TL;DR
Credential-based attacks remain the top initial access vector for Australian businesses in 2026, fueled by phishing, malicious browser extensions, and supply chain credential theft. This week, you can deploy phishing-resistant multi-factor authentication, consolidate identity with single sign-on, audit your IAM for dormant accounts, and enforce zero trust identity checks — all for $5-$10 per user per month. Here is exactly how.
Why Identity Is Your Weakest Link Right Now
The 2026 Verizon DBIR confirms what security teams have been watching accelerate: attacks are living in the browser. Phishing, shadow AI usage, malicious extensions, and credential theft increasingly bypass traditional perimeter controls because they happen inside authenticated sessions. The recent Polyfill login prompt attacks on Toshiba and Muji websites show that even major brands are being weaponized to harvest credentials at scale. Meanwhile, campaigns like IronWorm are targeting developers specifically to steal credentials and propagate across the software supply chain.
Australian businesses face an additional compliance driver. The Australian Signals Directorate's Essential Eight maturity model explicitly mandates multi-factor authentication as a core control, and regulators are increasing scrutiny on identity hygiene. NIST SP 800-63-3 has also shifted its guidance away from password complexity rules toward longer passphrases and phishing-resistant authenticators — a change many organizations have not yet adopted.
The bottom line: if your identity layer is weak, every other security control is negotiable. Here is what to fix, starting this week.
Phishing-Resistant MFA: The Single Highest-Impact Change You Can Make
Not all MFA is equal. SMS-based one-time codes and email verification are vulnerable to SIM swapping, real-time phishing proxies, and adversary-in-the-middle attacks. NIST SP 800-63-3 at Authenticator Assurance Level 2 (AAL2) and above requires cryptographic proof of possession — not just something you know. The ASD Essential Eight MFA control similarly expects phishing-resistant methods for privileged accounts and remote access.
What to deploy this week:
- FIDO2 hardware keys (YubiKey 5 series): The gold standard. Each key costs approximately $55-$75 AUD per unit and works with Microsoft Entra ID, Google Workspace, Okta, and most major SaaS platforms. Issue them to all admin and privileged accounts first, then roll out to all staff. YubiKeys are immune to phishing because the cryptographic challenge is bound to the actual domain — a fake login page cannot replay the response.
- Microsoft Authenticator with number matching: If hardware tokens are not in the budget this week, enable number matching in Entra ID. It is free on existing Microsoft 365 licenses and significantly raises the bar over basic push notifications. Navigate to Entra ID > Security > Authentication methods > Microsoft Authenticator and enable number matching and additional context.
- Passkeys: Google Workspace and Okta now support device-bound passkeys as an authenticator. These are free and phishing-resistant. Enable them as a second factor or a passwordless primary authenticator depending on your risk tolerance.
Quick-win checklist for MFA enforcement:
- Audit all Entra ID or Google Workspace users — identify accounts with no MFA registered
- Enable "require MFA for all users" in your identity provider within 24 hours
- Block legacy authentication protocols (IMAP, POP3, SMTP) — these cannot perform MFA and so bypass it
- Configure a 14-day grace period for users to register, then block non-compliant sign-ins
- Issue YubiKeys to all Global Admin and Privileged Role Administrator accounts immediately
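The first three checklist items as one script, added here as an example (it is not code from the original post). It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 licence for Conditional Access, and a break-glass account whose UPN is a placeholder; both policies are created in report-only mode so nothing is enforced until you flip the state after the grace period.

```powershell
# Added example, not from the original post. Placeholder values are marked below.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","Policy.ReadWrite.ConditionalAccess"

# Method types that satisfy MFA; only the first (FIDO2 keys and passkeys) is phishing-resistant.
$mfaTypes = @(
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Step 1: enabled users with nothing beyond password, SMS or email registered.
$noMfa = foreach ($u in Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $_ -in $mfaTypes })) { $u.UserPrincipalName }
}
$noMfa | Sort-Object | Set-Content .\users-without-mfa.txt
Write-Output "$(@($noMfa).Count) enabled users have no MFA method registered"

# Break-glass account kept out of both policies (placeholder UPN, change it).
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.example").Id

# Step 2: require MFA for all users on all cloud apps (report-only to start).
$requireMfa = @{
    displayName    = "CA001: Require MFA for all users"
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("mfa") }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Step 3: block legacy authentication. IMAP, POP3 and SMTP AUTH clients show up as
# "other" client app types, which cannot complete an MFA challenge.
$blockLegacy = @{
    displayName    = "CA002: Block legacy authentication"
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("block") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# After the 14-day grace period, review the report-only sign-in logs and then enforce:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p1.Id -BodyParameter @{ state = "enabled" }
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id -BodyParameter @{ state = "enabled" }
```

Step 1 makes one Graph call per user, so on a large tenant run it off-hours; the report-only sign-in log shows which users and apps each policy would have affected before you enforce it.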
Cost estimate: YubiKey 5 NFC at approximately $55 AUD per user (one-time). Microsoft Authenticator and passkeys are included in existing M365 and Google Workspace licenses. Budget $0-$5/user/month for the identity platform component if you are not already licensed.
SSO Deployment: Kill the Password Sprawl
Every separate application login is a credential that can be phished, reused, or forgotten. Single sign-on collapses dozens of authentication endpoints into one identity provider, giving you centralized policy enforcement, logging, and session control.
Tool selection for Australian SMBs:
| Tool | Best For | Cost |
|---|---|---|
| Microsoft Entra ID (formerly Azure AD) | Organizations already on M365; included with Business Premium | $5-$12 AUD/user/month (Business Premium) |
| Google Workspace SSO | Organizations on Google; native SAML/OIDC support | Included with Business Standard and above |
| Okta | Best-of-breed identity; wide app catalog; strong Australian presence | $5-$10 USD/user/month |
| Authentik | Self-hosted; data sovereignty; open source | Free (self-hosted); infrastructure costs only |
Deployment steps you can complete this week:
- Inventory all business applications. Start with the top 10 by user count. Check each for SAML or OIDC support in your identity provider's app catalog.
- Configure federation for your top 5 apps. Entra ID and Okta both have pre-built integrations for Salesforce, Atlassian, Slack, Zoom, Xero, and most Australian business SaaS tools.
- Disable local application passwords. Once SSO is active, turn off each app's native password login to prevent bypass. This is critical — SSO that coexists with local passwords gives you no real security benefit.
- Enforce conditional access policies. In Entra ID, create a policy that requires compliant devices and MFA for all cloud applications. In Okta, configure a global application sign-on policy with the same constraints.
Cost estimate: Most Australian SMBs on Microsoft 365 Business Premium ($12 AUD/user/month) already have Entra ID P1 included, which provides SSO, conditional access, and MFA. Okta adds $5-$10 USD/user/month for organizations wanting a vendor-neutral identity layer.
IAM Hygiene: Audit, Clean, and Enforce Least Privilege
Dormant accounts, over-privileged service accounts, and orphaned credentials are a silent risk. Attackers routinely target stale accounts because they often have lingering permissions and no active owner to notice suspicious activity. CIS Controls v8 (Control 5: Account Management) explicitly requires organizations to establish and maintain an account lifecycle process, including regular review and deprovisioning.
Run this audit this week:
- Find dormant accounts: In Entra ID, run `Get-MgUser -Filter "signInActivity/lastSignInDateTime le 2026-03-06T00:00:00Z" -All` to find users who have not signed in for 90+ days (the filter needs a full ISO 8601 timestamp and the AuditLog.Read.All permission). Disable accounts that have been inactive for more than 30 days; delete after 90 days of confirmed inactivity.
- Audit admin role assignments: In Entra ID, navigate to Roles & admins and review all Global Administrator, Privileged Role Administrator, and Exchange Administrator assignments. Target fewer than 5 permanent Global Admins for an organization under 500 users. Move all other admins to Privileged Identity Management (PIM) with just-in-time activation.
- Service account cleanup: Inventory all service principals and app registrations. Rotate credentials for any that have not been rotated in 90 days. Delete unused registrations.
- Password policy enforcement: Drop forced password rotation (NIST SP 800-63-3 recommends against periodic rotation). Instead, enforce minimum 15-character passphrases, block the top 100,000 breached passwords using Entra ID's banned password list, and require MFA on every account.
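The dormant-account, admin-role and service-account steps above as one dry-run audit script, added as an example (not the post's own script). It assumes the Microsoft.Graph PowerShell SDK and Entra ID P1 (the signInActivity property needs it); the disable action carries -WhatIf so the first run only reports.

```powershell
# Added example, not from the original post. Remove -WhatIf on Update-MgUser to apply changes.
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All","Application.Read.All"
$now = Get-Date

# Step 1: dormant accounts. Users who never signed in are aged from their creation date,
# so a brand-new account is not disabled by mistake.
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property Id,UserPrincipalName,CreatedDateTime,SignInActivity
foreach ($u in $users) {
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $last) { $last = $u.CreatedDateTime }
    $idleDays = ($now - $last).Days
    if ($idleDays -ge 90) {
        Write-Output "DELETE-CANDIDATE $($u.UserPrincipalName) ($idleDays days idle)"
    } elseif ($idleDays -ge 30) {
        Update-MgUser -UserId $u.Id -AccountEnabled:$false -WhatIf
        Write-Output "DISABLE $($u.UserPrincipalName) ($idleDays days idle)"
    }
}

# Step 2: permanent Global Administrator assignments (target: fewer than 5; move the rest to PIM).
$gaRole    = Get-MgDirectoryRole -All | Where-Object DisplayName -eq "Global Administrator"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
Write-Output "Permanent Global Admins: $($gaMembers.Count)"
foreach ($m in $gaMembers) {
    # Members can be users or service principals; print what each object exposes.
    Write-Output "  $($m.AdditionalProperties['displayName']) <$($m.AdditionalProperties['userPrincipalName'])>"
}

# Step 3: app registrations holding client secrets that have not been rotated in 90 days.
foreach ($app in Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials) {
    foreach ($cred in $app.PasswordCredentials) {
        $ageDays = ($now - $cred.StartDateTime).Days
        if ($ageDays -gt 90) {
            Write-Output "ROTATE '$($app.DisplayName)' secret $($cred.KeyId) ($ageDays days old, expires $($cred.EndDateTime))"
        }
    }
}
```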
Password manager deployment: Issue 1Password Business ($12 AUD/user/month) or Bitwarden Premium ($1.50 AUD/user/month) to all staff. Configure company-wide vaults, enforce master password complexity, and integrate with your SSO provider for directory sync and provisioning.
Zero Trust Identity: Verify Every Access Request
Zero trust is not a product — it is an architecture principle. For identity, it means never trusting a session based on network location alone. Every access request must be authenticated, authorized, and continuously validated regardless of where the user sits.
Practical zero trust identity controls to enable this week:
- Risk-based conditional access: In Entra ID, enable identity protection risk policies. Configure "user risk" policy to require MFA and password change on medium-or-higher risk. Configure "sign-in risk" policy to block high-risk sign-ins outright. These policies consume real-time threat intelligence from Microsoft's signal network.
- Device compliance gating: Require that all devices accessing corporate resources are enrolled in Intune (or your MDM) and marked compliant. Non-compliant or unmanaged devices get limited access or are blocked entirely.
- Token protection (token binding): Enable token protection in Entra ID to cryptographically bind access tokens to the specific device that requested them. This prevents token theft and replay — directly countering the browser-layer credential theft highlighted in the 2026 DBIR.
- Continuous access evaluation (CAE): Enable CAE to revoke sessions in near-real-time when a user account is disabled, a conditional access policy changes, or a high-risk event is detected. Without CAE, a token can remain valid for up to an hour after the account is compromised.
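The two Identity Protection risk policies described above, created in report-only mode, as an added example (not Microsoft's or the author's code). It assumes the Microsoft.Graph PowerShell SDK, Entra ID P2 for Identity Protection, and a break-glass account whose UPN is a placeholder; device compliance, token protection and CAE stay with the portal settings described above.

```powershell
# Added example, not from the original post. Both policies start report-only.
Connect-MgGraph -Scopes "User.Read.All","Policy.ReadWrite.ConditionalAccess"
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.example").Id   # placeholder UPN

# Scope shared by both policies: every user except break-glass, every cloud app.
$common = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @("All") }
}

# User risk medium or high: require MFA and a password change. The passwordChange
# control is only accepted together with mfa and the AND operator.
$userRisk = @{
    displayName   = "CA010: User risk medium+ requires MFA and password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ userRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# Sign-in risk high: block the sign-in outright.
$signInRisk = @{
    displayName   = "CA011: Block high-risk sign-ins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in $userRisk, $signInRisk) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output "Created '$($created.DisplayName)' in report-only mode ($($created.Id))"
}
```

Watch the report-only results in the sign-in logs for a week before switching the state to enabled, and confirm the break-glass account is excluded from every policy you enforce.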
Cost estimate: Entra ID P2 ($13 AUD/user/month) includes identity protection, PIM, and advanced conditional access. Organizations on Business Premium can add P2 licenses selectively for high-value accounts. Okta's equivalent features fall within the $5-$10 USD/user/month tier.
FAQ
Is phishing-resistant MFA really necessary if we already have SMS codes?
Yes. SIM swapping attacks in Australia have increased sharply, and real-time phishing proxies like Evilginx can intercept and relay SMS codes in real time. The ACSC has specifically called out SMS as insufficient for high-risk environments. FIDO2 keys and passkeys are the only MFA methods that are provably resistant to adversary-in-the-middle phishing. If you cannot deploy hardware keys this week, start with number matching in Microsoft Authenticator and plan your FIDO2 rollout within 30 days.
How much should an Australian SMB budget for an identity security overhaul?
For a 50-person organization: Microsoft 365 Business Premium at approximately $12 AUD/user/month ($600/month total) covers Entra ID P1, conditional access, MFA, and Intune. Add 1Password Business at $12 AUD/user/month ($600/month total) for credential management. YubiKeys at $55 AUD each ($2,750 one-time) for hardware MFA. Total ongoing cost is approximately $24 AUD/user/month, with a one-time hardware investment. Organizations wanting to start lean can use included Authenticator and passkeys, bringing the ongoing cost to approximately $12 AUD/user/month with zero additional hardware.
What about the ASD Essential Eight — does this satisfy the MFA control?
The Essential Eight MFA control (within the "Restrict Microsoft Office Macro Settings" and broader application control framework) specifically requires MFA for all remote access, all privileged accounts, and all access to important data repositories. Deploying phishing-resistant MFA via Entra ID with conditional access, enforcing it on all users, and eliminating legacy authentication protocols satisfies MFA Maturity Level 2 and partially satisfies Maturity Level 3. You should also document your MFA enforcement in your Essential Eight assessment to demonstrate compliance during IRAP reviews.
Can we deploy SSO without disrupting operations?
Yes, with phased rollout. Start by enabling SSO in "shadow mode" — configure federation but do not disable local passwords yet. Let users authenticate via SSO while local passwords remain as a fallback. Monitor adoption for two weeks, then disable local passwords for each application in batches. Communicate the change in advance, provide a short login walkthrough, and have IT support available during cutover. Most organizations complete full SSO cutover for their top 10 applications within a single week.
Conclusion
Your identity layer is the front door to every system, every data store, and every business process. The threats are not theoretical — the 2026 Verizon DBIR, the Toshiba and Muji credential harvesting attacks, and the IronWorm supply chain campaign all demonstrate that credential theft is the primary attack vector right now. The good news is that the controls are well-understood, well-documented, and achievable within days for most Australian businesses.
Start with the highest-impact action: enforce phishing-resistant MFA on every account. Then consolidate identity with SSO, audit and clean your IAM, and enable zero trust access policies. These are not multi-year transformation projects. They are configuration changes you can make this week.
Visit consult.lil.business for a free cybersecurity assessment — we will review your current identity posture, map it against the ASD Essential Eight and NIST SP 800-63-3, and give you a prioritized action plan tailored to your environment.
References
- NIST Special Publication 800-63-3: Digital Identity Guidelines
- ASD Essential Eight Maturity Model — Australian Cyber Security Centre
- CIS Controls v8 — Center for Internet Security
- 2026 Verizon Data Breach Investigations Report
- Microsoft Entra ID Identity Protection Documentation
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
ELI10: Hackers Are Logging In, Not Breaking In
Explained Like You're 10 — by lilMONSTER at lil.business
Imagine your business office has a special entry card system. Every employee gets a card that unlocks the door. It's secure — or so you think.
Now imagine a stranger finds a copy of one of your employee's entry cards. They walk right through the front door. They look like a normal person. They walk to the filing cabinet. They copy everything. And they're gone in an hour.
That is how 90% of major cyberattacks work in 2026.
Not Hollywood hacking — just someone with your employee's password, walking right in.
The Speed Problem
A new security report released this week — by a company called Palo Alto Networks, which investigated over 750 major cyberattacks around the world — found something alarming: attackers now move from "got in" to "stole everything" in as little as 72 minutes.
That's four times faster than the year before.
The reason? AI tools. Attackers are using AI to automatically find weaknesses, craft convincing messages, and move through computer systems faster than any human could on their own.
By the time most businesses even realise something is wrong, the attacker is already done.
How Do Attackers Get Your Passwords?
You don't have to do anything obviously wrong. Here's how it happens all the time:
- Fake login page. An employee gets an email that looks like it's from Microsoft, Google, or their bank. They click the link and type in their password — but the page is fake. Password stolen.
- Old breach. Your employee uses the same password on five different services. One of those services got hacked years ago. Attackers try that password on your systems. It works.
- Sneaky software. Someone downloads something dodgy. It quietly records every password they type and sends it to the attacker.
None of this requires the attacker to be a genius. With AI, even someone with no technical skills can run these attacks automatically at massive scale.
The Fix: A Second Lock on the Door
The single most effective thing your business can do right now costs almost nothing: turn on MFA (Multi-Factor Authentication).
MFA is like adding a second lock to your door. Even if someone has your password (the key), they also need your phone (the second lock) to get in. Microsoft found that MFA blocks 99.9% of automated password attacks.
Turn it on for:
- Business email (Gmail, Outlook)
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Banking and finance apps
- Any remote access tools
- Social media accounts
Most apps have a "Security" or "Two-Factor Authentication" setting. Enable it everywhere. Use an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) — not just SMS, which is slightly less secure.
The Second Fix: Give People Only What They Need
The report found that once attackers get in, they often roam freely because employees have more access than they actually need.
Ask your IT person: does every staff member only have access to the things they need for their job? Your junior receptionist probably doesn't need admin access to the server. Your salesperson probably doesn't need access to payroll files.
This is called the "principle of least privilege" — and it limits how far an attacker can go even if they do get in.
The Third Fix: Have a Plan
The attackers are fast. You need to be faster — and that means thinking about it before something goes wrong.
Three questions to answer today:
- If someone's email account gets hacked, who do we call?
- What do we disconnect first to stop the damage spreading?
- Do we have backups of our important data, and are they recent?
Written answers to these questions — even on a single piece of paper — are worth more than any expensive software if the moment comes.
The Big Picture
You don't need to build a fortress. You need a few strong, smart habits. MFA + reviewed permissions + a response plan covers the majority of what the world's biggest security firms see failing again and again in real attacks.
lil.business helps Australian small businesses get these basics right — quickly and without the jargon. Book a free 30-minute consult and walk away with a clear list of what to do first.
References
[1] Mandiant, "M-Trends 2026: Identity-Based Attacks and AI-Accelerated Credential Theft," Google Cloud Mandiant, Reston, VA, USA, 2026. [Online]. Available: https://www.mandiant.com/resources/m-trends-2026
[2] CISA, "Identity and Access Management Best Practices Guide: Multi-Factor Authentication and Zero Trust," Cybersecurity and Infrastructure Security Agency, Washington, DC, USA, 2026. [Online]. Available: https://www.cisa.gov/resources-tools/resources/identity-and-access-management-recommended-best-practices
[3] IBM X-Force, "X-Force Threat Intelligence Index 2026: Identity as the New Perimeter — Credential Attacks in the AI Era," IBM Security, Armonk, NY, USA, 2026. [Online]. Available: https://www.ibm.com/reports/threat-intelligence
[4] Verizon, "2026 Data Breach Investigations Report: Stolen Credentials and Identity-Based Intrusion Trends," Verizon Business, Basking Ridge, NJ, USA, 2026. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/