TL;DR
MFA alone no longer stops determined attackers. Throughout 2025 and early 2026, threat groups including ShinyHunters, Scattered Spider, and state-linked actors have bypassed multi-factor authentication using vishing, adversary-in-the-middle phishing, and OAuth token theft, targeting SaaS platforms, identity providers, and cloud consoles. Australian SMBs relying on push-based MFA without additional identity-layer controls are the softest target. Three practical defences close the gaps attackers are exploiting right now: help-desk verification protocols, phishing-resistant MFA (passkeys or FIDO2 keys, with number matching on any push fallback), and session token monitoring.
The Identity Breach Era: Why 2025-2026 Changed Everything
For years, the cybersecurity industry told small businesses one thing: turn on MFA and you're safe. That advice is now dangerously incomplete. From the casino floors of Las Vegas to the Microsoft 365 tenants of mid-market Australian firms, attackers have demonstrated — repeatedly — that MFA is a speed bump, not a wall.
Between 2023 and early 2026, a series of high-impact identity-layer breaches rewrote the threat landscape. The common thread: attackers didn't break encryption or crack passwords. They manipulated trust chains — the human and technical assumptions that sit between authentication steps. For Australian SMBs running Microsoft 365, Google Workspace, or SaaS-heavy stacks,
Three Breaches That Redefined the Identity Threat
1. Scattered Spider and the Help-Desk Kill Chain (2023, Still Active)
In late August and September 2023, Scattered Spider, a loosely organised social-engineering collective operating as an affiliate of the ALPHV/BlackCat ransomware operation, breached Caesars Entertainment and then MGM Resorts. The attack didn't start with malware. It started with a phone call.
Attackers researched employees on LinkedIn, called the internal IT help desk, impersonated those employees, and convinced support staff to reset MFA tokens and enrol new devices. Once inside the Okta environment, they moved laterally into financial systems and guest services. MGM estimated losses of over $100 million. Caesars reportedly paid a $15 million ransom.
How MFA failed: The help desk was the MFA bypass. No password was cracked and no one-time code was phished; support staff were talked into resetting the factor and enrolling a device the attacker controlled. This technique, vishing (voice phishing), remains the most reliable way into an otherwise well-defended identity environment because it attacks the recovery process rather than the factor itself.
Mandiant's January 2026 disclosure of new ShinyHunters activity (tracked as UNC6661 and UNC6671) confirmed this pattern is accelerating. Attackers posed as IT staff, directed employees to credential-harvesting sites styled to match the victim's own company, and captured both SSO credentials and one-time MFA codes in real time. Once armed with valid sessions, they registered attacker-controlled devices for MFA, exfiltrated SharePoint and OneDrive data, and launched extortion campaigns. Okta confirmed customer accounts were compromised.
2. Storm-0558 and the Microsoft Signing Key Compromise (2023)
In mid-2023, a Chinese state-linked actor tracked as Storm-0558 gained access to Outlook Web Access and Exchange Online mailboxes at around 25 organisations, including US government agencies, using a stolen Microsoft account (MSA) consumer signing key. With that key the attacker minted access tokens for enterprise accounts, and a validation flaw in Microsoft's token-checking code accepted tokens signed with the consumer key as though they had been issued by the enterprise identity platform (Azure AD, now Entra ID).
How MFA failed: The forged tokens carried a valid signature from a key Microsoft trusted, so the mail service never asked for a password or a second factor: from its perspective the user had already authenticated. No MFA prompt was triggered because, from the identity provider's perspective, the token had already been issued legitimately. The breach exposed a fundamental truth: if the signing key trust chain is compromised, every downstream MFA-dependent system becomes irrelevant, and only key scoping and revocation on the issuer's side can close the hole.
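A simplified model of that validation flaw, added here as an illustration and not Microsoft's code: two JWT validators, one that resolves the key ID against a merged keyset regardless of which issuer the key belongs to (the failure class behind Storm-0558), and one that only accepts keys published for the issuer the token names. Issuer URLs, key IDs, secrets and the audience are invented, and HS256 shared secrets stand in for the RSA signatures Microsoft actually uses; the scoping logic is the same for either algorithm.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: issuers, key IDs and secrets are invented. Microsoft's real
# signing keys are RSA; HS256 shared secrets are used here so the block runs with
# only the standard library. The key-scoping logic is identical for RS256.
CONSUMER_ISSUER = "https://login.live.com"  # consumer (MSA) token issuer, illustrative
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"  # hypothetical tenant
AUDIENCE = "https://outlook.office.com"  # resource the token is meant for
KEYS_BY_ISSUER = {
    CONSUMER_ISSUER: {"msa-key-1": b"consumer-signing-secret"},
    ENTERPRISE_ISSUER: {"aad-key-1": b"enterprise-signing-secret"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Mint a JWT the way an issuer (or an attacker holding the issuer's key) would."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def _parse(token: str):
    header_b64, claims_b64, sig_b64 = token.split(".")
    signing_input = header_b64 + "." + claims_b64
    return (json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64)),
            b64url_decode(sig_b64), signing_input)


def _check(claims: dict, sig: bytes, signing_input: str, key: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return (hmac.compare_digest(sig, expected)
            and claims.get("aud") == AUDIENCE
            and claims.get("exp", 0) > time.time())


def verify_naive(token: str) -> bool:
    """Flawed validator: resolves 'kid' against a merged keyset, so a key published for
    the consumer issuer is accepted on a token that claims the enterprise issuer."""
    header, claims, sig, signing_input = _parse(token)
    merged = {kid: key for keys in KEYS_BY_ISSUER.values() for kid, key in keys.items()}
    key = merged.get(header.get("kid"))
    return key is not None and _check(claims, sig, signing_input, key)


def verify_scoped(token: str) -> bool:
    """Correct validator: the key must be one published for the issuer the token names."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS_BY_ISSUER.get(claims.get("iss"), {}).get(header.get("kid"))
    return key is not None and _check(claims, sig, signing_input, key)


def legitimate_token() -> str:
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "jo@contoso.example",
              "exp": int(time.time()) + 3600}
    return sign_token(claims, "aad-key-1", KEYS_BY_ISSUER[ENTERPRISE_ISSUER]["aad-key-1"])


def forged_token() -> str:
    """Attacker holds only the consumer key but claims an enterprise identity and issuer."""
    claims = {"iss": ENTERPRISE_ISSUER, "aud": AUDIENCE, "sub": "jo@contoso.example",
              "exp": int(time.time()) + 3600}
    return sign_token(claims, "msa-key-1", KEYS_BY_ISSUER[CONSUMER_ISSUER]["msa-key-1"])


if __name__ == "__main__":
    forged = forged_token()
    print("naive validator accepts forged token:", verify_naive(forged))    # True
    print("scoped validator accepts forged token:", verify_scoped(forged))  # False
    print("scoped validator accepts real token:", verify_scoped(legitimate_token()))  # True
```

The point for a customer of any identity provider is that nothing in your tenant can catch this class of forgery: the signature checks out and no MFA event is ever generated. What you can do is confirm that your own applications validate issuer and audience, not just the signature, on every token they accept, and treat a provider's signing-key incident as a full credential-rotation event.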
3. EvilProxy, Tycoon, and the Industrialisation of AiTM Phishing (2024-2026)
Adversary-in-the-middle (AiTM) phishing has been industrialised. Kits like EvilProxy and Tycoon 2FA run a reverse proxy between the victim and the legitimate login page (Microsoft 365, Google Workspace, Okta), so the victim types a real password into a real login flow and completes a real MFA prompt, while the proxy captures the password and, more importantly, the session cookie the identity provider sets once MFA succeeds. The victim sees a legitimate-looking post-login redirect. Nobody notices until data is exfiltrated.
Obsidian Security reported that token theft accounted for 31% of Microsoft 365 breaches in 2025, surpassing traditional credential compromise. Nearly 40,000 AiTM incidents were detected daily across Microsoft environments, a 146% increase. The stolen cookie grants access without re-triggering MFA because the service treats it as an already-authenticated session. A password reset alone does not end that session: in Entra ID a reset revokes refresh tokens, but an access token already issued stays valid until it expires (roughly an hour by default), and many SaaS applications keep their own session cookies alive until they are explicitly revoked. Revoking all sessions and refresh tokens together with the password change is the minimum response, and even that leaves the remaining access-token lifetime open.
Three Defences Australian SMBs Can Deploy This Month
These are not enterprise-only controls. They work for five-person consultancies and 200-person manufacturers alike.
1. Help-Desk Verification Protocols (Stops Vishing Dead)
Scattered Spider and ShinyHunters succeeded because help desks trusted a voice on the phone. Implement a two-channel verification rule: no MFA reset, device enrolment, or password change over the phone without a second verification channel. Require a live video call where the person holds up photo ID, or use a pre-registered mobile number callback. If your IT support is outsourced, this rule must be contractual. Document every identity-reset event and flag any request that arrives outside business hours — that's when Mandiant observed most ShinyHunters-style activity.
2. Phishing-Resistant MFA (Kills AiTM) and Number Matching (Kills Push Fatigue)
Push-based MFA (tap "Approve" on your phone) and SMS codes are phishable: an AiTM proxy simply relays the real prompt and the victim approves it as normal. Number matching in Microsoft Authenticator, where the user types the two-digit number shown on the login screen into the app, is worth having and has been enforced by Microsoft for all tenants since 2023, but it defeats a different attack: MFA fatigue, where an attacker who already holds the password spams push prompts until the user taps "Approve" to make them stop. It does not stop AiTM, because the proxied login page shows the victim the genuine number and the victim types it in exactly as they would on the real site. Only an authenticator that is cryptographically bound to the real login domain survives a proxy.
Even stronger: deploy FIDO2 security keys or passkeys. These are cryptographically bound to the login domain: the browser refuses to let a page on any other domain use a credential registered to login.microsoftonline.com, and the signed assertion names the origin it was created for, so a phishing proxy cannot relay it to the real service. Google's Advanced Protection Program supports this, and in Entra ID you can require it with a Conditional Access authentication strength policy; Conditional Access needs Entra ID P1, which is included in Microsoft 365 Business Premium, so there is no extra licence cost for those tenants.
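Why the proxy fails, as an added simulation rather than any vendor's code: the browser-side RP ID rule and the relying-party checks below are the ones WebAuthn specifies, run against a legitimate login, an AiTM proxy on an invented look-alike domain, and a replay of a captured assertion. login.microsoftonline.com is the real Entra ID sign-in host; the proxy domain is made up, and HMAC-SHA256 with a per-credential secret stands in for the authenticator's private key and ECDSA signature so the block needs only the standard library.

```python
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

# Constructed example. The per-credential secret and HMAC-SHA256 stand in for the
# authenticator's private key and ECDSA signature; the origin and RP ID checks are
# the ones a WebAuthn relying party actually performs.
RP_ID = "login.microsoftonline.com"
RP_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://login.microsoftonline.com.evil-proxy.example"  # invented AiTM domain
PHISH_RP_ID = "login.microsoftonline.com.evil-proxy.example"


class SecurityError(Exception):
    """The browser's refusal when a page asks for an RP ID it does not control."""


def rp_id_allowed(page_origin: str, rp_id: str) -> bool:
    """WebAuthn rule: the RP ID must equal the page's host or be a registrable suffix of it."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    def __init__(self):
        self.credentials = {}  # rp_id -> (credential_id, secret); a real device scopes keys per RP ID too

    def make_credential(self, rp_id: str):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.credentials[rp_id] = (cred_id, secret)
        return cred_id, secret  # the RP stores 'secret' in the role of the public key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        cred_id, secret = self.credentials[rp_id]
        # authenticatorData = sha256(rpId) || flags (user present) || 4-byte signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(page_origin: str, rp_id: str, challenge: str, auth: Authenticator) -> dict:
    """navigator.credentials.get() as the browser does it: the browser, not the page, writes clientDataJSON."""
    if not rp_id_allowed(page_origin, rp_id):
        raise SecurityError(f"{page_origin} may not use RP ID {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    cred_id, auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"id": cred_id, "clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(resp: dict, rp_id: str, expected_origin: str, challenge: str, stored_key: bytes) -> str:
    """Relying-party checks in spec order; returns 'ok' or the first check that fails."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return "origin mismatch"
    if resp["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    signed = resp["authenticatorData"] + hashlib.sha256(resp["clientDataJSON"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, resp["signature"]) else "bad signature"


def run_scenarios() -> dict:
    auth = Authenticator()
    _, key = auth.make_credential(RP_ID)  # the user enrolled a passkey directly with the IdP
    results = {}
    # 1. Normal login straight to the IdP.
    ch = secrets.token_urlsafe(32)
    legit = browser_get(RP_ORIGIN, RP_ID, ch, auth)
    results["legit"] = rp_verify(legit, RP_ID, RP_ORIGIN, ch, key)
    # 2. AiTM proxy relays the IdP's real challenge and asks for the IdP's RP ID from its own page.
    try:
        browser_get(PHISH_ORIGIN, RP_ID, secrets.token_urlsafe(32), auth)
        results["aitm_real_rpid"] = "browser allowed it"
    except SecurityError:
        results["aitm_real_rpid"] = "browser refused"
    # 3. Proxy asks for its own RP ID instead; the browser allows it, but the IdP sees the wrong origin.
    auth.make_credential(PHISH_RP_ID)  # worst case: the user even enrolled with the fake site
    ch = secrets.token_urlsafe(32)
    relayed = browser_get(PHISH_ORIGIN, PHISH_RP_ID, ch, auth)
    results["aitm_own_rpid"] = rp_verify(relayed, RP_ID, RP_ORIGIN, ch, key)
    # 4. Attacker replays a captured genuine assertion against a fresh server challenge.
    results["replay"] = rp_verify(legit, RP_ID, RP_ORIGIN, secrets.token_urlsafe(32), key)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a TOTP code or a push approval: both are opaque values the proxy can forward unchanged. Here the browser, not the phishing page, decides which RP ID may be used and writes the origin into the signed data, so the attacker's only options are a refusal (scenario 2) or an assertion the real service rejects (scenario 3).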
3. Session Token Monitoring and Admin Activity Alerting (Catches What Gets Through)
If a token is stolen, you need to detect its use, not its theft. Configure alerting for:
- Impossible travel: A session token used from Melbourne, then from Lagos within 10 minutes.
- Unfamiliar IP ranges or User-Agent strings: Attackers often use commodity VPS or residential proxy networks that differ from your normal patterns.
- Admin role assignment or privileged activity outside business hours: ShinyHunters actors registered MFA devices and created mailbox rules at 2:00 AM local time. Microsoft 365 Unified Audit Log and Entra ID sign-in logs surface this — but you must configure the alerts.
SaaS security posture management tools (many with free tiers for under 50 seats) automate this for Microsoft 365 and Google Workspace. The Australian Signals Directorate's Essential Eight requires centralised event logging at Maturity Level 2 and above, with logs analysed in a timely manner to detect cyber security events.
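The three alert rules above, run over constructed sample records, as an added example that is not part of the original article and not any vendor's detection content. The records use a subset of the field names found in Entra ID sign-in logs and the Microsoft 365 unified audit log, but every value is invented; the user-agent baseline, the 900 km/h travel threshold and the fixed AEDT offset are assumptions to adjust for your own tenant.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log lines in the shape of Entra ID sign-in records and Microsoft 365
# unified audit log records (a subset of the real field names; every value is invented).
SIGNIN_LOG = """
{"userPrincipalName":"jo@example.com.au","createdDateTime":"2026-02-10T23:05:00Z","ipAddress":"203.0.113.10","location":{"city":"Melbourne","countryOrRegion":"AU","lat":-37.81,"lon":144.96},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/121"}
{"userPrincipalName":"jo@example.com.au","createdDateTime":"2026-02-10T23:14:00Z","ipAddress":"198.51.100.77","location":{"city":"Lagos","countryOrRegion":"NG","lat":6.52,"lon":3.38},"userAgent":"python-requests/2.31"}
{"userPrincipalName":"sam@example.com.au","createdDateTime":"2026-02-11T01:00:00Z","ipAddress":"203.0.113.11","location":{"city":"Sydney","countryOrRegion":"AU","lat":-33.87,"lon":151.21},"userAgent":"Mozilla/5.0 (Windows NT 10.0) Edge/121"}
"""
AUDIT_LOG = """
{"UserId":"jo@example.com.au","CreationTime":"2026-02-10T15:02:00Z","Operation":"New-InboxRule","Workload":"Exchange"}
{"UserId":"jo@example.com.au","CreationTime":"2026-02-10T15:03:00Z","Operation":"User registered security info","Workload":"AzureActiveDirectory"}
{"UserId":"sam@example.com.au","CreationTime":"2026-02-11T03:30:00Z","Operation":"New-InboxRule","Workload":"Exchange"}
"""
# Assumed baseline of user agents seen over the previous 30 days (normally built from history).
KNOWN_USER_AGENTS = {"Mozilla/5.0 (Windows NT 10.0) Edge/121"}
# Operations worth paging on: mailbox rules, MFA enrolment, role changes.
PRIVILEGED_OPS = {"New-InboxRule", "Set-InboxRule", "User registered security info", "Add member to role"}
LOCAL_TZ = timezone(timedelta(hours=11))  # AEDT as a fixed offset (assumed); use zoneinfo in production
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(signins: list, max_kmh: float = 900.0) -> list:
    """Flag consecutive sign-ins per user whose implied ground speed exceeds an airliner's."""
    by_user = defaultdict(list)
    for ev in signins:
        by_user[ev["userPrincipalName"]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: ts(e["createdDateTime"]))
        for prev, cur in zip(events, events[1:]):
            gap_h = (ts(cur["createdDateTime"]) - ts(prev["createdDateTime"])).total_seconds() / 3600
            hours = max(gap_h, 1 / 60)  # floor at one minute so same-second events do not divide by zero
            km = haversine_km(prev["location"]["lat"], prev["location"]["lon"],
                              cur["location"]["lat"], cur["location"]["lon"])
            if km / hours > max_kmh:
                alerts.append({"user": user, "from": prev["location"]["city"], "to": cur["location"]["city"],
                               "km": round(km), "speed_kmh": round(km / hours), "ip": cur["ipAddress"]})
    return alerts


def unfamiliar_user_agents(signins: list, known: set = KNOWN_USER_AGENTS) -> list:
    """Sign-ins from a client string never seen in the baseline (scripted tooling, unusual browsers)."""
    return [ev for ev in signins if ev["userAgent"] not in known]


def out_of_hours_privileged(audit: list, tz: timezone = LOCAL_TZ) -> list:
    """Privileged operations whose local time falls outside business hours."""
    alerts = []
    for ev in audit:
        local = ts(ev["CreationTime"]).astimezone(tz)
        if ev["Operation"] in PRIVILEGED_OPS and local.hour not in BUSINESS_HOURS:
            alerts.append({"user": ev["UserId"], "op": ev["Operation"], "local_time": local.isoformat()})
    return alerts


def run_all() -> dict:
    signins, audit = parse_jsonl(SIGNIN_LOG), parse_jsonl(AUDIT_LOG)
    return {"impossible_travel": impossible_travel(signins),
            "unfamiliar_user_agent": unfamiliar_user_agents(signins),
            "out_of_hours_privileged": out_of_hours_privileged(audit)}


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(rule, json.dumps(hits, indent=2))
```

On the sample data the Melbourne-to-Lagos pair nine minutes apart fires the travel rule, the python-requests client fires the user-agent rule, and the 2 AM (local) inbox rule and MFA enrolment fire the out-of-hours rule, while Sam's 2:30 PM inbox rule does not. Note that the two sign-ins for Jo and the audit events are what a stolen session looks like in practice: no failed logins, no MFA prompt, just a valid session used from somewhere new, followed by persistence.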
FAQ
Q: We already use Microsoft Authenticator. Isn't that enough?
Not if push approval is your strongest method. Number matching (which Microsoft has enforced for all tenants since 2023) stops push-fatigue attacks, but an AiTM proxy relays the whole prompt, number included, so it does nothing against phishing. Enable passkeys in Authenticator under Protection > Authentication methods in the Entra admin centre, then require them for administrators and for sign-ins from outside your normal locations with a Conditional Access authentication strength policy. That is a few hours' work and closes the AiTM relay vector that push and SMS leave open.
Q: We're a small business — why would anyone target us specifically?
Most identity attacks are automated and opportunistic. AiTM phishing kits don't care who you are; they deploy at scale against every harvested credential. ShinyHunters targeted cryptocurrency and tech firms, but their techniques work identically against any Microsoft 365 or Google Workspace tenant. Small businesses are targeted because they're undefended, not because they're high-profile.
Q: How do I verify my outsourced IT provider follows these protocols?
Ask them to document their help-desk identity verification process in writing. Request confirmation that number matching is enabled across all accounts, and that sign-in logs from unfamiliar locations generate alerts. If they can't answer within 24 hours, treat it as a gap. The ACSC's Small Business Cyber Security Guide recommends annual third-party reviews of managed service providers — at minimum.
Q: What if we can't afford hardware security keys?
Passkeys stored in your device's secure hardware and unlocked with biometrics (Windows Hello, Apple Touch ID/Face ID, Android biometric) are phishing-resistant and free. Make them the preferred method and keep Authenticator push (with number matching) only as a fallback, remembering that the fallback is exactly what an AiTM kit will steer the user toward, so restrict it to managed devices or trusted locations with Conditional Access. The goal is removing push and SMS as primary MFA: start there.
Conclusion
The identity layer is the new perimeter, and it's under sustained assault. MFA bought years of protection, but the threat has evolved: attackers now target the gaps between authentication steps, namely the help desk, the signing key trust chain, and the session token. Australian SMBs that layer help-desk verification protocols, phishing-resistant MFA (passkeys or FIDO2 keys), and session token alerting close those gaps without enterprise-level budgets.
Every week without these controls is a week your MFA is theatre, not defence.
Next step: Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs. Get your identity-layer controls reviewed before an attacker does it for you.
References
Token-Based Attacks: How Attackers Bypass MFA — Obsidian Security, February 2026
Identity is the New Perimeter — How Attackers Bypass MFA in 2026 — Security In 45
OAuth Token Theft: Why Your SSO and MFA Won't Save You — OpSec Forge, 2026
Inside an AI‑Enabled Device Code Phishing Campaign — Microsoft Security Blog, April 2026
Abusing Trust: OAuth, SSO, and Identity as the New Attack Surface — Cynox Security (Medium)
TL;DR
- A website called CarGurus had 12.4 million customer records stolen and published online
- This happened because hackers found a way to break into their computer systems
- It teaches us that when we share information with companies, we're trusting them to keep it safe
- Businesses need to be careful about which companies they share customer data with
What Is a Data Breach?
Imagine you write a secret note and give it to a friend to keep safe. You trust your friend to hide it where nobody else can find it.
A data breach is like someone breaking into your friend's house and finding that secret note. Now your secret isn't secret anymore.
When businesses use computers to store customer information — things like names, addresses, phone numbers, and email addresses — they have to keep it safe from hackers. A data breach happens when hackers break in and steal that information.
What Happened at CarGurus?
CarGurus is a website where people go to buy and sell cars. It's like a big online car marketplace where millions of people search for vehicles, compare prices, and apply for loans.
In February 2026, a group of hackers called ShinyHunters broke into CarGurus' computer systems and stole information about 12.4 million customers [1]. That's more people than live in entire countries like Switzerland or Austria!
The stolen information included:
- Names
- Email addresses
- Phone numbers
- Home addresses
- Some financing information [2]
Then the hackers did something scary: they published all this information online, where anyone could see it.
Why This Matters for Your Business
If you run a business, you probably share customer information with other companies. Here are some examples:
- Payment processors like Stripe or PayPal handle credit card information
- Email marketing tools like Mailchimp store customer email addresses
- CRM software like Salesforce keeps customer contact details
- Industry platforms might share customer data with partners
When you share information with these companies, you're trusting them to keep it safe. If one of them gets hacked — like CarGurus did — your customers' information could be exposed too.
Think of it like lending your favorite book to a friend. If your friend leaves it on the bus and someone takes it, you may not have been the careless one, but the loss is still yours, and you were the one who decided who to trust with it.
The "Key Under the Mat" Problem
Imagine you hide a spare key to your house under the doormat in case you lock yourself out. It's convenient, but it also means anyone who finds that key can get inside.
Many businesses share customer information with lots of different companies because it's convenient. Each company is like another key under the mat. The more keys you have, the more chances someone has to find one and break in.
Here's why this is risky:
You can't control someone else's security. You might have excellent locks on your doors, but if you give a key to someone who leaves theirs under a flowerpot, your house still isn't secure.
You might not know when something goes wrong. If a company you work with gets hacked, you might not find out until weeks or months later.
Your customers trust you, not your vendors. When customers give you their information, they're trusting YOU to keep it safe — even if you end up sharing it with other companies.
How to Protect Your Customers
You can't eliminate all risk — doing business online means sharing information sometimes. But you CAN be smart about which companies you trust with customer data.
Choose Partners Carefully
Before sharing customer information with any company, ask yourself:
- Do they really need this information to do their job?
- What happens to the information when they're done with it?
- Have they had security problems before?
- Do they have security certifications (like SOC 2 or ISO 27001)?
Share Only What's Necessary
If a newsletter service only needs email addresses, don't give them phone numbers too. If a payment processor only needs billing addresses, don't give them customer birthdays.
Think of it like this: if you're hiring a dog walker, you give them a key to your house — but not the code to your safe. They only need access to what they're actually helping with.
Make a Plan Before Something Happens
Waiting until after a breach happens to figure out what to do is like waiting until your house catches fire to buy a smoke detector.
Have a plan ready:
- Which customers do we need to notify?
- What do we tell them?
- How do we help them protect themselves?
- Who is responsible for what?
What Your Customers Can Do
If your customers' data was exposed in a breach (like the CarGurus one), here's what they should do:
- Change their passwords — especially if they used the same password on multiple websites
- Enable two-factor authentication — this adds an extra layer of security, like requiring both a password and a code sent to their phone
- Watch for suspicious messages — hackers might use stolen information to send fake emails or texts pretending to be from real companies
- Check their credit reports — if financial information was stolen, they should look for any accounts or loans they didn't open
The Big Lesson
The CarGurus breach teaches us something important: when you share information with another company, their security becomes YOUR security problem.
You wouldn't hand your wallet to someone you don't know and walk away. So be careful about which companies you hand your customers' information to — and what information you share.
Because when something goes wrong, your customers will look to YOU, not the company you trusted.
FAQ
Q: What is a data breach?
A data breach is when hackers break into a company's computer systems and steal information. It's like a burglar breaking into a house and stealing valuable items.
Q: What can hackers do with stolen information?
Hackers can use stolen information to pretend to be other people, access their accounts, or trick them into giving away more information (like passwords or bank details). They can also sell the information to other criminals.
Q: How can I tell whether a company will keep customer data safe?
Look for security certifications like SOC 2 or ISO 27001, ask about their security practices, and check if they've had breaches before. Companies that take security seriously will be happy to talk about it.
Q: What should I do if my information was exposed in a breach?
Change your passwords, enable two-factor authentication, watch for suspicious messages, and consider freezing your credit reports if financial information was exposed.
Q: Should we stop using third-party services altogether?
Not really — most businesses need to use some third-party services to operate. The goal is to choose carefully and share only what's necessary, not to eliminate all third parties.
References
[1] eSecurity Planet, "12.4 Million Accounts Exposed in CarGurus Leak," eSecurity Planet, March 2026. [Online]. Available: https://www.esecurityplanet.com/threats/12-4-million-accounts-exposed-in-cargurus-leak/
[2] Have I Been Pwned, "CarGurus Data Breach," Have I Been Pwned, 2026. [Online]. Available: https://haveibeenpwned.com/Breach/CarGurus
[3] BleepingComputer, "CarGurus Data Breach Exposes Information of 12.4 Million Accounts," BleepingComputer, March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/
Choosing the right partners is part of protecting your customers. Book a consultation at consult.lil.business to build a security strategy that covers your entire business ecosystem.