TL;DR

SMS and phone-call MFA are broken — SIM swap attacks and adversary-in-the-middle phishing kits like Evilginx and Tycoon can bypass them trivially. Australian SMBs need phishing-resistant MFA (FIDO2, passkeys, number matching) backed by conditional access policies that block legacy auth, enforce compliant devices, geofence logins, and require re-authentication for admin actions. This post gives you a 6-policy starter pack you can implement today.

Why SMS and Phone-Call MFA No Longer Cut It

Multi-factor authentication has been the default advice for years. "Turn on MFA" appears on every government checklist. The problem is that not all MFA is equal, and the kind most SMBs deployed first — SMS codes and phone calls — is now actively exploited at scale.

SIM swap attacks let an attacker port your mobile number to a SIM card they control. Once that happens, your SMS codes flow to their phone, not yours. In Australia, the ACCC's Targeting Scams report documented millions in losses from credential theft where SMS-based MFA was the assumed safeguard.


More dangerous still are adversary-in-the-middle (AiTM) phishing kits. Tools like Evilginx and Tycoon sit between the user and the real login page. The user enters their username, password, and their SMS code. The proxy forwards everything to the real IdP in real time, logs the user in legitimately, and steals the session cookie. The attacker now has a valid session — no need for the password or the code again. The MFA did exactly what it was supposed to, and it didn't matter.

The Australian Cyber Security Centre (ACSC) has updated its guidance to recommend phishing-resistant MFA as the baseline. If your SMB still relies on SMS or phone calls for any account — especially admin accounts — you are running a known-broken control.

Phishing-Resistant MFA Options That Actually Work

FIDO2 security keys (YubiKey 5 series, Feitian). The gold standard. The authentication is bound to the specific domain the user is logging into. An AiTM proxy cannot replay the assertion because the origin won't match. No SMS to intercept, no code to phish. Cost: roughly $80–120 per key per user. Issue two per person — one primary, one backup in the safe.

Passkeys (built into Windows Hello, macOS Touch ID, Android, iOS). Same FIDO2 protocol under the hood, but the credential lives on the user's device (or syncs via their cloud account). No hardware to buy. Microsoft Entra ID and Google Workspace both support passkeys natively in 2026. This is the fastest rollout path for SMBs that don't want to buy physical keys.
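Why a FIDO2 key or passkey survives an AiTM proxy comes down to a handful of checks the relying party performs on every assertion. The Python below is an added example, not code from this post or from any vendor: it implements the clientDataJSON and authenticatorData checks of the WebAuthn assertion ceremony using only the standard library (the signature check over authenticatorData || SHA-256(clientDataJSON) against the stored public key is a separate step and is left out). The RP ID `example.com`, the origin `https://login.example.com`, the challenge bytes and the `.invalid` lookalike origin are all constructed sample values.

```python
"""RP-side checks that make a FIDO2/WebAuthn assertion origin-bound.

Added example, not the post's or any vendor's code. Standard library only;
the public-key signature check is a separate step not shown here.
RP ID, origin and challenge are constructed sample values.
"""
import base64
import hashlib
import json

RP_ID = "example.com"                            # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"    # assumed genuine login origin
CHALLENGE = b"constructed-32-byte-challenge!!!"  # constructed; a real RP uses os.urandom(32) per login


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, rp_id: str = RP_ID,
                             expected_origin: str = EXPECTED_ORIGIN):
    """Return (ok, reason). These rejections are what stop a relay: the browser,
    not the page, writes the origin it is really talking to into clientDataJSON,
    and the authenticator hashes the RP ID derived from that origin, so an
    assertion produced on a proxy page fails before any signature is examined."""
    try:
        c = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if c.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if c.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if c.get("origin") != expected_origin:
        return False, f"origin mismatch: browser signed for {c.get('origin')!r}"
    if len(authenticator_data) < 37:             # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:        # UP flag: the user touched the key
        return False, "user-presence flag not set"
    return True, "ok"


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser produces for the authenticator to sign over."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash || flags || signCount (big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def demo():
    """A genuine login versus the same challenge signed on a lookalike origin."""
    auth = make_authenticator_data(RP_ID)
    genuine = verify_assertion_binding(make_client_data(CHALLENGE, EXPECTED_ORIGIN), auth, CHALLENGE)
    # Constructed lookalike origin (.invalid TLD); a proxy page can only ever get the browser to sign this.
    relayed = verify_assertion_binding(make_client_data(CHALLENGE, "https://login.example-com.invalid"), auth, CHALLENGE)
    return genuine, relayed


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed"), demo()):
        print(f"{label}: {result}")
```

Run it and the genuine assertion passes while the relayed one is rejected at the origin check. Contrast this with an SMS or TOTP code, which carries no information about where it was typed: the proxy forwards it unchanged and the IdP has nothing to compare.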

Microsoft Authenticator with number matching. If you're on Entra ID and not ready for FIDO2, enable number matching in the Authenticator app settings. This defeats basic AiTM phishing because the user must type the number shown on the login screen into their app — a proxy cannot relay that challenge automatically. It's not as strong as FIDO2, but it's a significant step up from push-approve-without-context.

Recommendation: Start with passkeys for all users. Deploy FIDO2 keys for IT admins and anyone with privileged access. Turn off SMS and voice call as MFA methods entirely.

Conditional Access: The Policies That Make MFA Actually Work

MFA alone is a binary gate. Conditional access turns it into a risk engine. Both Entra ID (included with Microsoft 365 Business Premium) and Google Workspace (Enterprise editions) support conditional access policies that evaluate login context — device state, location, client app, risk score — before granting access.

Here is a 6-policy starter pack every Australian SMB should deploy:

Policy 1: Block Legacy Authentication

Legacy protocols (IMAP, POP, SMTP AUTH, older Office desktop apps) don't support modern MFA. Attackers brute-force these endpoints with credential stuffing. Block them completely. In Entra ID: Conditional Access > New Policy > Client apps > select "Exchange ActiveSync clients" and "Other clients." In Google Workspace: Apps > Google Workspace > Settings for Gmail > End User Access > disable "Allow less secure apps."

Policy 2: Require MFA for Every Admin Role

Every account with a privileged role — Global Admin, Exchange Admin, SharePoint Admin, Security Admin — must require MFA at every login, no exceptions. No "remember MFA for 60 days" for these accounts. In Entra ID, target the policy at directory roles rather than individual users.

Policy 3: Require Compliant or Managed Devices

Only allow access from devices enrolled in your MDM (Intune, Google Endpoint Management). This stops attackers who phish credentials from logging in on their own unmanaged laptop. In Entra ID: Condition > Device platforms > require "Device to be marked as compliant." In Google Workspace: Device Management > Context-Aware Access > device policy rules.

Policy 4: Geofence to Australia (and Specific Countries You Operate In)

If your team works from Australia and occasionally New Zealand or Southeast Asia, block logins from everywhere else. Nigerian IPs have no business accessing your Entra ID tenant. In Entra ID: Condition > Locations > select your named locations, then set the policy to block access from any location not in the list.

Policy 5: Session Timeout and Re-authentication

Set session token lifetimes to force re-authentication. For admin portals, require re-authentication every 4 hours. For regular user sessions, 12–24 hours is reasonable. In Entra ID: Session > Sign-in frequency > set to 4 hours for admin-targeted policies. In Google Workspace: Session controls via Context-Aware Access.

Policy 6: Block High-Risk Sign-ins

Entra ID Identity Protection (included in Business Premium) assigns risk scores to sign-ins based on anomalous patterns — impossible travel, unfamiliar IP, leaked credentials. Configure a policy to block sign-ins rated "High risk" and require MFA for "Medium risk." This catches attacks your other policies miss.
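The portal clicks above map onto a small number of fields in the Microsoft Graph `conditionalAccessPolicy` resource, and expressing the starter pack that way makes it reviewable and repeatable across tenants. The Python below is an added example, not the post's own code: it builds each policy as a request body for `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`, starts every policy in report-only mode (the rollout approach recommended in the FAQ), and runs a pre-flight lint before anything is posted. Policy 6 becomes two bodies because one policy carries one grant decision (block, or require MFA), not both. The group, role-template and named-location IDs in angle brackets are placeholders you replace with object IDs from your own tenant, and the break-glass exclusion group is a standard practitioner addition rather than one of the post's six policies.

```python
"""Entra ID conditional access starter pack as Microsoft Graph request bodies.

Added example, not the post's own code. Each dict is a body for
POST /identity/conditionalAccess/policies (conditionalAccessPolicy resource).
Values in angle brackets are placeholders for IDs from your own tenant.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # the "Report-only" toggle in the portal

# Placeholder tenant-specific IDs (hypothetical; replace before use).
BREAK_GLASS_GROUP = "<break-glass-group-object-id>"  # emergency-access accounts, excluded everywhere
PRIVILEGED_ROLES = [
    "<global-admin-role-template-id>",
    "<exchange-admin-role-template-id>",
    "<sharepoint-admin-role-template-id>",
    "<security-admin-role-template-id>",
]
ALLOWED_COUNTRIES = "<named-location-id-for-AU-and-partner-countries>"


def _policy(name, users=None, client_apps=("all",)):
    """Skeleton shared by every policy: all cloud apps, report-only, break-glass excluded."""
    users = dict(users or {"includeUsers": ["All"]})
    users.setdefault("excludeGroups", [BREAK_GLASS_GROUP])
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": list(client_apps),
            "applications": {"includeApplications": ["All"]},
            "users": users,
        },
        "grantControls": None,
        "sessionControls": None,
    }


def _grant(policy, *controls):
    policy["grantControls"] = {"operator": "OR", "builtInControls": list(controls)}
    return policy


def _sign_in_frequency(policy, hours):
    policy["sessionControls"] = {
        "signInFrequency": {"value": hours, "type": "hours", "isEnabled": True}
    }
    return policy


def starter_pack():
    """The post's six policies as Graph bodies (policy 6 split into block and MFA)."""
    # Policy 1: "Exchange ActiveSync clients" and "Other clients" in the portal.
    p1 = _grant(_policy("CA01 Block legacy authentication",
                        client_apps=("exchangeActiveSync", "other")), "block")
    # Policy 2 (+ policy 5 for admins): target directory roles, MFA, re-auth every 4 hours.
    p2 = _sign_in_frequency(
        _grant(_policy("CA02 MFA for privileged roles",
                       users={"includeRoles": PRIVILEGED_ROLES}), "mfa"), 4)
    # Policy 3: only Intune-compliant devices.
    p3 = _grant(_policy("CA03 Require compliant device"), "compliantDevice")
    # Policy 4: block everywhere except the allowed-countries named location.
    p4 = _grant(_policy("CA04 Block sign-ins outside allowed countries"), "block")
    p4["conditions"]["locations"] = {"includeLocations": ["All"],
                                     "excludeLocations": [ALLOWED_COUNTRIES]}
    # Policy 5 for regular users: session-only policy, re-auth every 24 hours.
    p5 = _sign_in_frequency(_policy("CA05 Re-authenticate every 24 hours"), 24)
    # Policy 6: Identity Protection sign-in risk.
    p6a = _grant(_policy("CA06a Block high-risk sign-ins"), "block")
    p6a["conditions"]["signInRiskLevels"] = ["high"]
    p6b = _grant(_policy("CA06b MFA for medium-risk sign-ins"), "mfa")
    p6b["conditions"]["signInRiskLevels"] = ["medium"]
    return [p1, p2, p3, p4, p5, p6a, p6b]


def lint(policies):
    """Pre-flight checks before posting; any finding means 'do not deploy yet'."""
    findings = []
    for p in policies:
        name = p["displayName"]
        grant = (p.get("grantControls") or {}).get("builtInControls", [])
        if p["state"] != REPORT_ONLY:
            findings.append(f"{name}: not report-only; review the report-only log first")
        if "block" in grant and BREAK_GLASS_GROUP not in p["conditions"]["users"].get("excludeGroups", []):
            findings.append(f"{name}: blocking policy without break-glass exclusion")
        if not grant and not p.get("sessionControls"):
            findings.append(f"{name}: neither grant nor session control; policy does nothing")
    return findings


if __name__ == "__main__":
    pack = starter_pack()
    print(json.dumps(pack, indent=2))
    for finding in lint(pack):
        print("WARNING:", finding)
```

Post the bodies with whatever Graph client you already use (the `Policy.ReadWrite.ConditionalAccess` permission is required), leave them in report-only for the week the FAQ suggests, then change `state` to `enabled` one policy at a time. The lint exists so that a policy cannot be flipped to enforced, or be allowed to block every user including your emergency-access account, without someone seeing a warning first.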

FAQ

Do I need Microsoft 365 Business Premium for conditional access? Yes. Standard Business and Business Basic do not include Conditional Access. Business Premium is roughly $36 AUD per user/month and includes Intune, Conditional Access, and Identity Protection. It's the single best security investment an SMB on Microsoft 365 can make.

What about staff who travel overseas? Geofencing doesn't mean you block travel. Create a named location for countries your team visits, or use exclusion groups. When someone travels to a new region, add them to the exclusion group temporarily. Alternatively, rely on the device compliance + MFA policies as your primary control and make geofencing a secondary signal.

Is Google Workspace conditional access as capable as Entra ID? Google's Context-Aware Access covers device posture, IP range, and geography. It's available on Enterprise Standard and above. It doesn't have Entra ID's risk-scored sign-in detection, but combined with Google's built-in phishing detection and passkey support, it provides strong coverage for Workspace-first organisations.

How do I roll this out without locking everyone out? Deploy in report-only mode first. Every policy has a "Report-only" toggle in Entra ID that logs what would have been blocked without actually blocking it. Run that for a week, review the logs, then flip to "On." For Google Workspace, test with a small OU before applying organisation-wide.

Conclusion

MFA without conditional access is a locked front door with the window wide open. Australian SMBs face the same adversary-in-the-middle tooling as enterprise targets — the phishing kits don't check your company size before they strike. Deploy phishing-resistant MFA, implement the 6-policy starter pack, and validate with report-only mode before enforcement.

Visit consult.lil.business for a free cybersecurity assessment tailored to your Australian SMB.

References

  1. ACSC — Multi-Factor Authentication Guidance
  2. NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
  3. Microsoft — Configure Authentication Methods Policy in Entra ID
  4. ACCC — Targeting Scams: Report on Scam Activity in Australia

ELI10: There's a Master Key That Unlocks Business Computers

Explained Like You're 10 — by lilMONSTER at lil.business


Imagine your IT person has a special master key that lets them unlock any computer in your office from anywhere in the world. That key is how they fix problems, install software, and keep everything running — even when they're working from home.

Now imagine someone figured out that your master key has a secret flaw. With just a little trick, anyone on the internet can copy your master key — without ever meeting your IT person, without knowing any passwords, without knocking on your door.

That is exactly what CVE-2026-1731 is.


The Flaw, in Plain Language

A popular IT tool called BeyondTrust Remote Support — used by IT teams and IT providers to manage computers remotely — had a bug discovered this month. Security researchers found that if you sent it a cleverly written message, it would run any command you told it to run. No login. No password. No permission needed.

Think of it like a vending machine that's supposed to only accept coins — but someone discovered that if you shake it just right, it gives you everything inside for free. Except instead of snacks, it's handing over your entire computer network.

The flaw got a score of 9.9 out of 10 for severity. That's basically as serious as it gets.


Who Found Out First?

A security research team called Hacktron AI found the flaw and told BeyondTrust about it on January 31, 2026. BeyondTrust quietly released a fix on February 6. But by February 10, someone had figured out the same trick and posted instructions online for everyone to see.

Within 24 hours, attackers were using those instructions to break into unpatched systems. A U.S. government agency called CISA — America's top cybersecurity watchdog — ordered all government offices to fix it within three days.


Does This Affect Your Business?

If your IT team or IT provider uses BeyondTrust Remote Support to manage your computers, you need to ask one question: "Have you applied the BT26-02 patch?"

  • If you use the cloud version: you're already fixed. Nothing to do.
  • If you use the installed-on-a-server version: you need to patch it manually, right now.

Not sure which one you have? Ask your IT person or provider. If they don't know, that's also important information.


What You Can Do Today

  1. Ask your IT team or MSP: "Do we use BeyondTrust? Is it patched against CVE-2026-1731?"
  2. Get a straight answer: They should know immediately. If they're unsure, push for a same-day answer.
  3. Check your logs: If you've been running an unpatched version and someone connected to it in the last week, flag it for investigation.

The Bigger Picture

This isn't the first time BeyondTrust has been in the news. Two years ago, a Chinese hacking group used a different flaw in the same product to break into the U.S. Treasury. This tool is a high-value target precisely because it's designed to have access to everything.

That's not a reason to panic. It's a reason to patch.


lil.business helps Australian small businesses check, patch, and secure their remote access tools — without the confusing jargon. Book a free 30-minute consultation and make sure your IT setup isn't a door left wide open.


References

[1] NIST National Vulnerability Database, "CVE-2026-1731: BeyondTrust Privileged Remote Access Authentication Bypass," NVD, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-1731

[2] CISA, "Known Exploited Vulnerabilities Catalog: BeyondTrust Privileged Remote Access," Cybersecurity and Infrastructure Security Agency, 2026. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[3] BeyondTrust, "Security Advisory: Critical Authentication Bypass in Privileged Remote Access (CVE-2026-1731)," BeyondTrust Security Advisories, 2026. [Online]. Available: https://www.beyondtrust.com/security-advisories

[4] ASD ACSC, "Patch Management Best Practices for Critical Vulnerabilities in Remote Access Tools," Australian Signals Directorate, Australian Cyber Security Centre, 2025. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/patch-management

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation