Your MFA Isn't Enough Anymore — The 3-Layer Defence Stack That Actually Stops Modern Attackers

---

Why "We Have MFA" Is No Longer Enough

If you've been thinking "we've got multi-factor authentication turned on, we're sorted" — you're not alone. Most business owners were told exactly that by their IT provider five years ago. And five years ago, it was largely true.​‌‌​‌‌​‌‍​‌‌​​‌‌​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The threat has evolved. According to the CyberCX 2026 Threat Report, which analysed more than 100 serious cyber incidents handled by their Digital Forensics and In

cident Response team, cyber extortion is now the most common incident type — and attackers are using a technique called adversary-in-the-middle (AiTM) session hijacking to make MFA almost irrelevant [1].

Here is how it works. When you log in to a service and pass your MFA challenge, your browser receives a session token — a small file that tells the website "this person authenticated successfully." AiTM phishing kits sit between you and the real website in real time, capturing that session token the moment you log in. From that point, the attacker has a valid, authenticated session. Your MFA code was real, your password was real, but the attacker never needed either of them after login [3].​‌‌​‌‌​‌‍​‌‌​​‌‌​‍​‌‌​​​​‌‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌‌​​‌‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​‌‌​‌‍​​‌​‌‌​‌‍​​‌‌​​‌‌‍​‌‌​‌‌​​‍​‌‌​​​​‌‍​‌‌‌‌​​‌‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​​‌‌​‍​‌‌​​‌​‌‍​‌‌​‌‌‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

The CyberCX report links the rise of AiTM attacks to the broader availability of low-cost phishing-as-a-service kits, which have reduced the technical skill needed to run large-scale campaigns. This is not a nation-state threat reserved for governments — it is a commodity attack available to any financially motivated criminal for a monthly subscription [1][7].

Related: How AI-Powered Phishing Has Changed the Game for SMBs

---

The Numbers That Should Change How You Invest in Security

The 2026 CyberCX data tells a clear story about what is actually happening in Australian and New Zealand businesses right now [1]:

Detection time has more than doubled. The median time for a financially motivated attacker to be detected inside an environment was 68 days in 2025 — up from 24 days in 2024. Attackers are taking longer to move, behaving like legitimate users to avoid triggering alerts [1].

Financial services is now #1. Financial and insurance services accounted for approximately one in five incidents CyberCX responded to — overtaking healthcare for the first time. The pattern follows the data: wherever high-value financial or personal information is processed, criminals follow [1].

Nearly 60% of attacks are financially motivated. Almost six in ten incidents were attributed to criminals seeking payment — not espionage, not hacktivism, not disruption for its own sake. Your business is a revenue target [1].

Stolen credentials remain the master key. Across cyber extortion incidents, valid accounts obtained through information stealers and social engineering were the most common initial access technique. This directly echoes Verizon's 2025 Data Breach Investigations Report, which found that credential compromise is the entry vector in the majority of breaches [5].

According to IBM's 2025 Cost of a Data Breach Report, the average breach now costs organisations USD $4.88 million globally — and small-to-medium businesses disproportionately bear the long-term cost because they lack the recovery resources of enterprise [6].

---

What Attackers Do With 68 Days Inside Your Network

Sixty-eight days is not a data-dumping sprint. That dwell time tells you something important: modern attackers are patient, and they are not just after your data on day one.

The CyberCX 2026 report describes a shift in how ransomware groups apply pressure during double extortion attacks — where data theft accompanies encryption. In more than a third of double extortion attacks, threat actors did not immediately advertise stolen data on their leak site (up from less than 10% the previous year) [1]. This is a deliberate psychological tactic: the threat of exposure is kept live as ongoing leverage.

During those 68 days, a financially motivated attacker may be:

• Mapping your network — identifying which systems are most valuable to encrypt or exfiltrate
• Harvesting credentials — collecting usernames and passwords from memory, browser stores, and credential managers
• Establishing persistence — creating hidden admin accounts, scheduled tasks, or backdoors to maintain access even if discovered
• Identifying your backup systems — because encrypting your primary systems while leaving a clean backup reduces their leverage

The Microsoft Digital Defense Report 2025 notes that attackers increasingly use legitimate IT tools and "living off the land" techniques — using your own software against you, which makes detection through traditional antivirus almost impossible [8].

Related: 67% of Breaches Start With a Stolen Login

---

The 3-Layer Defence Stack That Closes These Gaps

This is not about buying more tools. It is about building three overlapping layers that each independently stop a different phase of the attack chain described above. The CyberCX 2026 report, the NIST Digital Identity Guidelines (SP 800-63B), and CISA's phishing-resistant MFA guidance all point to the same framework [1][4][9].

Layer 1 — Credential Hygiene

The first and most important layer. If attackers cannot get valid credentials, AiTM has nothing to capture.

What this means for your business:

• Deploy a password manager and enforce unique passwords across every service — credentials reused from other breaches are a critical exposure
• Enable breach monitoring so you are alerted when your employees' email addresses appear in dark web credential dumps (tools like Have I Been Pwned Enterprise, or your Microsoft 365 subscription includes this in some plans)
• According to the ASD Annual Cyber Threat Report 2023-24, credential stuffing — using credentials stolen from one breach to access other services — is responsible for a significant proportion of initial access events affecting Australian organisations [2]

Layer 2 — Phishing-Resistant Authentication

Standard MFA (SMS, authenticator app codes) is vulnerable to AiTM. Phishing-resistant MFA is not — because it cryptographically binds the authentication to a specific origin domain, making intercepted tokens useless to an attacker on a different domain.

What this means for your business:

• Move your highest-value accounts (finance, admin, IT) to FIDO2/passkeys or hardware security keys (YubiKey-style devices). These cannot be phished or replayed because the credential is tied to the specific website domain [4]
• For accounts that cannot yet use passkeys, use Microsoft Authenticator with number matching or Google Prompt with device approval — these are harder to bypass than simple TOTP codes
• CISA's Phishing-Resistant MFA guidance (2023) recommends FIDO2 as the gold standard for all privileged access [4]

Layer 3 — Session and Behaviour Monitoring

Even if an attacker bypasses layers one and two via AiTM, session monitoring catches the anomaly: a valid session being used from an unexpected location, device, or time.

What this means for your business:

• Enable conditional access policies in Microsoft 365 or Google Workspace — these can block sessions from unrecognised devices or locations, even when the authentication token is valid
• Implement User and Entity Behaviour Analytics (UEBA) if your budget allows — tools like Microsoft Sentinel (included in some M365 E5 plans) flag when account behaviour suddenly changes
• Review your sign-in logs monthly — suspicious IP addresses, unusual login times, or logins from countries you don't operate in are early warning signs
• The ReliaQuest 2026 Annual Cyber Threat Report recommends reducing session token lifetimes for sensitive applications, which limits how long a stolen token remains useful to an attacker [10]

---

The Business Case: What Getting This Right Actually Saves You

Let's translate this to money, because that is the real conversation.

The average ransomware recovery for an SMB in 2025 ran between AUD $250,000 and $1.2 million when total costs are accounted for — ransom payment (if made), forensics, legal fees, regulatory notifications, and lost productivity [1][6]. That is before reputational damage or customer churn.

The 3-Layer Defence Stack above can be implemented in a staged approach. Layer 1 (credential hygiene) is achievable for most businesses within 30 days at low or zero incremental cost if you already have a Microsoft 365 subscription. Layer 2 (phishing-resistant MFA) requires hardware keys for admin accounts — budget approximately $30–80 per key, amortised over 3–5 years. Layer 3 (session monitoring) can be activated within existing Microsoft or Google enterprise plans.

Security is not an insurance grudge-purchase. When your systems stay online, your team stays productive, your clients stay trusting, and your business keeps running. That is what this investment protects.

---

FAQ

References

[1] CyberCX, "CyberCX 2026 Threat Report," CyberCX, Mar. 2026. [Online]. Available: https://cybercx.com.au/resources/

[2] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024

[3] The Hacker News, "Starkiller Phishing Suite Uses AiTM Reverse Proxy to Bypass MFA," The Hacker News, Mar. 2026. [Online]. Available: https://thehackernews.com/2026/03/starkiller-phishing-suite-uses-aitm.html

[4] CISA, "Implementing Phishing-Resistant MFA," Cybersecurity and Infrastructure Security Agency, 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/phishing-resistant-mfa

[5] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/[data-breach](https://lil.business/blog/ransomware-backup-dual-extortion-smb-recovery-stack-2026/)

[7] SecurityBrief Australia, "Cyber extortion tops 2025 attacks as AI risks escalate," SecurityBrief AU, Mar. 3, 2026. [Online]. Available: https://securitybrief.com.au/story/cyber-extortion-tops-2025-attacks-as-ai-risks-escalate

[8] Microsoft, "Microsoft Digital Defense Report 2025," Microsoft Security, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025

[9] NIST, "SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management," National Institute of Standards and Technology, 2024. [Online]. Available: https://pages.nist.gov/800-63-4/sp800-63b.html

[10] ReliaQuest, "2026 Annual Cyber Threat Report," ReliaQuest, 2026. [Online]. Available: https://reliaquest.com/campaigns/annual-threat-report-2026/

---

Is your MFA configuration actually phishing-resistant? Most businesses don't know until they're tested. Book a free security posture review with lilMONSTER — we'll map your current authentication gaps and give you a prioritised fix list, no obligation.