TL;DR

Major identity breaches disclosed by Microsoft and Vercel in April 2026 prove that attackers are not cracking MFA; they are bypassing it entirely by stealing OAuth tokens, abusing device-code flows, and weaponising supply-chain trust. Australian SMBs must move beyond basic MFA and start monitoring sessions, auditing third-party app permissions, and hardening help-desk verification.

The Tactic Shift: From Cracking Passwords to Stealing Sessions

Multi-factor authentication has long been treated as the finish line for identity security. But the breaches of 2025 and 2026 show a clear shift: attackers no longer waste effort brute-forcing passwords when they can simply hijack the session that MFA already approved. Two high-profile incidents from April 2026 demonstrate how trust chains—not passwords—are the new target.

Case Study 1: Microsoft EvilTokens and AI-Enabled Device Code Phishing

In April 2026, Microsoft’s security research team disclosed a widespread phishing campaign that weaponised the legitimate OAuth device-code authentication flow. Traditionally, device codes expire after fifteen minutes. The attackers bypassed this limitation by using automated infrastructure on platforms like Railway.com to generate dynamic device codes at the exact moment a victim clicked a phishing link.

Generative AI produced hyper-personalised lures—invoices, RFPs, and manufacturing workflows—tailored to each victim’s role. When the user entered the code on a legitimate Microsoft login page, they unknowingly authorised the attacker’s session. Because the authentication was decoupled from the victim’s original device, MFA was satisfied without binding to the user’s real context. Post-compromise, attackers abused Microsoft Graph API to map organisational permissions and created malicious inbox rules for persistence.

This campaign marks an evolution of the phishing-kit tradecraft pioneered by EvilProxy and Tycoon, automated end-to-end and scaled with AI.

Case Study 2: The Vercel OAuth Supply Chain Cascade

On 19 April 2026, Vercel confirmed that attackers had breached its internal systems via a compromised third-party AI service, Context.ai. A Lumma Stealer malware infection at Context.ai exfiltrated Google Workspace OAuth tokens for a Vercel employee. OAuth tokens do not require a password and often survive password rotations.

Using the stolen token, the attacker accessed the employee’s Google Workspace account, pivoted into Vercel’s internal environment, and read environment variables that were not explicitly classified as "sensitive." While encrypted secrets remained protected, the incident exposed enough metadata to enable lateral movement. Vercel CEO Guillermo Rauch publicly assessed the attacker’s velocity as "very likely significantly accelerated by AI."

This is the same trust-chain collapse seen in earlier incidents like the Storm-0558 Microsoft key compromise and the Okta customer support breaches: when a trusted intermediary is compromised, MFA cannot defend against an attacker riding legitimate, pre-approved tokens.

The Common Thread: MFA Bypass via Trust Abuse

Whether through Scattered Spider-style help-desk social engineering, stolen OAuth tokens, or automated device-code abuse, the pattern is identical. Attackers are not defeating MFA; they are defeating the trust assumptions around it. MFA validates identity at the point of login. It does not protect against stolen sessions, over-permissive OAuth grants, or a help-desk operator tricked into resetting an executive’s credentials.

Three SMB-Scale Defences

You do not need an enterprise SOC to close these gaps. Implement these controls this week:

1. Help-Desk Verification Protocols: Eliminate single-channel password or MFA resets. Every identity-related request must be verified out-of-band, via a pre-registered manager mobile number, video call, or in-person confirmation. Treat "I lost my MFA" phone calls with extreme scepticism; pretexting is the primary tactic of groups like Scattered Spider.

2. Number Matching and Phishing-Resistant MFA: Replace simple push-notification approvals with number matching, or better yet, FIDO2 passkeys. Number matching forces the user to enter a code from the login screen into their authenticator app, preventing blind approvals of attacker-initiated flows. Passkeys bind credentials to the origin, rendering token theft and replay attacks useless.

3. Session Token Protection and Admin Activity Alerting: Audit OAuth grants quarterly. Revoke any third-party app with broad, unused permissions to email, files, or admin consoles. Set conditional access policies to terminate sessions from impossible locations or non-compliant devices. Alert on Graph API reconnaissance, mass inbox-rule creation, and non-standard IP ranges accessing admin portals. Tokens should be short-lived; if your provider does not support automatic expiration, enforce manual rotation every ninety days.
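As an added illustration of the alerting in point 3 (example code, not from the original post), the following Python sketch runs two of those detections over a constructed, simplified event feed: device-code sign-ins arriving from outside a known egress range, and a burst of inbox-rule creation by a single user. The event field names, the egress range and the thresholds are assumptions; real Entra ID or Google Workspace exports use their own schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified, provider-neutral shape (an assumption:
# real Entra ID / Google Workspace exports use their own field names).
EVENTS = [
    {"ts": "2026-04-07T07:55:00", "user": "alice@example.com.au", "kind": "signin",
     "protocol": "oAuth2", "ip": "198.51.100.7"},
    {"ts": "2026-04-07T08:02:00", "user": "cfo@example.com.au", "kind": "signin",
     "protocol": "deviceCode", "ip": "203.0.113.44"},
    {"ts": "2026-04-07T08:05:00", "user": "cfo@example.com.au", "kind": "inbox_rule_created"},
    {"ts": "2026-04-07T08:06:00", "user": "cfo@example.com.au", "kind": "inbox_rule_created"},
    {"ts": "2026-04-07T08:07:00", "user": "cfo@example.com.au", "kind": "inbox_rule_created"},
    {"ts": "2026-04-07T09:00:00", "user": "alice@example.com.au", "kind": "inbox_rule_created"},
]

KNOWN_EGRESS = [ip_network("198.51.100.0/24")]  # constructed office/VPN egress range
RULE_BURST = 3                                   # this many inbox rules ...
RULE_WINDOW = timedelta(minutes=10)              # ... created within this window

def is_known_ip(ip):
    return any(ip_address(ip) in net for net in KNOWN_EGRESS)

def detect_alerts(events):
    """Return (user, reason) tuples for device-code sign-ins from unknown IPs
    and for bursts of inbox-rule creation by one user."""
    alerts = []
    rule_times = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if (e["kind"] == "signin" and e.get("protocol") == "deviceCode"
                and not is_known_ip(e["ip"])):
            alerts.append((e["user"], f"device-code sign-in from unknown IP {e['ip']}"))
        elif e["kind"] == "inbox_rule_created":
            times = rule_times[e["user"]]
            times.append(ts)
            # drop creations that fell out of the sliding window
            while ts - times[0] > RULE_WINDOW:
                times.pop(0)
            if len(times) == RULE_BURST:
                alerts.append((e["user"], f"{RULE_BURST} inbox rules created within "
                                          f"{RULE_WINDOW.seconds // 60} minutes"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect_alerts(EVENTS):
        print(f"ALERT {user}: {reason}")
```

In production the egress list would come from your conditional access configuration and the rule burst would be correlated with a recent device-code sign-in by the same user.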

FAQ

If we have MFA, how did these attacks still succeed? The attackers bypassed MFA rather than breaking it. By stealing OAuth tokens, tricking users into device-code flows, or socially engineering help desks, they obtained sessions that had already passed authentication. The login was legitimate; the session simply belonged to the attacker.

Are Australian SMBs actually targets for this level of sophistication? Yes. Phishing-as-a-Service kits like EvilTokens and EvilProxy have commoditised these tactics. Criminals purchase subscriptions and target businesses indiscriminately. SMBs are preferred because they often hold valuable financial and customer data without dedicated security teams to monitor abuse.

What is number matching, and do we need it? Number matching is an MFA method where your login screen displays a two-digit number you must enter into your authenticator app to approve the sign-in. It prevents "MFA fatigue" attacks where users reflexively tap "Approve." If you use Microsoft Authenticator or similar enterprise tools, enable it immediately.

How do we audit our OAuth apps and third-party integrations? Export a list of all apps connected to Google Workspace, Microsoft 365, or your identity provider. Review their access scopes: does a calendar plugin need access to all emails? If an app has not been used in ninety days, revoke it. Treat every dormant OAuth grant as an exposed credential.
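To make this audit concrete, here is an added Python example (not from the original post) that applies the rules from defence 3 and this answer to a constructed grant export: grants unused for more than ninety days are marked for revocation, and in-use grants with broad or admin-consented scopes are marked for scope review. The export shape and the scope labels are assumptions; Google Workspace and Microsoft 365 use their own export formats and scope URIs.

```python
from datetime import date, timedelta

# Constructed export of third-party OAuth grants in a simplified shape (an assumption:
# Google Workspace and Microsoft 365 use their own export formats and scope URIs).
GRANTS = [
    {"app": "Calendar Sync",   "scopes": ["calendar.readonly", "mail.readwrite"],
     "last_used": "2026-04-01", "admin_consent": False},
    {"app": "Old Survey Tool", "scopes": ["profile"],
     "last_used": "2025-11-02", "admin_consent": False},
    {"app": "Backup Agent",    "scopes": ["files.readwrite.all"],
     "last_used": "2026-04-10", "admin_consent": False},
    {"app": "Vendor Admin",    "scopes": ["directory.readwrite.all"],
     "last_used": "2026-03-20", "admin_consent": True},
    {"app": "Team Chat",       "scopes": ["profile", "calendar.readonly"],
     "last_used": "2026-04-15", "admin_consent": False},
]

# Scopes that reach mail, files or directory/admin surfaces (constructed labels).
BROAD_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.readwrite.all"}
DORMANT_AFTER = timedelta(days=90)

def audit_grants(grants, today):
    """Return findings: dormant grants -> revoke; broad or admin-consented
    grants still in use -> review scopes. Clean grants produce no finding."""
    findings = []
    for g in grants:
        reasons = []
        idle = today - date.fromisoformat(g["last_used"])
        if idle > DORMANT_AFTER:
            reasons.append(f"dormant for {idle.days} days")
        broad = sorted(s for s in g["scopes"] if s in BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if g["admin_consent"]:
            reasons.append("admin-consented for the whole tenant")
        if reasons:
            action = "revoke" if idle > DORMANT_AFTER else "review"
            findings.append({"app": g["app"], "action": action, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_grants(GRANTS, date.today()):
        print(f"{f['action'].upper():6} {f['app']}: {'; '.join(f['reasons'])}")
```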

Conclusion

The identity perimeter is no longer at the password field. It is inside the OAuth grant, inside the session token, and inside the help-desk call log. The breaches of April 2026 demonstrate that MFA alone is insufficient when AI-enhanced attackers abuse trust chains. Australian SMBs must adopt phishing-resistant authentication, aggressive session monitoring, and zero-trust OAuth hygiene before their names appear in the next headline.

Book a free cybersecurity assessment today: Visit consult.lil.business for a free cybersecurity assessment.

