TL;DR

MFA alone no longer stops determined attackers. Throughout 2025 and early 2026, threat groups including ShinyHunters, Scattered Spider, and state-linked actors have bypassed multi-factor authentication using vishing, adversary-in-the-middle phishing, and OAuth token theft — targeting SaaS platforms, identity providers, and cloud consoles. Australian SMBs relying on push-based MFA without additional identity-layer controls are the softest target. Three practical defences — help-desk verification protocols, phishing-resistant MFA with number matching, and session token monitoring — close the gaps attackers are exploiting right now.

The Identity Breach Era: Why 2025-2026 Changed Everything

For years, the cybersecurity industry told small businesses one thing: turn on MFA and you're safe. That advice is now dangerously incomplete. From the casino floors of Las Vegas to the Microsoft 365 tenants of mid-market Australian firms, attackers have demonstrated — repeatedly — that MFA is a speed bump, not a wall.

Between 2023 and early 2026, a series of high-impact identity-layer breaches rewrote the threat landscape. The common thread: attackers didn't break encryption or crack passwords. They manipulated trust chains — the human and technical assumptions that sit between authentication steps. For Australian SMBs running Microsoft 365, Google Workspace, or SaaS-heavy stacks, these tactics are being deployed at scale right now.

Three Breaches That Redefined the Identity Threat

1. Scattered Spider and the Help-Desk Kill Chain (2023, Still Active)

In September 2023, the ALPHV/BlackCat ransomware gang — working with a loosely organised social-engineering collective known as Scattered Spider — breached MGM Resorts and Caesars Entertainment. The attack didn't start with malware. It started with a phone call.

Attackers researched employees on LinkedIn, called the internal IT help desk, impersonated those employees, and convinced support staff to reset MFA tokens and enrol new devices. Once inside the Okta environment, they moved laterally into financial systems and guest services. MGM estimated losses of over $100 million. Caesars reportedly paid a $15 million ransom.

How MFA failed: The help desk was the MFA bypass. No credential was stolen; the attackers exploited trust instead. This technique, known as vishing (voice phishing), remains the most reliable way into an otherwise well-defended identity environment.

Mandiant's January 2026 disclosure of new ShinyHunters activity (tracked as UNC6661 and UNC6671) confirmed this pattern is accelerating. Attackers posed as IT staff, directed employees to credential-harvesting sites styled to match the victim's own company, and captured both SSO credentials and one-time MFA codes in real time. Once armed with valid sessions, they registered attacker-controlled devices for MFA, exfiltrated SharePoint and OneDrive data, and launched extortion campaigns. Okta confirmed customer accounts were compromised.

2. Storm-0558 and the Microsoft Signing Key Compromise (2023)

In mid-2023, a Chinese state-linked actor tracked as Storm-0558 gained access to Outlook Web Access and Exchange Online across dozens of organisations — including US government agencies — by compromising a Microsoft consumer signing key. The attacker forged OAuth tokens that appeared to have been signed by Microsoft's own Entra ID infrastructure.

How MFA failed: The forged tokens were cryptographically valid. Microsoft's own systems trusted them. No MFA prompt was triggered because, from the identity provider's perspective, the token had already been issued legitimately. The breach exposed a fundamental truth: if the signing key trust chain is compromised, every downstream MFA-dependent system becomes irrelevant.

3. EvilProxy, Tycoon, and the Industrialisation of AiTM Phishing (2024-2026)

Adversary-in-the-middle (AiTM) phishing has exploded. Kits like EvilProxy and Tycoon sit between the victim and the legitimate login page — Microsoft 365, Google Workspace, Okta — and capture both the password and the session token issued after successful MFA completion. The victim completes MFA. The attacker receives the token. The victim sees a legitimate-looking post-login redirect. Nobody notices until data is exfiltrated.

Obsidian Security reported that token theft accounted for 31% of Microsoft 365 breaches in 2025, surpassing traditional credential compromise. Nearly 40,000 AiTM incidents were detected daily across Microsoft environments — a 146% increase. The stolen token grants access without re-triggering MFA because the system treats it as an already-authenticated session. Password resets, MFA invalidation, and even account suspension (in some implementations) do nothing — the token survives until explicitly revoked.

Three Defences Australian SMBs Can Deploy This Month

These are not enterprise-only controls. They work for five-person consultancies and 200-person manufacturers alike.

1. Help-Desk Verification Protocols (Stops Vishing Dead)

Scattered Spider and ShinyHunters succeeded because help desks trusted a voice on the phone. Implement a two-channel verification rule: no MFA reset, device enrolment, or password change over the phone without a second verification channel. Require a live video call where the person holds up photo ID, or use a pre-registered mobile number callback. If your IT support is outsourced, this rule must be contractual. Document every identity-reset event and flag any request that arrives outside business hours — that's when Mandiant observed most ShinyHunters-style activity.

2. Number Matching and Phishing-Resistant MFA (Kills AiTM)

Push-based MFA (tap "Approve" on your phone) and SMS codes are phishing-prone. Attackers can relay both. Implement number matching in Microsoft Authenticator: the user must type a two-digit number displayed on the login screen into their authenticator app. This breaks the AiTM relay because the attacker's proxy can't display the number in the victim's context without the victim noticing.

Even stronger: deploy FIDO2 security keys or passkeys. These are cryptographically bound to the login domain — a phishing proxy for login.microsoftonline.com cannot replay a FIDO2 assertion to the real service. Google's Advanced Protection Program and Microsoft's phishing-resistant MFA policies both support this at no additional licence cost for most M365 Business Premium tenants.
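The domain binding described above is enforced by the relying party when it checks a WebAuthn assertion. The following is an added illustration, not code from this post or from Microsoft: it performs the origin, challenge and RP ID hash checks from the WebAuthn verification procedure against constructed client data, using the page's example host login.microsoftonline.com and a constructed lookalike proxy host. Signature verification with the registered public key is the final step and is not shown.

```python
import hashlib
import json

# Assumed relying party: the page's own example host, login.microsoftonline.com.
EXPECTED_ORIGIN = "https://login.microsoftonline.com"
EXPECTED_RP_ID = "login.microsoftonline.com"

def build_client_data(origin: str, challenge: str) -> bytes:
    """Constructed stand-in for clientDataJSON. The browser, not the page,
    writes the origin field, using the origin of the page that called
    navigator.credentials.get(); a page served by a proxy gets the proxy's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def build_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: 32-byte SHA-256 of the RP ID, one flags
    byte (user presence and user verification set) and a 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")

def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion verification procedure.
    Verifying the signature over authenticatorData || SHA-256(clientDataJSON)
    with the registered public key comes after these checks and is not shown."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # The check a phishing proxy cannot get past: the origin the victim's
        # browser was on is baked into the data the authenticator signed.
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    challenge = "c29tZS1zZXJ2ZXItY2hhbGxlbmdl"   # constructed; real ones are random per login
    auth_data = build_authenticator_data(EXPECTED_RP_ID)
    # Genuine login: the user's browser is on the real origin.
    genuine = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                               auth_data, challenge)
    # AiTM relay: the victim's browser is on the proxy's lookalike host (constructed
    # name), so the signed client data names that origin. A browser would already
    # refuse to produce an assertion for this RP ID from that origin; the server-side
    # check is the second line of defence.
    relayed = verify_assertion(
        build_client_data("https://login.microsoftonline.com.evil-proxy.test", challenge),
        auth_data, challenge)
    return genuine, relayed
```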

3. Session Token Monitoring and Admin Activity Alerting (Catches What Gets Through)

If a token is stolen, you need to detect its use, not its theft. Configure alerting for:

  • Impossible travel: A session token used from Melbourne, then from Lagos within 10 minutes.
  • Unfamiliar IP ranges or User-Agent strings: Attackers often use commodity VPS or residential proxy networks that differ from your normal patterns.
  • Admin role assignment or privileged activity outside business hours: ShinyHunters actors registered MFA devices and created mailbox rules at 2:00 AM local time. Microsoft 365 Unified Audit Log and Entra ID sign-in logs surface this — but you must configure the alerts.

SaaS security posture management tools (many with free tiers for under 50 seats) automate this for Microsoft 365 and Google Workspace. The Australian Signals Directorate's Essential Eight explicitly calls for event logging and anomaly detection at Maturity Level 2 and above.
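The first and third alert conditions above (impossible travel, and privileged activity outside business hours) can be checked directly over an export of sign-in and audit events. This is an added example, not code from this post or from any product it names: it runs both rules over a constructed log export in the shape of (user, UTC time, source IP, geo-IP coordinates, operation). The time zone, business hours, speed threshold and the set of privileged operation names are assumptions to adjust for your tenant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

LOCAL_TZ = timezone(timedelta(hours=11))   # assumption: Melbourne, AEDT
BUSINESS_HOURS = range(8, 18)               # assumption: 08:00-17:59 local
MAX_PLAUSIBLE_KMH = 1000.0                  # faster than any airliner
# Audit operations treated as privileged (assumed names, matching the page's
# examples of mailbox rules, MFA device registration and role assignment).
PRIVILEGED_OPS = {"New-InboxRule", "Set-InboxRule", "Add member to role.",
                  "Add registered users to device."}

# Constructed sample export: (user, UTC time, source IP, geo-IP lat, lon, operation).
SAMPLE_EVENTS = [
    ("alice@example.com.au", "2026-01-14T01:05:00Z", "203.0.113.10", -37.81, 144.96, "UserLoggedIn"),
    ("alice@example.com.au", "2026-01-14T01:12:00Z", "198.51.100.7", 6.52, 3.38, "UserLoggedIn"),
    ("alice@example.com.au", "2026-01-14T15:04:00Z", "198.51.100.7", 6.52, 3.38, "New-InboxRule"),
    ("bob@example.com.au", "2026-01-14T23:30:00Z", "203.0.113.10", -37.81, 144.96, "UserLoggedIn"),
    ("bob@example.com.au", "2026-01-15T01:30:00Z", "203.0.113.11", -37.81, 144.96, "Add member to role."),
]

@dataclass
class Event:
    user: str
    time: datetime
    ip: str
    lat: float
    lon: float
    operation: str

def parse(row: tuple) -> Event:
    user, ts, ip, lat, lon, op = row
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(user, when, ip, lat, lon, op)

def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance between two geo-IP points."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events: list) -> list:
    """Returns (rule, user, detail) tuples, in time order, for the two rules."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.time):
        prev = last_seen.get(ev.user)
        if prev and prev.ip != ev.ip:
            hours = (ev.time - prev.time).total_seconds() / 3600
            km = haversine_km(prev, ev)
            # A non-zero distance in zero time is also impossible; this avoids dividing by zero.
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                alerts.append(("impossible_travel", ev.user, f"{km:.0f} km in {hours * 60:.0f} min"))
        local_hour = ev.time.astimezone(LOCAL_TZ).hour
        if ev.operation in PRIVILEGED_OPS and local_hour not in BUSINESS_HOURS:
            alerts.append(("offhours_privileged", ev.user, f"{ev.operation} at {local_hour:02d}:00 local"))
        last_seen[ev.user] = ev
    return alerts
```

Bob's second event comes from a different IP but the same location during business hours, so it raises nothing; only Alice's Lagos login and 02:00 local mailbox rule are flagged.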

FAQ

Q: We already use Microsoft Authenticator. Isn't that enough?

Not if you're using simple push approval. Number matching is a separate configuration in the Authenticator app policy — turn it on in the Entra ID admin centre under Security > Authentication Methods. It takes ten minutes and closes the most common AiTM relay vector.

Q: We're a small business — why would anyone target us specifically?

Most identity attacks are automated and opportunistic. AiTM phishing kits don't care who you are; they deploy at scale against every harvested credential. ShinyHunters targeted cryptocurrency and tech firms, but their techniques work identically against any Microsoft 365 or Google Workspace tenant. Small businesses are targeted because they're undefended, not because they're high-profile.

Q: How do I verify my outsourced IT provider follows these protocols?

Ask them to document their help-desk identity verification process in writing. Request confirmation that number matching is enabled across all accounts, and that sign-in logs from unfamiliar locations generate alerts. If they can't answer within 24 hours, treat it as a gap. The ACSC's Small Business Cyber Security Guide recommends annual third-party reviews of managed service providers — at minimum.

Q: What if we can't afford hardware security keys?

Passkeys stored in your device's biometric enclave (Windows Hello, Apple Touch ID/Face ID, Android biometric) are phishing-resistant and free. Deploy them as the preferred method alongside number matching for fallback. The goal is removing push and SMS as primary MFA — start there.

Conclusion

The identity layer is the new perimeter, and it's under sustained assault. MFA bought years of protection, but the threat has evolved — attackers now target the gaps between authentication steps: the help desk, the signing key trust chain, and the session token. Australian SMBs that layer help-desk verification protocols, phishing-resistant MFA with number matching, and session token alerting close those gaps without enterprise-level budgets.

Every week without these controls is a week your MFA is theatre, not defence.

Next step: Visit consult.lil.business for a free 30-minute cybersecurity assessment tailored to Australian SMBs. Get your identity-layer controls reviewed before an attacker does it for you.

References

  1. Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms — The Hacker News, January 2026

  2. Token-Based Attacks: How Attackers Bypass MFA — Obsidian Security, February 2026

  3. Identity is the New Perimeter — How Attackers Bypass MFA in 2026 — Security In 45

  4. OAuth Token Theft: Why Your SSO and MFA Won't Save You — OpSec Forge, 2026

  5. Inside an AI-Enabled Device Code Phishing Campaign — Microsoft Security Blog, April 2026

  6. Abusing Trust: OAuth, SSO, and Identity as the New Attack Surface — Cynox Security (Medium)

Your Business Lock Just Got Picked — And Your Alarm Code Didn't Help

Explained Like You're 10

TL;DR

  • Hackers have figured out how to let you unlock your own door — and then sneak in behind you, even with a two-step security code
  • A new report found that criminals spend an average of 68 days hiding inside a business's systems before being caught [1]
  • There are three simple improvements that close these gaps — and most businesses can start today

Your Digital Front Door Has a New Problem

Imagine you have a house with a really good lock. To get in, you need both a key and a secret code you get on your phone. This is basically what "multi-factor authentication" (MFA) is — two things to prove it's really you.

For years, that was great protection. But criminals figured out a clever trick.

The trick: They set up a fake copy of your front door, right in front of the real one. When you unlock the real door and enter your code, they're watching — and they quickly grab an invisible copy of your "this person is already inside" wristband before you even notice. Then they walk into your real house using that copy wristband, even though they never had your key or your code.

That's what security experts call an adversary-in-the-middle attack. Your alarm code still worked. You did everything right. They got in anyway.


What's Actually Happening Out There

A company called CyberCX looked at more than 100 real cyberattacks they helped businesses recover from in 2025 [1]. Here's what they found:

Criminals are hiding for almost 3 months. The average time between "criminal gets in" and "business notices something is wrong" was 68 days in 2025 — up from 24 days the year before. That's like having an uninvited guest living in your attic for two months while you go about your normal life.

Money-focused criminals are the biggest threat. Almost 6 out of every 10 attacks were by people just trying to steal money — not governments, not spies, just criminals treating your business like a piggy bank.

Banks and finance companies are now the #1 target. About 1 in every 5 attacks CyberCX responded to hit a financial or insurance business. That's because wherever money data lives, criminals follow.


What Criminals Do With 68 Days of Hiding

This is the part most people don't think about.

If a criminal gets into your business systems and you don't notice for 68 days, they're not just sitting there doing nothing. Think of it like a very patient burglar who got into your shop after closing:

  • Week 1-2: They're quietly exploring. Finding where you keep the valuables, mapping out every room.
  • Week 3-6: They're copying files. Customer records. Financial data. Staff details.
  • Week 7-10: They're setting up ways to stay even if you change the locks.

Then on day 68 — or whenever they feel ready — they flip the switch. They lock you out of your own systems and demand payment to let you back in. And they tell you they've also made a copy of everything they found, and they'll publish it publicly unless you pay extra.

This is called cyber extortion, and according to CyberCX, it's now the most common type of cyberattack businesses face [1].


The 3 Things That Actually Fix This

Think of these as three overlapping safety nets. Each one stops a different part of the attack.

Safety Net 1: Better Passwords (Stop Them Getting In)

The most common way criminals get their initial access is through stolen passwords — often ones leaked from a completely different website you signed up to years ago. They try that same password on your business email, and it works.

What to do:

  • Use a password manager (like Bitwarden — free, or the one built into your iPhone/Android) so every account has a unique, random password
  • If you're a Microsoft 365 business, check if your admin account has "Entra ID" breach alerts turned on
  • This one change closes the door for most entry attempts

Safety Net 2: The Right Kind of Two-Factor Login (Stop Them Faking You)

Not all two-step logins are equal. The old style (a code sent to your phone) can be intercepted by the wristband trick we described earlier. The new style, called passkeys or FIDO2, can't be copied — it's mathematically tied to the exact website you're logging into, so a fake site can never get a usable copy.

What to do:

  • Turn on passkeys for your most important accounts (Google, Microsoft, and major banks all support them now)
  • For accounts that don't support passkeys yet, use an app-based authenticator (Microsoft Authenticator or Google Authenticator) rather than SMS codes
  • Budget $30–80 per hardware security key if you have staff who access sensitive admin systems

Safety Net 3: Watch for Weird Behaviour (Catch Them If They Sneak In)

Even if a criminal gets past the first two nets, you can still catch them because they'll behave differently to your normal staff.

What to do:

  • In Microsoft 365 or Google Workspace, look in your admin panel for "sign-in risk alerts" or "suspicious activity" — these are often already turned on, just not being checked
  • Set up a rule that blocks logins from countries you don't do business in
  • Once a month, spend 10 minutes looking at your admin account's recent login history — an unexpected location or 3am login is a red flag

What This Saves You

The average cost of recovering from a cyber extortion attack for a small business runs into the hundreds of thousands of dollars — forensics, legal fees, staff overtime, lost customers, and sometimes the ransom itself [6].

The three safety nets above? They can be set up in stages. The first one (password manager) is free. The second (passkeys) costs nothing for consumer-grade accounts. The third (monitoring) is already included in most business Microsoft 365 or Google Workspace subscriptions — you just have to turn it on.

A fitness trainer doesn't make you weak — they make you harder to knock over. That's exactly what this does for your business. You keep running, your clients stay protected, and criminals move on to easier targets.


FAQ

Q: Is MFA still worth having?

Yes, absolutely — it still stops the vast majority of attacks. The wristband trick we described requires a lot of extra effort by the attacker. MFA is still an important layer. The point is that it should not be your only layer, and where possible, upgrading to passkeys is worth it.

Q: We're a small business. Why would criminals bother with us?

Most attacks are automated — criminals run software that scans millions of businesses at once looking for open doors. They're not targeting you specifically; they're targeting anyone who hasn't locked their door. Small businesses often have less protection, which ironically makes them more common targets, not less [2].

Q: What exactly is cyber extortion?

Cyber extortion is when a criminal gets into your systems, locks you out, and demands payment — like changing the locks on your own business and leaving a note saying "pay us to get the key back." Modern versions add a threat to publish your confidential data publicly if you don't pay.

Q: How do we find out if our passwords have already been leaked?

Visit haveibeenpwned.com and enter your business email addresses. If they appear in known breaches, change those passwords immediately. For ongoing monitoring, check if your Microsoft 365 subscription includes dark web credential alerts.

Q: What's the first thing we should do today?

Open your password manager (or download a free one like Bitwarden), change your business email and banking passwords to unique randomly-generated ones, and turn on an authenticator app. This takes about 20 minutes and closes the single biggest door criminals use.


References

[1] CyberCX, "CyberCX 2026 Threat Report," CyberCX, Mar. 2026. [Online]. Available: https://cybercx.com.au/resources/

[2] Australian Signals Directorate, "ASD Annual Cyber Threat Report 2023-24," Australian Signals Directorate, 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/asd-cyber-threat-report-july-2023-june-2024

[3] CISA, "Implementing Phishing-Resistant MFA," Cybersecurity and Infrastructure Security Agency, 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/phishing-resistant-mfa

[4] The Hacker News, "Starkiller Phishing Suite Uses AiTM Reverse Proxy to Bypass MFA," The Hacker News, Mar. 2026. [Online]. Available: https://thehackernews.com/2026/03/starkiller-phishing-suite-uses-aitm.html

[5] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] SecurityBrief Australia, "Cyber extortion tops 2025 attacks as AI risks escalate," SecurityBrief AU, Mar. 3, 2026. [Online]. Available: https://securitybrief.com.au/story/cyber-extortion-tops-2025-attacks-as-ai-risks-escalate

[8] Microsoft, "Microsoft Digital Defense Report 2025," Microsoft Security, 2025. [Online]. Available: https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025


Not sure if your business authentication is actually secure? Book a free 30-minute security review with lilMONSTER and we'll check your setup together — plain English, no jargon, no sales pitch.
