TL;DR
AI-powered phishing campaigns are bypassing MFA at scale, identity-based attacks now account for 65% of initial breaches, and Australian SMBs are squarely in the crosshairs. This week saw major alerts from Microsoft, the Canadian Cyber Centre, and CISA — all pointing to the same conclusion: if your business relies on passwords and basic MFA, you are exposed.
1. AI-Driven Device Code Phishing Campaign Bypasses MFA
Microsoft's Security Research team revealed a widespread phishing campaign using the EvilTokens phishing-as-a-service (PhaaS) toolkit to exploit the OAuth device code authentication flow at scale. Unlike traditional phishing, this campaign used generative AI to craft hyper-personalised lures — fake RFPs, invoices, and manufacturing workflows tailored to each victim's role.
The backend infrastructure ran on Railway.com, spinning up thousands of short-lived polling nodes that generated device codes the moment a victim clicked a phishing link — bypassing the standard 15-minute expiry window. Redirect chains leveraged legitimate cloud platforms including
What this means for SMBs: Your staff will click convincing links. This campaign proves that even properly configured MFA can be bypassed when attackers proxy the real authentication flow. If you use Microsoft 365, review your connected applications and enforce conditional access policies immediately.
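As an added example, not code from Microsoft's report or from this post, the following Python detection runs over exported Entra ID sign-in records and flags successful device-code sign-ins to apps that should never use that flow. The records and the allowlist of expected apps are constructed, and the field names assume the Microsoft Graph signIn schema (authenticationProtocol, appDisplayName, status.errorCode).

```python
import json
from collections import Counter

# Constructed sample of Entra ID sign-in records, one JSON object per line.
# Assumption: the export carries the authenticationProtocol field as the
# Microsoft Graph signIn resource does; every value below is made up.
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com.au", "appDisplayName": "Microsoft Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.8", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "none", "ipAddress": "203.0.113.11", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@example.com.au", "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9", "status": {"errorCode": 50199}}
"""

# Apps that legitimately use the device code flow in this hypothetical tenant
# (an admin tunes this list). Any other app completing the flow is suspicious.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI", "Azure PowerShell"}

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_device_code_signins(records, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins to apps that never use the flow.
    A user-facing app such as Office completing the device code flow is the
    mark of a victim entering an attacker-generated code at the real login
    page: MFA succeeded, but for the attacker's session."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # flow did not complete: worth logging, not a takeover
        if r.get("appDisplayName") in expected_apps:
            continue
        findings.append({"user": r["userPrincipalName"],
                         "app": r["appDisplayName"], "ip": r["ipAddress"]})
    return findings

def per_user_counts(findings):
    """Group findings by user so repeat victims (re-issued codes) stand out."""
    return dict(Counter(f["user"] for f in findings))

def flag_sample():
    """Run the detection over the constructed sample."""
    return flag_device_code_signins(parse_signins(SAMPLE_SIGNINS))
```

In a real tenant the same logic should feed an alert that triggers token revocation and a review of the user's connected applications, since the attacker already holds a valid session by the time the sign-in is logged.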
2. Social Engineering Compromises Enterprise SaaS Without Malware
The Canadian Centre for Cyber Security (CCCS) issued alert AL26-010 on 1 May 2026, warning that financially motivated threat actors are using voice phishing (vishing), brand impersonation, and help-desk manipulation to compromise SaaS environments — without deploying any malware at all.
Key techniques include vishing calls impersonating IT staff to trick employees into authenticating to attacker-controlled portals, adversary-in-the-middle frameworks capturing sessions in real time, and subdomain impersonation (e.g. yourorg-sso[.]com) that bypasses basic domain reputation controls. Attackers are also abusing help-desk MFA reset processes and stealing OAuth refresh tokens through SaaS-to-SaaS supply chain compromises — so-called "golden token" theft.
What this means for SMBs: Attackers no longer need to hack your systems. They call your staff and ask for access. Train your team to verify identity-related requests through an out-of-band channel. Never approve an MFA reset based solely on a phone call.
3. Identity Attacks Now Dominate — and Service Accounts Are a Time Bomb
Red team data from 2026 confirms that 65% of initial access in confirmed breaches traces back to compromised identities. In penetration testing engagements, analysts found service accounts with static credentials unchanged for years. In one case, a decommissioned service account retained Domain Admin privileges with a password unchanged since 2018 — compromised within 23 minutes.
MFA fatigue attacks are succeeding at alarming rates. In 40% of tested scenarios, at least one user approved a fraudulent MFA push within three attempts. The number climbs significantly when paired with a social engineering call. Meanwhile, SMS-based MFA remains dangerously common despite NIST deprecating it years ago — SIM swapping continues to defeat it entirely.
What this means for SMBs: Audit every service account today. Disable the ones no longer in use. If you are still using SMS for MFA, migrate to an authenticator app or, better yet, FIDO2 hardware keys. Ensure there is no fallback path from strong MFA to weak MFA.
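To make the service-account audit concrete, here is an added Python example (not code from the cited pen-testing report or from this post) that reads a constructed Active Directory export and flags service accounts with stale passwords, long idle periods, or privileged group membership on top of either. The CSV layout, the "svc-" naming convention and the thresholds are assumptions to adjust for your environment.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed AD export. Assumption: one row per account, ISO-8601 UTC
# timestamps, memberOf as a ';'-separated list. Values are made up; the
# svc-backup row mirrors the "unchanged since 2018" case in the text.
SAMPLE_EXPORT = """sAMAccountName,pwdLastSet,lastLogon,memberOf
svc-backup,2018-03-02T09:14:00Z,2026-04-28T02:10:00Z,Domain Admins;Backup Operators
svc-legacy-erp,2019-11-20T11:00:00Z,2023-01-15T08:30:00Z,Domain Admins
svc-monitor,2026-01-10T10:00:00Z,2026-05-01T07:45:00Z,Domain Users
jsmith,2026-03-01T10:00:00Z,2026-05-02T09:00:00Z,Domain Users
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=365)  # assumption: rotate at least yearly
MAX_IDLE = timedelta(days=90)           # assumption: idle longer = disable

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_service_account(name):
    """Assumption: service accounts follow an 'svc-' naming convention."""
    return name.lower().startswith("svc-")

def audit_accounts(export_text, now):
    """Return (account, reasons) pairs for service accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_service_account(row["sAMAccountName"]):
            continue
        groups = set(filter(None, row["memberOf"].split(";")))
        pwd_age = now - _parse_ts(row["pwdLastSet"])
        idle = now - _parse_ts(row["lastLogon"])
        reasons = []
        if pwd_age > MAX_PASSWORD_AGE:
            reasons.append(f"password unchanged for {pwd_age.days} days")
        if idle > MAX_IDLE:
            reasons.append(f"no logon for {idle.days} days (candidate for disabling)")
        if reasons and groups & PRIVILEGED_GROUPS:
            reasons.append("holds " + ", ".join(sorted(groups & PRIVILEGED_GROUPS)))
        if reasons:
            findings.append((row["sAMAccountName"], reasons))
    return findings

def audit_sample(as_of="2026-05-07T00:00:00Z"):
    """Run the audit over the constructed export as of a fixed date."""
    return audit_accounts(SAMPLE_EXPORT, _parse_ts(as_of))
```

Findings that combine a stale password with privileged membership are the ones to rotate or disable first; an idle privileged account is the exact pattern the pen-testing report describes.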
4. Critical CVEs and Credential Theft Surge Target SMB Infrastructure
CISA issued an emergency directive for Cisco ASA 5500-X firewalls after a sophisticated intrusion campaign targeted these appliances. Separately, Ivanti EPMM flaws (CVE-2025-4427 and CVE-2025-4428) — an authentication bypass and a remote code execution vulnerability — are being actively exploited in the wild.
Credential theft has surged 160% in 2025 according to Check Point, and Guardz SMB telemetry shows over 80% of breaches stem from compromised passwords or token theft. Ransomware variants detected in SMB environments have nearly doubled. For smaller organisations running firewall appliances or mobile device management without dedicated security staff, these are not abstract risks.
What this means for SMBs: Check whether you run Cisco ASA or Ivanti EPMM products. If yes, patch immediately — these are on CISA's Known Exploited Vulnerabilities list. Prioritise patching actively exploited flaws over general updates. Segment your network so a compromised firewall does not expose everything.
5. Spoofed Apps and Supply Chain Failures — The Vendor Problem
Attackers are mimicking trusted tools — ChatGPT, Microsoft Office, Google Drive — to trick users into installing malware. This is particularly effective against SMBs with less rigorous software controls and no application whitelisting.
The Collins Aerospace MUSE check-in system was hit by a cyberattack that disrupted boarding at Heathrow, Brussels, Berlin, and other airports. The airline was not the target — the vendor was. This is a textbook supply-chain knock-on effect: a third party's weakness became everyone's problem.
What this means for SMBs: Inventory your critical third-party vendors. Ask for evidence of their security practices. If a vendor's system goes down, do you have an offline fallback? Also remind staff: if a download link arrives by email, verify it through the vendor's official website before clicking.
FAQ
Q: Is MFA still worth implementing if attackers can bypass it? Yes. MFA stops the vast majority of automated and opportunistic attacks. The campaigns described above are targeted and sophisticated. Implement phishing-resistant MFA (FIDO2 keys or passkeys) where possible, and ensure there is no fallback to SMS or push notifications.
Q: What is a device code phishing attack? It exploits a legitimate OAuth flow designed for devices like smart TVs. The attacker starts the flow, sends you a code via a phishing email, and when you enter that code at the real login page, you unknowingly authorise the attacker's session. Your MFA works correctly — but for the wrong session.
Q: How do we protect against vishing attacks? Establish an out-of-band verification process. If someone calls claiming to be from IT and asks you to authenticate or reset MFA, hang up and call the IT team back on a known number. No legitimate IT support will ask for your password or MFA code over the phone.
Q: What should Australian SMBs prioritise first? Three things: audit and disable unused service accounts, enforce phishing-resistant MFA on all accounts with access to sensitive data, and implement conditional access policies that restrict logins based on location and device posture. These three steps address the majority of current attack vectors.
Conclusion
This week's threats share a common theme: attackers are targeting identity, not infrastructure. They are bypassing MFA through clever abuse of legitimate authentication flows, manipulating your staff over the phone, and riding in through vendors you trust. The good news is that focused, practical steps — strong MFA, service account hygiene, conditional access, and staff awareness — address most of these vectors without enterprise-level budgets.
Visit consult.lil.business for a free cybersecurity assessment.
References
- Inside an AI-enabled device code phishing campaign — Microsoft Security Blog
- AL26-010: Social-Engineering-Enabled Compromise of Enterprise SaaS Environments — Canadian Centre for Cyber Security
- Identity-Based Attacks in 2026: MFA Bypass, Token Theft, and the Death of Passwords — CyberSec Pen Testing
- Weekly Cybersecurity Roundup: Threats SMBs — LinkedIn