, it is not MFA — it is theatre.
Conditional Access: The Policy Layer MFA Needed
MFA verifies who is logging in. Conditional access verifies whether they should be, from where, and on what device. It is the policy engine that turns authentication from a single checkpoint into a continuous enforcement layer.
For Australian SMBs on Microsoft 365 Business Premium (which includes Entra ID P1) or Google Workspace Business Plus, conditional access is included in the licence you already pay for. Most businesses have never configured it.
Here is what conditional access evaluates in real time before granting access:
- User risk and sign-in risk (Entra ID Protection): Has this user's behaviour deviated from their baseline? Is the sign-in from an anonymous IP, a Tor exit node, or a location inconsistent with their typical pattern?
- Device compliance: Is this device enrolled in Intune or Google endpoint management? Does it have disk encryption enabled? Is the OS patched?
- Geolocation: Is this sign-in originating from a country your business does not operate in?
- Application sensitivity: Is the user accessing email, or are they changing a global admin setting?
- Authentication strength: Did they use a phishing-resistant method, or just a password and SMS?
If any condition fails, access is blocked — or stepped-up authentication is required — automatically, without a human in the loop.
The 6-Policy Starter Pack for SMBs
These policies apply to both Entra ID and Google Workspace (with equivalent configuration paths). Deploy them in report-only mode first for two weeks, review the impact, then enforce.
Policy 1: Block legacy authentication. Protocols like IMAP, POP3, SMTP Auth, and ActiveSync do not support modern MFA. Attackers use these to password-spray accounts without ever triggering an MFA prompt. Block them globally. In Entra ID this is a single toggle under Conditional Access. In Google Workspace it is under Security > Less secure apps.
Policy 2: Require phishing-resistant MFA for all administrators. Every Global Admin, Privileged Role Admin, and Billing Admin must authenticate with a FIDO2 security key or passkey. No exceptions. If an admin account is compromised, the attacker owns the tenant. The ACSC's Essential Eight rates this as a top-three priority control.
Policy 3: Require compliant device for all users. Users accessing corporate data must do so from a device enrolled in your endpoint management platform with encryption enabled and OS patch compliance verified. Unmanaged personal devices get blocked or restricted to web-only access without download capability.
Policy 4: Geofence to Australia. If your business only operates domestically, block sign-ins from outside Australia — or at minimum, block high-risk regions. A small accounting firm in Brisbane does not need sign-ins originating from Moscow, Lagos, or Pyongyang. Add a break-glass admin account excluded from this policy in case of legitimate travel.
Policy 5: Require MFA for all privileged actions. Even after initial sign-in, re-prompt for MFA (with number matching or FIDO2) whenever a user performs a sensitive action: creating a new global admin, modifying conditional access policies, adding an app consent grant, or changing billing details.
Policy 6: Session timeout and sign-in frequency. Set an eight-hour maximum session lifetime with idle timeout at one hour. If a session cookie is stolen, limiting its useful window reduces the blast radius. For admin accounts, reduce maximum session to four hours.
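Policies 1 and 2 above, created in report-only mode with the Microsoft Graph PowerShell SDK. This is an added example, not configuration from the post or from Microsoft; it assumes the Microsoft.Graph module is installed, that you hold the Conditional Access Administrator role, and that you replace the break-glass placeholder with your own account's object ID.

```powershell
# Added example: create Policy 1 (block legacy auth) and Policy 2 (phishing-resistant
# MFA for admins) in report-only mode. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass account, excluded so a bad policy
# cannot lock every admin out of the tenant.
$breakGlass = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy 1: "exchangeActiveSync" and "other" are the client app types Entra ID
# assigns to ActiveSync and to IMAP/POP3/SMTP AUTH clients.
$policy1 = @{
    displayName = "CA01 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: 62e90394-... is the Global Administrator role template ID and
# 00000000-...-0004 is the built-in "Phishing-resistant MFA" authentication
# strength. Add further admin role template IDs (Get-MgDirectoryRoleTemplate)
# to includeRoles to cover Privileged Role and Billing admins.
$policy2 = @{
    displayName = "CA02 - Require phishing-resistant MFA for admins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlass)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

$created = foreach ($p in @($policy1, $policy2)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object Id, DisplayName, State

# After two weeks of clean report-only results, switch a policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created[0].Id -BodyParameter @{ state = "enabled" }
```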
FAQ
We already use the Microsoft Authenticator app. Are we protected against phishing?
Only if you have enabled number matching and disabled simple push approval. The free Authenticator app with push notifications alone is vulnerable to MFA fatigue and push bombing. Number matching takes minutes to enable in the Entra ID portal under Security > Authentication methods > Microsoft Authenticator.
Yubikeys cost $80 each. Do we really need them for a 12-person business?
Your email and file storage contain every client contract, bank detail, and piece of intellectual property the business owns. A single account takeover resulting in invoice fraud or ransomware deployment costs the average Australian SMB $49,000 in recovery, according to the ACSC's 2024 Cyber Threat Report. Twelve Yubikeys cost less than $1,000. The cost-benefit calculation is not close.
We use Google Workspace, not Microsoft. Do these policies still apply?
Yes. Google Workspace has equivalent controls under Security > Access and data control > Context-Aware Access. The same six policies translate directly: block legacy auth, restrict to enrolled devices, geofence by IP or region, and require security keys for admin accounts. Google's Advanced Protection Program is worth enabling for every admin as well.
Do conditional access policies slow down our staff?
Report-only mode will show you with precision. In most SMB deployments, well-configured policies trigger additional MFA prompts once per session or less. The friction is minimal compared to the friction of recovering from a ransomware incident on a Monday morning.
Conclusion
If your business implemented MFA in 2021 and has not touched it since, your identity security is three threat generations behind. Attackers have automated the bypass of the methods you deployed. The fix is not more MFA — it is better MFA, wrapped in conditional access policies that make decisions based on context, risk, and device trust.
Actionable next three steps for this week:
- Enable number matching for Microsoft Authenticator (or equivalent in your IdP).
- Order FIDO2 security keys for every admin and finance team member.
- Deploy the six conditional access policies above in report-only mode and review the logs on Friday.
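For step 3, a way to read the report-only results out of the Entra ID sign-in logs rather than clicking through the portal. Added example, not from the post; it assumes the Microsoft.Graph module, an Entra ID P1 licence (needed for sign-in log access), and a role such as Security Reader.

```powershell
# Added example: summarise what report-only conditional access policies would
# have done over the last 14 days. Assumes Microsoft.Graph is installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# One row per (sign-in, applied policy), keeping only report-only outcomes.
# reportOnlyFailure means the policy would have blocked or stepped up that sign-in.
$rows = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -like "reportOnly*") {
            [pscustomobject]@{
                Policy  = $p.DisplayName
                Result  = $p.Result
                User    = $s.UserPrincipalName
                App     = $s.AppDisplayName
                Client  = $s.ClientAppUsed          # e.g. Browser, Exchange ActiveSync, IMAP4
                Country = $s.Location.CountryOrRegion
            }
        }
    }
}

# Headline numbers: how many sign-ins each policy would have affected, by outcome.
$rows | Group-Object Policy, Result | Sort-Object Count -Descending |
    Select-Object Count, Name

# Who would be hit: users and clients behind every would-be block, so legitimate
# legacy mail clients and travelling staff surface before you enforce.
$rows | Where-Object Result -eq "reportOnlyFailure" |
    Group-Object Policy, User, Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the raw rows for the Friday review.
$rows | Export-Csv -Path ".\ca-report-only-review.csv" -NoTypeInformation
```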
Every major cyber insurer in Australia now asks about phishing-resistant MFA and conditional access during underwriting. If you cannot answer yes, your premium is higher — or your coverage is denied.
For a free, no-obligation cybersecurity assessment of your business's identity and access controls, visit consult.lil.business. We will review your MFA posture, conditional access configuration, and Essential Eight alignment in under an hour.
References
- ACSC Essential Eight Maturity Model
- NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management
- CISA: Phishing-Resistant Multi-Factor Authentication
- Microsoft: Common Conditional Access Policies for Entra ID
- Google Workspace: Context-Aware Access Overview
ELI10: There's a Master Key That Unlocks Business Computers
Explained Like You're 10 — by lilMONSTER at lil.business
Imagine your IT person has a special master key that lets them unlock any computer in your office from anywhere in the world. That key is how they fix problems, install software, and keep everything running — even when they're working from home.
Now imagine someone figured out that your master key has a secret flaw. With just a little trick, anyone on the internet can copy your master key — without ever meeting your IT person, without knowing any passwords, without knocking on your door.
That is exactly what CVE-2026-1731 is.
The Flaw, in Plain Language
A popular IT tool called BeyondTrust Remote Support — used by IT teams and IT providers to manage computers remotely — had a bug discovered this month. Security researchers found that if you sent it a cleverly written message, it would run any command you told it to run. No login. No password. No permission needed.
Think of it like a vending machine that's supposed to only accept coins — but someone discovered that if you shake it just right, it gives you everything inside for free. Except instead of snacks, it's handing over your entire computer network.
The flaw got a score of 9.9 out of 10 for severity. That's basically as serious as it gets.
Who Found Out First?
A security research team called Hacktron AI found the flaw and told BeyondTrust about it on January 31, 2026. BeyondTrust quietly released a fix on February 6. But by February 10, someone had figured out the same trick and posted instructions online for everyone to see.
Within 24 hours, attackers were using those instructions to break into unpatched systems. A U.S. government agency called CISA — America's top cybersecurity watchdog — ordered all government offices to fix it within three days.
Does This Affect Your Business?
If your IT team or IT provider uses BeyondTrust Remote Support to manage your computers, you need to ask one question: "Have you applied the BT26-02 patch?"
- If you use the cloud version: you're already fixed. Nothing to do.
- If you use the installed-on-a-server version: you need to patch it manually, right now.
Not sure which one you have? Ask your IT person or provider. If they don't know, that's also important information.
What You Can Do Today
- Ask your IT team or MSP: "Do we use BeyondTrust? Is it patched against CVE-2026-1731?"
- Get a straight answer: They should know immediately. If they're unsure, push for a same-day answer.
- Check your logs: If you've been running an unpatched version and someone connected to it in the last week, flag it for investigation.
The Bigger Picture
This isn't the first time BeyondTrust has been in the news. Two years ago, a Chinese hacking group used a different flaw in the same product to break into the U.S. Treasury. This tool is a high-value target precisely because it's designed to have access to everything.
That's not a reason to panic. It's a reason to patch.
lil.business helps Australian small businesses check, patch, and secure their remote access tools — without the confusing jargon. Book a free 30-minute consultation and make sure your IT setup isn't a door left wide open.
References
[1] NIST National Vulnerability Database, "CVE-2026-1731: BeyondTrust Privileged Remote Access Authentication Bypass," NVD, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-1731
[2] CISA, "Known Exploited Vulnerabilities Catalog: BeyondTrust Privileged Remote Access," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[3] BeyondTrust, "Security Advisory: Critical Authentication Bypass in Privileged Remote Access (CVE-2026-1731)," BeyondTrust Security Advisories, 2026. [Online]. Available: https://www.beyondtrust.com/security-advisories
[4] ASD ACSC, "Patch Management Best Practices for Critical Vulnerabilities in Remote Access Tools," Australian Signals Directorate, Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/patch-management