TL;DR
SMS-based MFA is no longer a safe control. SIM swapping and adversary-in-the-middle (AiTM) phishing kits such as Evilginx and Tycoon 2FA bypass it, and they bypass ordinary authenticator codes and push approvals just as easily. This checklist walks Australian SMBs through moving to phishing-resistant MFA (FIDO2 security keys and passkeys), with Microsoft Authenticator number matching as an interim baseline, and through deploying six conditional access policies that lock down Microsoft Entra ID and Google Workspace without an enterprise budget.
Why SMS and Phone-Call MFA Are No Longer Safe
For years, multi-factor authentication meant "enable SMS codes and move on." That era is over. Two attack methods have made SMS and voice-call MFA unreliable for any business handling sensitive data:
SIM swapping. An attacker convinces your telco to port your mobile number to a SIM card they control. Once the number transfers, every SMS code lands on their phone. Australian telcos must verify identity before a port, but that verification step is exactly what the attacker social-engineers, so treat it as a speed bump rather than a fix. The ACSC has repeatedly warned that SIM-swapping attacks are rising, targeting businesses with valuable accounts: cloud admin portals, email, banking.
Adversary-in-the-middle (AiTM) phishing. Kits such as Evilginx and Tycoon 2FA (sold as phishing-as-a-service) run a reverse proxy that sits between your staff and the real login page. The employee enters their username, password and MFA code on what looks like the legitimate site; the proxy relays everything to the real service in real time, captures the session cookie the service issues, and the attacker loads that cookie into their own browser. No second factor is needed after that. SMS codes, authenticator app codes and push approvals (with or without number matching) all fall to this attack, because the attacker simply relays whatever the victim sees and types.
Maturity Level 2 of the ACSC's Essential Eight requires that MFA used by staff for an organisation's online services be phishing-resistant. If your business handles anything sensitive (client data, financial systems, government contracts), SMS is a compliance gap, not a security control.
Phishing-Resistant MFA Options for SMBs
FIDO2 security keys (YubiKey 5 series). The gold standard. A physical USB or NFC key signs a challenge from the service, and the browser includes the origin it actually connected to in the signed data and will only use a credential registered for that domain. A proxy on a look-alike host therefore never receives an assertion it can replay. Cost: around AUD 70–90 per key. Give every admin and high-privilege account one, register a backup key for each, and store the backup securely.
Passkeys (platform-built-in FIDO2). Windows Hello, Touch ID, Face ID and Android biometric unlock can all act as FIDO2 authenticators, with the same origin binding as a hardware key. Synced passkeys travel across devices via the platform's cloud (iCloud Keychain, Google Password Manager), which makes them the easiest path for staff: no hardware to lose, no app to install. The trade-off is that a synced passkey is only as safe as the Apple or Google account it syncs through, so those accounts need strong authentication too. Both Entra ID and Google Workspace support passkeys natively in 2026.
Microsoft Authenticator with number matching. If you are not ready for hardware keys or passkeys, this is your interim baseline, but understand what it does and does not stop. Number matching makes staff type the number shown on the login screen into their phone, which defeats MFA fatigue (push bombing): an attacker who has only the password cannot see the number the legitimate prompt expects. It does not defeat an AiTM proxy, because the victim sees the number on the proxied page and types it in. Microsoft now enforces number matching for Authenticator push in Entra ID; confirm it in the Authentication methods policy rather than assuming it.
What to deprecate. Disable SMS, voice calls and any push method that can run without number matching across all tenant accounts. In Entra ID, do this in the Authentication methods policy; in Google Workspace, under Security > Authentication > 2-Step Verification you can restrict allowed methods up to "only security key". Do not leave weaker methods available as fallbacks, because an attacker will simply pick the weakest one offered.
Conditional Access: Your Six-Policy Starter Pack
Conditional access evaluates every login attempt against rules you define before granting access. Think of it as a bouncer that checks ID, dress code and the guest list at the same time. Below is a six-policy starter pack covering both Entra ID and Google Workspace (where the equivalent is Context-Aware Access plus the security settings named under each policy). Two rules apply to all six: create each policy in report-only mode first and read the sign-in logs before you enforce it, and exclude one dedicated emergency-access (break-glass) account, protected by its own security key and monitored for use, so a mistake cannot lock you out of your own tenant.
Policy 1: Block legacy authentication. Legacy protocols (IMAP, POP, SMTP basic auth, older Office desktop apps) do not support modern MFA, so a password alone gets in, and attackers spray these endpoints endlessly. Block them entirely. In Entra ID: Conditional Access > New policy > Conditions > Client apps > Legacy authentication clients (Exchange ActiveSync clients and Other clients), grant control Block. Microsoft has already retired basic auth for most Exchange Online protocols, but SMTP AUTH and third-party mail clients still turn up in sign-in logs, so check what is in use before you flip the switch. Google Workspace retired its "Less secure apps" basic-auth setting in 2024; what remains is IMAP/POP access via app passwords and third-party OAuth apps, so turn off POP and IMAP access for organisational units that do not need it (Apps > Google Workspace > Gmail > End User Access) and review Security > Access and data control > API controls.
Policy 2: Require MFA for all admin-role sign-ins. Every account with a privileged role (Global Administrator, Security Administrator, User Administrator, or equivalent) must complete MFA at every sign-in. In Entra ID, use the "Require authentication strength" grant control set to the built-in phishing-resistant MFA strength rather than plain "Require multifactor authentication", so that a registered SMS method can never satisfy the policy for an admin. No exceptions, and no remember-me exemptions longer than 24 hours.
Policy 3: Require compliant or managed devices. Only allow sign-ins from devices enrolled in your MDM (Intune or Google endpoint management). A compliant device has a PIN or biometric lock, disk encryption enabled and an up-to-date OS. This matters against AiTM as well: a stolen password, code or session cookie is only useful to the attacker if they can replay it from their own machine, and their machine cannot present your tenant's device compliance claim. In Google Workspace this is a Context-Aware Access level requiring endpoint verification.
Policy 4: Geofence sign-in locations. If your team works from Australia with occasional overseas travel, create named locations for Australia and the countries staff actually visit and block everything else (Entra ID: Conditional Access > Named locations; Google: a Context-Aware Access level on geographic origin). Treat this as a tripwire rather than a wall: phishing kits increasingly route the attacker's session through Australian residential proxies, so a blocked-country sign-in is a signal to investigate, and an allowed-country sign-in is not proof of safety. Review the allow-list quarterly.
Policy 5: Session timeout and re-authentication. Set maximum session lengths. For admin portals, force re-authentication every 4 hours; for regular user sessions, 12–24 hours is reasonable. In Entra ID, configure sign-in frequency under Session controls. In Google Workspace, set the session length under Security > Access and data control > Google session control. Shorter sessions also limit how long a session cookie stolen by an AiTM proxy stays useful.
Policy 6: Block risky sign-ins automatically. Enable risk-based protection (Entra ID Protection, or Google Workspace login challenges, which are on by default). When the system detects impossible travel, an unfamiliar network or leaked credentials, block the sign-in or require a phishing-resistant authentication strength. This is your safety net for the edge cases your static rules miss. Licensing caveat: the sign-in risk and user risk conditions in Entra conditional access require Entra ID P2, which is not included in Microsoft 365 Business Premium (that bundle carries Entra ID P1), so budget for the P2 add-on or rely on Policies 1 to 5 plus log review.
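Before enforcing any of these policies, read your sign-in logs for what they would have blocked. The script below is an added example (not from the original article, and not a Microsoft tool) that triages Entra ID sign-in records in the Microsoft Graph `signIn` JSON shape, the format the admin centre's sign-in log download produces, and reports what Policies 1, 4 and 6 would have caught: legacy authentication clients, sign-ins from outside an assumed allow-list of AU and NZ, and impossible travel between consecutive sign-ins. The records are constructed for the demo; the `clientAppUsed` values, `location.countryOrRegion` and `location.geoCoordinates` fields follow Graph's schema, and the 900 km/h threshold, the helper names and the user principal names are ours.

```python
"""Sign-in log triage for the six-policy starter pack.

Added example, not from the original article: reads Entra ID sign-in records in
the Microsoft Graph `signIn` JSON shape and reports what Policies 1, 4 and 6
would have caught. Sample records below are constructed, not real log data."""
import math
from collections import defaultdict
from datetime import datetime

# clientAppUsed values that Microsoft's sign-in log documentation classes as
# legacy authentication; extend from the docs if your tenant shows others.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}
ALLOWED_COUNTRIES = {"AU", "NZ"}   # assumed allow-list for this tenant (Policy 4)
MAX_SPEED_KMH = 900.0              # faster than an airliner means impossible travel

def _signin(user, when, app, country, lat, lon, error_code=0):
    """Build one constructed record in the Graph signIn shape."""
    return {"userPrincipalName": user, "createdDateTime": when, "clientAppUsed": app,
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}},
            "status": {"errorCode": error_code}}

SAMPLE_SIGNINS = [  # constructed sample data; Sydney, Lagos, Melbourne, Wellington
    _signin("alice@example.com.au", "2026-03-02T01:00:00Z", "Browser", "AU", -33.87, 151.21),
    _signin("alice@example.com.au", "2026-03-02T01:40:00Z", "Browser", "NG", 6.45, 3.39),
    _signin("bob@example.com.au", "2026-03-02T02:00:00Z", "IMAP4", "AU", -37.81, 144.96),
    _signin("bob@example.com.au", "2026-03-02T02:30:00Z", "Browser", "AU", -37.81, 144.96),
    _signin("carol@example.com.au", "2026-03-02T03:00:00Z", "Browser", "NZ", -41.29, 174.78),
    _signin("carol@example.com.au", "2026-03-02T09:00:00Z", "Browser", "AU", -33.87, 151.21),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def _when(rec):
    # Graph timestamps are ISO 8601 with a trailing Z; make them timezone-aware.
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def triage(signins, allowed_countries=ALLOWED_COUNTRIES, max_speed_kmh=MAX_SPEED_KMH):
    """Return findings keyed by policy; every finding is a tuple starting with the UPN."""
    findings = {"legacy_auth": [], "blocked_country": [], "impossible_travel": []}
    by_user = defaultdict(list)
    for rec in signins:
        user = rec["userPrincipalName"]
        by_user[user].append(rec)
        if rec.get("clientAppUsed") in LEGACY_CLIENTS:            # Policy 1
            findings["legacy_auth"].append((user, rec["clientAppUsed"]))
        country = rec.get("location", {}).get("countryOrRegion")
        if country and country not in allowed_countries:         # Policy 4
            findings["blocked_country"].append((user, country))
    for user, recs in by_user.items():                            # Policy 6
        # Only successful sign-ins prove the credential worked somewhere.
        recs = sorted((r for r in recs if r["status"]["errorCode"] == 0), key=_when)
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = max((_when(cur) - _when(prev)).total_seconds() / 3600, 1 / 60)
            if km / hours > max_speed_kmh:
                findings["impossible_travel"].append(
                    (user, prev["location"]["countryOrRegion"],
                     cur["location"]["countryOrRegion"], round(km / hours)))
    return findings

if __name__ == "__main__":
    for policy, hits in triage(SAMPLE_SIGNINS).items():
        print(policy, hits or "no findings")
```

Run against a real export, the legacy-auth list tells you which mailboxes still need migrating off IMAP or an old mail client before Policy 1 goes live, and the impossible-travel list is the same signal Entra ID Protection sells back to you at the P2 tier: Alice's Sydney-to-Lagos hop in forty minutes is flagged, Carol's Wellington-to-Sydney six hours later is not. Note that carol's trip is within the allow-list and at a plausible speed, which is why neither check fires for her.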
FAQ
Q: We only have five staff. Is conditional access overkill? A: No. Attackers do not discriminate by company size. Automated phishing campaigns target every Microsoft 365 and Google Workspace tenant equally. A five-person accounting firm with client tax file numbers is a high-value target.
Q: Do we need YubiKeys for every employee? A: Start with passkeys and Microsoft Authenticator with number matching. Reserve hardware keys for admin accounts and anyone handling financial or client-privileged data. You can phase in hardware keys over a quarter.
Q: What if a staff member loses their YubiKey? A: Register two keys per account: one primary, one backup stored in a locked drawer or safe. If both are lost, do not exempt the account from MFA. In Entra ID, issue a Temporary Access Pass (a short-lived, single-use code an admin generates) so the user can sign in once and register a replacement key; in Google Workspace, use the backup codes generated at enrolment, then revoke the lost key from the user's security settings.
Q: How much does this cost for a small business? A: Conditional access requires Microsoft 365 Business Premium (around AUD 33/user/month, which includes Entra ID P1) or Google Workspace Business Plus (the lowest tier with Context-Aware Access; check current Australian pricing). Risk-based policies in Entra (Policy 6) need the Entra ID P2 add-on on top of that. YubiKeys are a one-time AUD 70–90 each. The cost of a single business email compromise is far higher.
Conclusion
MFA without conditional access is a locked door with the key under the mat. Upgrade from SMS to phishing-resistant authentication, deploy the six-policy starter pack, and you close the most common attack paths against Australian SMBs — without enterprise infrastructure or budget.
Visit consult.lil.business for a free cybersecurity assessment tailored to your business.
References
- ACSC Essential Eight Maturity Model
- Microsoft Entra ID Conditional Access Documentation
- NIST SP 800-63B Digital Identity Guidelines — Authentication and Lifecycle Management
- Google Workspace Security Best Practices
TL;DR
- Some bad people use AI to pretend to be computer workers and get hired by companies
- They use robot voices, fake photos, and computer-generated resumes
- They don't actually do the work—they steal secrets
- Companies need new ways to check if people are who they say they are
What's Happening?
Imagine this: Someone sends a job application to a company. They have a nice photo, a good resume, and they do great in the interview. The company hires them.
But there's a problem: That person doesn't really exist.
A group of bad people used AI (artificial intelligence) to create a fake person, trick the company, and get hired. Then they use their job to steal secrets and money.
This is happening RIGHT NOW with computer programming jobs.
Who's Doing This?
Microsoft (a really big computer company) found out that some people from North Korea are doing this [1]. They use special names:
- Jasper Sleet
- Coral Sleet (used to be called Storm-1877)
They're like teams of tricksters using computers to fake being workers.
How Do They Trick Companies?
Step 1: Creating a Fake Person
They use AI to make everything up:
- Fake names - The computer suggests names that sound real
- Fake photos - Computer-generated pictures that look like real people
- Fake resumes - Computer-written work history that looks perfect for the job
- Fake emails - Email addresses that match the fake name
It's like playing dress-up, but with computers instead of clothes.
Step 2: Tricking the Interview
When it's time for a video call, they use special tricks:
- Robot voices - Computers that change their voice to sound like someone else
- Chat helper - AI that helps them answer questions during the interview
- Maybe pre-recorded videos - Sometimes they just play a video instead of talking live
The company thinks they're talking to a real person. But they're actually talking to a trickster using computer tools.
Step 3: Getting Hired (and Stealing)
Once they're "hired":
- They get paid salary money (which goes to the bad people)
- They get access to company computers and secrets
- They steal important information
- They sell passwords or secrets to other bad people
They might do a little work—using AI to help them write computer code so they don't get caught. But the real goal is stealing, not working. [1]
Why Can't Companies Tell They're Fake?
Good question! Here's why regular background checks don't work:
- Background check passes - Fake people have no criminal history because they don't exist!
- References check - Fake references from computer-made people
- Skills test passes - AI helps them answer technical questions
- Looks normal on video - Computer voices and fake photos look real
It's like a really, really good costume.
Signs Someone Might Be Fake
Microsoft found some clues that can give away fake workers [1]:
Weird Things in Their Computer Code
- Using emoji, such as checkmarks, inside code
- Writing comments that sound like they're explaining themselves too much
- Using way too many complicated words for simple things
- Code that's more complicated than it needs to be
Weird Things About Their "Life"
- Hardly any photos or posts on social media before a certain date
- The same face shows up with slightly different names
- Jobs or schools that are hard to check really exist
- Generic stories that could be about anyone
Weird Things When Working
- Working at strange hours
- Asking for access to things they don't really need
- Moving files around for no clear reason
- Doing very little real work
How Companies Can Stay Safe
Good companies are fighting back with new rules:
Better Checking
- Multiple video calls - Not just one interview, but lots of talking
- Real work tests - Watch them actually do work, not just answer questions
- Meeting in person - Sometimes you just have to see someone face-to-face
- Checking their whole internet life - Seeing if they exist in more than one place online
Watching for Weird Stuff
- Strange computer access - Looking at files they shouldn't need
- Weird hours - Working at 3am when nobody else is awake
- Moving data around - Sending files to places they shouldn't go
Being Extra Careful
- Not giving too much power - Only giving access to what they really need
- Checking on contractors too - Not just full-time workers, but anyone with access
- Using computers to watch computers - AI helpers that look for fake workers
What Does This Mean for Us?
This might sound scary, but here's the good news:
- Smart people are figuring this out - Companies like Microsoft are finding these tricks
- Better rules are being made - New ways to check if people are real
- Good AI is fighting bad AI - Using computer helpers to catch the tricksters
And for us regular people:
- Learn about internet safety - Knowing tricks helps you avoid them
- Build real relationships - Fake people can't do friendship or teamwork well
- Ask questions - If something seems weird, it's okay to ask why
FAQ for Curious Kids
They try! But the fake people are really good at tricking. It's like when someone wears a really good Halloween costume—you can't tell who's underneath until they take it off.
Yes! Microsoft found thousands of fake accounts and stopped them [1]. But the bad people keep trying new tricks.
Maybe. That's why companies are being extra careful now. It's like locking doors—not because you expect burglars, but because you want to be safe.
No, AI is just a tool. Think of it like a hammer. You can use a hammer to build a birdhouse OR break a window. AI can help bad people do bad things, but it also helps good people catch them!
TELL A GROWNUP. Don't try to figure it out yourself. If someone online seems weird or too good to be true, that's a grownup problem to solve.
Remember
The internet has good people and bad people, just like the real world. The difference is:
- Real world - You can see people's faces
- Online world - People can hide who they really are
That's why we need to be extra careful and use smart rules to stay safe.
Want to learn more about staying safe online? Ask your parents or teachers about internet safety, or check out resources from CISA—they're the experts on keeping computers safe!
Sources
Microsoft Security Blog. "AI as tradecraft: How threat actors operationalize AI." https://www.microsoft.com/en-us/security/blog/2026/03/06/ai-as-tradecraft-how-threat-actors-operationalize-ai/
Microsoft Security Blog. "Jasper Sleet: North Korean remote IT workers' evolving tactics to infiltrate organizations." https://www.microsoft.com/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/
CISA. "Cybersecurity for Kids." https://www.cisa.gov/news-events/news/cisa-launches-cybersecurity-awareness-month-kids
FBI. "North Korean IT Workers Warning." https://www.fbi.gov/ic3/alertr/north-korean