TL;DR

Attackers are no longer trying to break your MFA; they are sidestepping it. Across 2025 and 2026, campaigns abusing OAuth tokens, the device code flow, and adversary-in-the-middle (AiTM) phishing kits have compromised organisations of every size. If your security story ends at "we have MFA enabled", you are defending the wrong layer. Here is what happened, how it works, and what Australian SMBs can do right now.

The Attacks That Changed the Rules

Three incidents from the past 18 months demonstrate how identity-layer attacks have evolved well beyond password guessing.

Storm-2372 / EvilTokens device code phishing (2025-2026). Microsoft's Defender Research team documented a campaign that weaponised the OAuth device code flow, the same mechanism a smart TV uses to sign into a streaming service. Attackers spun up thousands of short-lived backend nodes on platforms such as Railway.com to request a fresh device code the moment a victim clicked a phishing link, so the 15-minute expiry of a device code had not run out by the time the victim reached the sign-in page. AI-generated phishing emails, tailored to roles such as finance managers and executives, carried lures styled as invoices, RFPs, and voicemail notifications. Victims entered the code at the genuine microsoft.com/devicelogin page and completed MFA, at which point tokens were issued to whichever client was polling with that code: the attacker's backend. MFA was satisfied, for the attacker's session.

Salesloft / Drift OAuth token theft (2025). Attackers did not phish a single user. Instead, they compromised OAuth tokens linking the Salesloft platform to Salesforce via a Drift chatbot integration. Because OAuth tokens sit between applications — not between users and applications — no login screen was involved, and no MFA challenge was triggered. The stolen tokens quietly unlocked hundreds of Salesforce tenants. Google's Threat Intelligence Group later confirmed the attackers also used the same tokens to access Google Workspace email through connected integrations. This was lateral movement through trust chains most organisations do not even know exist.

AiTM phishing via EvilGinx and Tycoon 2FA kits (ongoing). Phishing-as-a-service toolkits such as EvilGinx3, EvilProxy, and Tycoon 2FA let low-skill operators run adversary-in-the-middle attacks at scale. A victim clicks a link, sees what looks like the real Microsoft 365 login, enters credentials, completes an MFA prompt — and the proxy captures the resulting session cookie. The attacker pastes that cookie into their own browser and is in. MFA technically succeeded; the attacker simply stole the result. Cisco Talos reported that half of their 2025 incident responses involved some form of MFA bypass.

How the Bypasses Work

The common thread across all three attacks is session-level compromise after authentication. Here is the trust-chain failure in plain terms:

  1. Device code abuse. The attacker starts a legitimate OAuth device code flow and hands the victim the user code to approve. The victim signs in with MFA at the real Microsoft page. The tokens are issued to whichever client is polling the token endpoint with that device code, which is the attacker's backend, not the victim's device.
  2. OAuth token theft. An integration token between two SaaS apps is compromised. The refresh tokens behind these integrations are typically long-lived, and they are never subject to MFA because they represent app-to-app trust, not user-to-app trust.
  3. AiTM session hijacking. A reverse proxy relays the real login page in real time, captures the session cookie issued after MFA, and the attacker replays it from their own browser. No credential reuse, no brute force, no MFA defeat, just theft of the authenticated session.

In every case, the sign-in logs show success and the MFA logs show success. There is no password reset, no failed attempt, and no alert, and the sign-in itself can come from a plausible address. The tell is what happens afterwards: the token or cookie is used from the attacker's infrastructure, often from a different network or country within minutes, and that second use is silent unless something is watching post-authentication activity. That is what makes these attacks so dangerous for SMBs with limited detection capability.
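The two post-authentication signatures described above can be pulled out of sign-in logs with very little code. The example below is added here and is not code from the original post or from Microsoft; the records are constructed samples whose field names are modelled on the Microsoft Graph `signIn` resource (userPrincipalName, createdDateTime, ipAddress, location, authenticationProtocol, isInteractive, sessionId, status), which is an assumption to check against your own export. It flags every successful sign-in completed through the device code flow, and every session whose id is reused from a second IP address within an hour of the sign-in that created it, which is the shape of cookie replay after AiTM.

```python
"""
Triage of Entra ID sign-in records for device code flow sign-ins and for
session replay from a second network location. Records are CONSTRUCTED;
the field names are an assumption modelled on the Graph signIn resource.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=1)

SIGN_INS = [  # constructed sample: one normal user, one device-code victim, one AiTM victim
    {"userPrincipalName": "alice@example.com.au", "createdDateTime": "2026-03-02T08:05:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"},
     "authenticationProtocol": "oAuth2", "isInteractive": True,
     "sessionId": "s-alice-1", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com.au", "createdDateTime": "2026-03-02T08:06:00Z",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "AU"},
     "authenticationProtocol": "oAuth2", "isInteractive": False,
     "sessionId": "s-alice-1", "status": {"errorCode": 0}},
    # Device code phishing: the victim approved a code, so the token went to the
    # attacker's polling backend and the record carries the deviceCode protocol.
    {"userPrincipalName": "bob@example.com.au", "createdDateTime": "2026-03-02T09:12:00Z",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "isInteractive": True,
     "sessionId": "s-bob-1", "status": {"errorCode": 0}},
    # AiTM: the interactive login is recorded from whatever reached Microsoft (the
    # proxy); the stolen cookie is then replayed silently from the operator's box.
    {"userPrincipalName": "carol@example.com.au", "createdDateTime": "2026-03-02T10:00:00Z",
     "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "AU"},
     "authenticationProtocol": "oAuth2", "isInteractive": True,
     "sessionId": "s-carol-1", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com.au", "createdDateTime": "2026-03-02T10:04:00Z",
     "ipAddress": "192.0.2.200", "location": {"countryOrRegion": "RU"},
     "authenticationProtocol": "oAuth2", "isInteractive": False,
     "sessionId": "s-carol-1", "status": {"errorCode": 0}},
]


def _ts(rec):
    return datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def successful(records):
    # errorCode 0 is a successful sign-in; failures are a different investigation.
    return [r for r in records if r["status"]["errorCode"] == 0]


def device_code_sign_ins(records):
    """Successful sign-ins completed via the OAuth device code flow. Unless the
    business runs something that genuinely needs it, each one is a finding:
    the user approved a code that someone else's client polled for."""
    return [r for r in successful(records) if r["authenticationProtocol"] == "deviceCode"]


def session_replays(records, window=REPLAY_WINDOW):
    """Same session id used from a second IP address within `window` of the
    sign-in that created the session: the shape of cookie replay after AiTM."""
    by_session = defaultdict(list)
    for r in successful(records):
        by_session[r["sessionId"]].append(r)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=_ts)
        first = recs[0]
        for later in recs[1:]:
            if later["ipAddress"] != first["ipAddress"] and _ts(later) - _ts(first) <= window:
                findings.append({
                    "user": later["userPrincipalName"], "sessionId": sid,
                    "first_ip": first["ipAddress"],
                    "first_country": first["location"]["countryOrRegion"],
                    "replay_ip": later["ipAddress"],
                    "replay_country": later["location"]["countryOrRegion"],
                    "minutes_later": int((_ts(later) - _ts(first)).total_seconds() // 60),
                })
    return findings


def triage(records):
    return {
        "device_code": [r["userPrincipalName"] for r in device_code_sign_ins(records)],
        "session_replay": session_replays(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGN_INS), indent=2))
```

An IP change inside a session is noisy on its own (a laptop moving from office Wi-Fi to a phone hotspot does the same), so treat the country change and the short gap as the stronger filters, and tune the window to your own data. Entra's Identity Protection surfaces similar signals as sign-in risk; the point of the code is to show exactly which fields carry them.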

Three Defences Australian SMBs Can Deploy Now

1. Tighten help-desk and admin verification protocols. Scattered Spider's attacks on MGM and Caesars proved that a convincing phone call to the IT help desk can reset MFA for an attacker. Require a callback to the employee's registered number, a manager approval, or a secondary verification channel before resetting credentials or disabling MFA. Document the procedure and audit it quarterly.

2. Enable number matching and context-aware MFA. In Microsoft Entra ID, number matching for Authenticator push notifications is now enforced by default; confirm nobody has switched it off. It forces the user to type the number shown on the sign-in screen into their phone, which stops blind approval of a push the user did not initiate. Number matching does nothing against AiTM or device code phishing, though, because in those attacks the user really is signing in. For those, add Conditional Access policies that require a compliant device and block the device code flow outright (Conditional Access has an authentication flows condition for exactly this, and very few SMBs have a legitimate need for the flow), and turn on sign-in risk policies to catch impossible-travel and unfamiliar-location sign-ins. Where your identity provider supports it, bind tokens to the originating device (Token Protection in Entra) so a stolen cookie or token cannot be replayed from another machine, and move administrators and finance staff to phishing-resistant methods such as passkeys or FIDO2 security keys, which an AiTM proxy cannot relay.

3. Audit OAuth integrations and monitor admin activity. Inventory every third-party application connected to your Microsoft 365, Google Workspace, Salesforce, or CRM tenant, including which permissions (scopes) each one holds and when it last signed in. Remove unused integrations and anything from an unverified publisher that can read mail or files. Restrict user consent so only administrators can approve new OAuth applications. Set up alerts for new inbox rules (a common persistence tactic, especially rules that hide mail in folders such as RSS Subscriptions or forward it outside the organisation), changes to forwarding addresses, and new OAuth consent grants. Review these alerts weekly, not quarterly, and know in advance how you would revoke an integration's tokens if it were reported compromised.
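The second defence above is a set of Conditional Access settings, and the easiest mistake is to assume an MFA-only policy already covers it. The example below is added here and is not code from the original post or from Microsoft; it compares a constructed "MFA for everyone" policy set with a hardened set that also blocks the device code flow and requires a compliant device with Token Protection, then reports which of the three controls is missing. The policy shape is an assumption modelled on the Microsoft Graph conditionalAccessPolicy resource (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, sessionControls.secureSignInSession); confirm the field names against the current Graph reference before running it over your own exported policies.

```python
"""
Coverage check for three Conditional Access controls: block the device code
flow, require a compliant device, bind tokens to the device (Token Protection).
Policies are CONSTRUCTED; their shape is an assumption modelled on the Graph
conditionalAccessPolicy resource.
"""


def _policy(name, state, include_apps, flows, operator, controls, session):
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                           "applications": {"includeApplications": include_apps},
                           "authenticationFlows": flows},
            "grantControls": {"operator": operator, "builtInControls": controls},
            "sessionControls": session}


# The common starting point: MFA for everyone and nothing else.
WEAK_POLICIES = [
    _policy("Require MFA for all users", "enabled", ["All"], None, "OR", ["mfa"], None),
]

# The hardened set adds a block on device code flow, plus compliant device
# and token protection for Microsoft 365.
HARDENED_POLICIES = WEAK_POLICIES + [
    _policy("Block device code flow", "enabled", ["All"],
            {"transferMethods": "deviceCodeFlow"}, "OR", ["block"], None),
    _policy("M365: compliant device + token protection", "enabled", ["Office365"], None,
            "AND", ["mfa", "compliantDevice"], {"secureSignInSession": {"isEnabled": True}}),
]


def _enabled(p):
    # Report-only ("enabledForReportingButNotEnforced") policies enforce nothing.
    return p.get("state") == "enabled"


def _all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])


def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))


def blocks_device_code(p):
    # transferMethods is a comma-separated flags string, e.g. "deviceCodeFlow,authenticationTransfer"
    flows = p["conditions"].get("authenticationFlows") or {}
    methods = {m.strip() for m in flows.get("transferMethods", "").split(",")}
    return _enabled(p) and _all_users(p) and "deviceCodeFlow" in methods and "block" in _controls(p)


def requires_compliant_device(p):
    return _enabled(p) and _all_users(p) and "compliantDevice" in _controls(p)


def has_token_protection(p):
    session = p.get("sessionControls") or {}
    return _enabled(p) and bool((session.get("secureSignInSession") or {}).get("isEnabled"))


def assess(policies):
    """Which of the three controls is provided by at least one enforced policy."""
    return {"device_code_blocked": any(blocks_device_code(p) for p in policies),
            "compliant_device_required": any(requires_compliant_device(p) for p in policies),
            "token_protection": any(has_token_protection(p) for p in policies)}


def gaps(policies):
    return [control for control, ok in assess(policies).items() if not ok]


if __name__ == "__main__":
    print("weak set gaps:", gaps(WEAK_POLICIES))
    print("hardened set gaps:", gaps(HARDENED_POLICIES))
```

Two things the check deliberately refuses to credit: a policy left in report-only mode, and a device code block scoped to a subset of users (the phishing email will find whoever is excluded). Token Protection currently applies to supported native clients rather than browser sessions, so it narrows cookie replay without eliminating it; the browser case is where phishing-resistant credentials earn their keep.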
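The third defence is mostly a question of what to look for in two inventories: the consent grants your tenant has handed to third-party apps, and the inbox rules sitting in user mailboxes. The example below is added here and is not code from the original post; it runs both audits over constructed sample records. Field names (clientId, consentType, scope, verifiedPublisher, lastSignIn for grants; conditions.subjectContains, actions.moveToFolder, actions.forwardTo for rules) are assumptions loosely modelled on the Graph oauth2PermissionGrant and messageRule resources, and the risky-scope and hiding-folder lists are starting points to extend, not a complete catalogue.

```python
"""
Two post-login checks: (1) triage of OAuth consent grants and (2) triage of
mailbox inbox rules. All records are CONSTRUCTED samples and the field names
are assumptions; nothing here calls Graph or Exchange.
"""
from datetime import date

# Scopes that let an app read, send or move mail, hold a refresh token, or act as the user.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                    "Files.ReadWrite.All", "offline_access", "full_access_as_user",
                    "EWS.AccessAsUser.All"}
STALE_DAYS = 90
TODAY = date(2026, 3, 2)  # fixed so the example is reproducible

GRANTS = [  # constructed
    {"clientId": "app-1", "displayName": "Contoso Expense Sync", "verifiedPublisher": True,
     "consentType": "AllPrincipals", "scope": "User.Read offline_access", "lastSignIn": "2026-02-28"},
    {"clientId": "app-2", "displayName": "Free PDF Viewer", "verifiedPublisher": False,
     "consentType": "Principal", "scope": "Mail.ReadWrite offline_access", "lastSignIn": "2026-03-01"},
    {"clientId": "app-3", "displayName": "Old CRM Connector", "verifiedPublisher": True,
     "consentType": "AllPrincipals", "scope": "Mail.Read Files.ReadWrite.All offline_access",
     "lastSignIn": "2025-09-15"},
]


def audit_grants(grants, today=TODAY):
    """Flag grants from an unverified publisher holding mail/file scopes, tenant-wide
    (admin) consent to mail/file scopes, and apps unused for longer than STALE_DAYS."""
    findings = []
    for g in grants:
        risky = set(g["scope"].split()) & HIGH_RISK_SCOPES
        reasons = []
        if risky and not g["verifiedPublisher"]:
            reasons.append("unverified publisher holding " + ", ".join(sorted(risky)))
        if g["consentType"] == "AllPrincipals" and risky - {"offline_access"}:
            reasons.append("tenant-wide (admin) consent to mail/file scopes")
        idle = (today - date.fromisoformat(g["lastSignIn"])).days
        if idle > STALE_DAYS:
            reasons.append(f"no sign-in for {idle} days")
        if reasons:
            findings.append({"app": g["displayName"], "clientId": g["clientId"], "reasons": reasons})
    return findings


INTERNAL_DOMAINS = {"example.com.au"}
# Folders attackers move mail into so the victim never sees replies or security alerts.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email",
                  "deleted items", "archive"}
LURE_WORDS = {"invoice", "payment", "password", "mfa", "security", "bank", "wire", "hacked"}

RULES = [  # constructed
    {"mailbox": "bob@example.com.au", "name": ".", "enabled": True,
     "conditions": {"subjectContains": ["invoice", "payment", "password"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True, "forwardTo": [], "delete": False}},
    {"mailbox": "alice@example.com.au", "name": "Newsletters", "enabled": True,
     "conditions": {"fromAddresses": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": False, "forwardTo": [], "delete": False}},
    {"mailbox": "carol@example.com.au", "name": "Backup", "enabled": True,
     "conditions": {},
     "actions": {"moveToFolder": None, "markAsRead": False, "forwardTo": ["c.backup@gmail.com"], "delete": False}},
]


def audit_inbox_rules(rules):
    """Flag enabled rules that forward externally, hide or delete mail, key on
    fraud-related subject words, or carry a deliberately unhelpful name."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        actions, conds = r["actions"], r["conditions"]
        reasons = []
        external = [a for a in actions.get("forwardTo", [])
                    if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if external:
            reasons.append("forwards to external " + ", ".join(external))
        if (actions.get("moveToFolder") or "").lower() in HIDING_FOLDERS or actions.get("delete"):
            reasons.append("hides or deletes matching mail")
        hits = {w.lower() for w in conds.get("subjectContains", [])} & LURE_WORDS
        if hits:
            reasons.append("keyed on " + ", ".join(sorted(hits)))
        if not r["name"].strip(" .,-_"):
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"mailbox": r["mailbox"], "rule": r["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps({"grants": audit_grants(GRANTS), "rules": audit_inbox_rules(RULES)}, indent=2))
```

The grant audit is intentionally lenient on `offline_access` by itself (almost every legitimate integration needs a refresh token) and strict on the combination of tenant-wide consent with mail or file access, because that is the combination the Salesloft-style token theft exploits: one stolen token, every mailbox. On the Microsoft side, the rule names, folder names and forwarding targets come from the same data that the inbox-rule alert would carry, so the same checks can run as the alert fires rather than in a weekly batch.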

FAQ

Is MFA still worth enabling? Yes. MFA blocks the majority of automated credential-stuffing and password-spray attacks. The problem is not that MFA is broken — it is that MFA alone stops too early. Pair it with post-authentication controls like session monitoring and conditional access.

We are a 20-person business. Are we really a target? Absolutely. AiTM phishing kits are sold as services for under $100 a month. Attackers cast wide nets. Australian SMBs using Microsoft 365 or Google Workspace are prime targets because the platforms are ubiquitous and the attack paths are well-documented.

What should I ask my IT provider right now? Ask three questions: How do we detect session hijacking today? Can we revoke OAuth tokens immediately if an integration is compromised? Do we monitor authenticated behaviour — not just logins? If the answers are vague, you have a gap.

Conclusion

The identity layer is the new perimeter, and attackers have figured out how to walk right through it while your MFA holds the door open. Device code phishing, OAuth token abuse, and AiTM session theft are not theoretical — they are operational right now, targeting organisations of every size across Australia.

The good news is that practical defences exist and can be deployed in days, not months. Start with number matching, audit your OAuth integrations, and demand post-login monitoring from your IT team or provider.

Visit consult.lil.business for a free cybersecurity assessment — we will check your identity controls, integration exposure, and MFA configuration against the threats that matter in 2026.

References

  1. Microsoft Security Blog, "Inside an AI-enabled device code phishing campaign," April 2026. https://www.microsoft.com/en-us/security/blog/2026/04/06/ai-enabled-device-code-phishing-campaign-april-2026/
  2. Grip Security, "Inside the Salesloft Breach: A New Era of Salesforce Attacks," August 2025. https://www.grip.security/blog/salesloft-breach-oauth-salesforce-attacks
  3. Australian Cyber Security Centre, "Joint advisory on MFA bypass techniques," 2025. https://www.cyber.gov.au/threats

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation