MFA is Dead Weight — How Identity-Layer Breaches Bypassed Every Defence in 2025–2026

---

Identity is the new perimeter — and the perimeter is leaking. For years, Australian SMBs were sold MFA as the silver bullet. "Just turn it on," vendors said. "Blocks 99.9% of account compromises." The 2025–2026 breach record tells a different story. Targeted attackers treated MFA as a speed bump, not a wall. They bypassed it via social engineering, token theft, and outright trust-chain compromise — and in most cases, the victim's identity provider logs showed nothing wrong. The authentication looked legitimate. Because it was.

Here are three incidents that rewrote the playbook, followed by three defences you can deploy this week.​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​‌‌​‌‍​‌‌​​‌‌​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​‌‌‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

Storm-0558: The Microsoft Signing Key That Wasn't Yours

In mid-2025, the fallout from Storm-0558 continued to unfold. The attack, originally detected in 2023, involved a threat actor compromising a Microsoft account signing key — a cryptographic secret used to forge Azure AD access tokens. With that key, the attacker didn't need MFA codes, passwords, or push approvals. They minted their own tokens. Outlook Web Access and Exchange Online were wide open.

The trust-chain failure was structural. Organisations federating identity to Microsoft via SSO implicitly trusted tokens signed by Microsoft's consumer signing system. The attacker acquired one key, and suddenly every token they issued was indistinguishable from a legitimate authenticated session. Azu

re AD logs showed valid sign-ins.

For SMBs: If your M365 tenant logs show a successful SSO sign-in from an unrecognised location or device, treat it as hostile regardless of what Entra ID says about MFA satisfaction.

Scattered Spider: The Help Desk Was the Front Door

The MGM Resorts and Caesars Entertainment breaches, attributed to the Scattered Spider / UNC3944 group, demonstrated something SMB owners intuitively understand: your help desk is the weakest identity gate. Attackers obtained employee names and phone numbers from LinkedIn, called internal IT help desks, and — armed with nothing more than an employee ID and a plausible story — convinced support staff to reset MFA registrations, enrol new authenticators, or disable MFA entirely.

No zero-day. No malware. Just a phone call. Total time from first ring to domain compromise: under an hour in MGM's case. The group's hallmark technique — SIM swapping followed by help-desk social engineering — remains the highest-success-rate identity attack vector in 2026. If someone can impersonate an employee to your IT support, your MFA is irrelevant.

EvilProxy and the Device Code Renaissance: Tokens, Not Passwords

By late 2025, the phishing economy had completed its pivot. Traditional credential-harvesting pages were out. Adversary-in-the-middle (AitM) proxies — EvilProxy, Tycoon, and Evilginx derivatives — were in. These tools sit between the victim and the real identity provider, proxying the entire authentication flow in real time. The victim sees the legitimate Microsoft or Google login page, completes their MFA push, and gets a normal-looking session. The attacker receives the authenticated session cookie — already post-MFA — and replays it.

Microsoft's April 2026 advisory on the EvilTokens phishing-as-a-service campaign added a new twist: device code phishing. Attackers initiate a legitimate OAuth device code flow (designed for smart TVs and printers), email the victim a short code with a "verify your account" pretext, and capture the authenticated token when the victim enters it. The flow decouples authentication from the originating session entirely — MFA is satisfied on the victim's device, but the token lands with the attacker. No credentials are exposed. No suspicious sign-in location. Just a valid token.

In one documented campaign, AI-generated lures tailored to the victim's role — RFPs, invoices, manufacturing workflows — drove click rates well above traditional phishing baselines. The backend infrastructure used Vercel, Cloudflare Workers, and AWS Lambda to rotate redirect domains at scale, blending phishing traffic into legitimate enterprise cloud patterns.

Three Defences That Survive 2026's Playbook

1. Help-Desk Verification Protocol (mandatory, not optional)

No MFA reset, no authenticator enrolment, no account recovery proceeds without out-of-band verification. That means: call the employee back on a number already on file — not one provided during the support call. Use a codeword established during onboarding. Require supervisor approval for any MFA modification. Document every MFA change request and audit the log weekly.

The ACSC Essential Eight explicitly calls for multi-factor authentication and privileged access management. Add a help-desk verification gate or none of the rest matters.

2. Number Matching and Phishing-Resistant MFA

Push notification bombing works because users reflexively tap "approve." Number matching — where the user must enter a two-digit code displayed on the sign-in screen into their authenticator app — eliminates reflexive approval. Microsoft Authenticator, Duo, and Okta all support it. Turn it on.

Where budgets permit, deploy FIDO2 hardware keys or passkeys. They're cryptographically bound to the relying party domain — a token captured on a phishing page can't be replayed against the legitimate service. FIDO2 isn't free from downgrade attacks (if fallback to SMS or push is permitted, attackers will force it), but it raises the cost of compromise dramatically.

3. Session Token Hardening and Admin Activity Alerting

Most post-MFA attacks succeed because session tokens are valid and long-lived. Reduce token lifetimes aggressively — Microsoft Entra ID Conditional Access supports sign-in frequency controls and token binding to compliant devices. Configure continuous access evaluation (CAE) so that revoked accounts can't retain active sessions.

Separately: alert on any global admin account activity. Admin role assignment changes, new application registrations, and mailbox rule creation are all post-compromise indicators. If you don't have a SIEM, start with Microsoft Sentinel's free-tier ingestion or enable mailbox audit logging and forward the logs somewhere you'll actually look at them.

FAQ

Conclusion

MFA is not dead — but it's been demoted from silver bullet to speed bump. The 2025–2026 breach cycle proves that identity-layer controls must be layered: strong MFA (phishing-resistant, not just present), ironclad help-desk verification, aggressive session token management, and admin activity alerting that someone actually reads.

Australian SMBs can't afford a dedicated identity security team. You can afford three policy changes this week: enable number matching, document a help-desk verification protocol, and reduce admin session lifetimes.

Your identity provider logs will show legitimate authentications because — in every breach scenario above — the authentication was legitimate. The trust was misplaced.

Visit consult.lil.business for a free cybersecurity assessment tailored to your SMB's identity stack.

References

1. ACSC Essential Eight Maturity Model
2. Microsoft Security Blog — AI-Enabled Device Code Phishing Campaign, April 2026
3. NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
4. CISA Advisory AA23-158A — Scattered Spider Ransomware and Extortion
5. Obsidian Security — Token-Based Attacks: How Attackers Bypass MFA