TL;DR

If you are still relying on SMS or phone-call MFA to protect your business accounts, you are operating with a false sense of security. Modern attack toolkits like Evilginx and Tycoon bypass these methods with commodity phishing kits that cost less than $300 a month. This post walks through why legacy MFA fails, which phishing-resistant alternatives to implement, and the six conditional access policies every Australian SMB should deploy in Microsoft Entra ID or Google Workspace this week.


Why Your MFA Is Already Broken

Most Australian small businesses implemented multi-factor authentication between 2020 and 2022 and considered the job done. The problem: the threat model has shifted dramatically since then, and the SMS codes or phone calls you deployed are no longer a meaningful barrier to a motivated attacker.

Three attack vectors have rendered legacy MFA obsolete:

SIM swapping continues to plague Australian mobile carriers. An attacker socially engineers a telco support desk, ports your number to their SIM, and receives every MFA code sent to your phone. The Australian Signals Directorate (ASD) has tracked a steady increase in SIM-swap-enabled account takeovers targeting business owners specifically, because compromising the owner's account unlocks invoice fraud, payroll redirection, and bank transfer authorisation.

Adversary-in-the-middle (AitM) phishing kits have commoditised what was once a nation-state capability. Tools such as Evilginx, Tycoon 2FA, and Modlishka sit between your user and the real Microsoft or Google login page. When your employee enters their password and SMS code, the proxy captures both in real time — along with the session cookie — and replays them to the legitimate service. The attacker is now authenticated with a valid session token. The user sees no indication anything went wrong.

MFA fatigue and push bombing exploit the human in the loop. Attackers trigger repeated push notifications to a target's authenticator app until the user, frustrated or confused, taps "Approve." In 2024 a major Australian managed service provider lost control of their entire client tenant after an exhausted director approved a push notification at 11:47 PM.

The ACSC's Essential Eight maturity model explicitly calls for phishing-resistant MFA at Maturity Level 3. If your business handles sensitive client data, financial transactions, or personally identifiable information, legacy MFA is a compliance gap, not just a security gap.


Phishing-Resistant MFA: What Actually Works

The FIDO Alliance and NIST SP 800-63B define phishing-resistant authentication as methods that are cryptographically bound to the legitimate relying party — meaning a proxy cannot intercept and replay the credential. Three options are practical for SMBs today:

FIDO2 security keys (Yubikey, Feitian, Google Titan). A physical USB-A, USB-C, or NFC key that signs a cryptographic challenge tied to the specific domain being accessed. Even if an AitM proxy captures the response, it is worthless for replay against the real service because the challenge is domain-bound. Cost is roughly $50–$90 per key. Every admin account and every finance team member should have one. Two keys per person: one for daily use, one stored securely as a backup.

Passkeys (platform-native FIDO2). Stored in your device's secure enclave — Apple Touch ID, Windows Hello, or Android biometric — and synchronised across your ecosystem via iCloud Keychain or Google Password Manager. Passkeys eliminate the physical token cost and are vastly more resistant to remote phishing than any code-based method. Microsoft, Google, and most major SaaS platforms now support passkeys natively.

Microsoft Authenticator with number matching. A middle ground. Instead of a simple "Approve/Deny" push, the user must type a two-digit number displayed on the login screen into their authenticator app. This breaks AitM attacks because the user sees the login context (location, application) and must actively match the number. It also eliminates push-bombing fatigue attacks because there is no button to blindly tap. Number matching is free with Entra ID and takes five minutes to enable in the Authentication Methods policy.

What to retire: SMS codes, voice calls, and simple push notifications without number matching or additional context. If your current MFA method can be phished by a $200-a-month SaaS tool, it is not MFA — it is theatre.


Conditional Access: The Policy Layer MFA Needed

MFA verifies who is logging in. Conditional access verifies whether they should be, from where, and with what. It is the policy engine that turns authentication from a single checkpoint into a continuous enforcement layer.

For Australian SMBs on Microsoft 365 Business Premium (which includes Entra ID P1) or Google Workspace Business Plus, conditional access is included in the licence you already pay for. Most businesses have never configured it.

Here is what conditional access evaluates in real time before granting access:

  • User risk and sign-in risk (Entra ID Protection): Has this user's behaviour deviated from their baseline? Is the sign-in from an anonymous IP, a Tor exit node, or a location inconsistent with their typical pattern?
  • Device compliance: Is this device enrolled in Intune or Google endpoint management? Does it have disk encryption enabled? Is the OS patched?
  • Geolocation: Is this sign-in originating from a country your business does not operate in?
  • Application sensitivity: Is the user accessing email, or are they changing a global admin setting?
  • Authentication strength: Did they use a phishing-resistant method, or just a password and SMS?

If any condition fails, access is blocked — or stepped-up authentication is required — automatically, without a human in the loop.


The 6-Policy Starter Pack for SMBs

These policies apply to both Entra ID and Google Workspace (with equivalent configuration paths). Deploy them in report-only mode first for two weeks, review the impact, then enforce.

Policy 1: Block legacy authentication. Protocols like IMAP, POP3, SMTP Auth, and ActiveSync do not support modern MFA. Attackers use these to password-spray accounts without ever triggering an MFA prompt. Block them globally. In Entra ID this is a single toggle under Conditional Access. In Google Workspace it is under Security > Less secure apps.

Policy 2: Require phishing-resistant MFA for all administrators. Every Global Admin, Privileged Role Admin, and Billing Admin must authenticate with a FIDO2 security key or passkey. No exceptions. If an admin account is compromised, the attacker owns the tenant. The ACSC's Essential Eight rates this as a top-three priority control.

Policy 3: Require compliant device for all users. Users accessing corporate data must do so from a device enrolled in your endpoint management platform with encryption enabled and OS patch compliance verified. Unmanaged personal devices get blocked or restricted to web-only access without download capability.

Policy 4: Geofence to Australia. If your business only operates domestically, block sign-ins from outside Australia — or at minimum, block high-risk regions. A small accounting firm in Brisbane does not need sign-ins originating from Moscow, Lagos, or Pyongyang. Add a break-glass admin account excluded from this policy in case of legitimate travel.

Policy 5: Require MFA for all privileged actions. Even after initial sign-in, re-prompt for MFA (with number matching or FIDO2) whenever a user performs a sensitive action: creating a new global admin, modifying conditional access policies, adding an app consent grant, or changing billing details.

Policy 6: Session timeout and sign-in frequency. Set an eight-hour maximum session lifetime with idle timeout at one hour. If a session cookie is stolen, limiting its useful window reduces the blast radius. For admin accounts, reduce maximum session to four hours.


FAQ

We already use the Microsoft Authenticator app. Are we protected against phishing?

Only if you have enabled number matching and disabled simple push approval. The free Authenticator app with push notifications alone is vulnerable to MFA fatigue and push bombing. Number matching takes minutes to enable in the Entra ID portal under Security > Authentication methods > Microsoft Authenticator.

Yubikeys cost $80 each. Do we really need them for a 12-person business?

Your email and file storage contain every client contract, bank detail, and piece of intellectual property the business owns. A single account takeover resulting in invoice fraud or ransomware deployment costs the average Australian SMB $49,000 in recovery, according to the ACSC's 2024 Cyber Threat Report. Twelve Yubikeys cost less than $1,000. The cost-benefit calculation is not close.

We use Google Workspace, not Microsoft. Do these policies still apply?

Yes. Google Workspace has equivalent controls under Security > Access and data control > Context-Aware Access. The same six policies translate directly: block legacy auth, restrict to enrolled devices, geofence by IP or region, and require security keys for admin accounts. Google's Advanced Protection Program is worth enabling for every admin as well.

Do conditional access policies slow down our staff?

Report-only mode will show you with precision. In most SMB deployments, well-configured policies trigger additional MFA prompts once per session or less. The friction is minimal compared to the friction of recovering from a ransomware incident on a Monday morning.


Conclusion

If your business implemented MFA in 2021 and has not touched it since, your identity security is three threat generations behind. Attackers have automated the bypass of the methods you deployed. The fix is not more MFA — it is better MFA, wrapped in conditional access policies that make decisions based on context, risk, and device trust.

Actionable next three steps for this week:

  1. Enable number matching for Microsoft Authenticator (or equivalent in your IdP).
  2. Order FIDO2 security keys for every admin and finance team member.
  3. Deploy the six conditional access policies above in report-only mode and review the logs on Friday.

Every major cyber insurer in Australia now asks about phishing-resistant MFA and conditional access during underwriting. If you cannot answer yes, your premium is higher — or your coverage is denied.

For a free, no-obligation cybersecurity assessment of your business's identity and access controls, visit consult.lil.business. We will review your MFA posture, conditional access configuration, and Essential Eight alignment in under an hour.


References

  1. ACSC Essential Eight Maturity Model
  2. NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management
  3. CISA: Phishing-Resistant Multi-Factor Authentication
  4. Microsoft: Common Conditional Access Policies for Entra ID
  5. Google Workspace: Context-Aware Access Overview

TL;DR

  • A popular tool that programmers use has a serious security problem
  • The problem is called CVE-2026-28292 and it's very dangerous (score 9.8 out of 10)
  • It lets attackers run commands on computers that use certain versions of the tool
  • Anyone who uses this tool needs to update it right away

What Is simple-git and Why Do Programmers Use It?

Imagine you have a robot that helps you organize your school projects. The robot keeps track of every change you make, lets you go back to older versions, and helps you work with friends on the same project. That's what git does for computer programmers—it's like a super-powered "undo" button and collaboration tool [1].

Simple-git is a popular tool that lets programs talk to git automatically. Think of it like a translator: your program says "save this work" in English, and simple-git translates it into git-language so git understands what to do [2].

Programmers use simple-git all the time in web applications, tools that help other programmers, and systems that automatically update websites. It's everywhere in modern software.

What's the Problem?

Someone found a way to trick simple-git into running bad commands instead of just translating for git. It's like if you told your translator robot "say hello" but instead it started opening doors and turning off lights [3].

The scary part is that this trick doesn't need a password or special access. If an application uses simple-git in the wrong way, an attacker could send a specially crafted message that makes the application do whatever the attacker wants [4].

The problem affects versions 3.15.0 through 3.32.2 of simple-git. Version 3.23.0 fixes the problem, so everyone needs to update to that version or a newer one [5].

How Could This Hurt a Business?

Imagine a company has a website that lets programmers share their code. The website uses simple-git to manage all the shared projects. If an attacker knows about this vulnerability, they could:

  • Send a specially crafted project name to the website
  • The website passes that name to simple-git
  • Simple-git gets tricked into running bad commands
  • The attacker now has control over the website's computer [6]

This is called "remote code execution"—the attacker can run commands on a computer without even being in the same building. It's like giving someone the keys to your house through the mail slot [7].

Why This Happened Twice Before

The really concerning part is that this same kind of problem was found and fixed in simple-git in 2022 (CVE-2022-25860 and CVE-2022-25912) [8]. But the fix wasn't complete—attackers found a different way to do the same trick.

It's like patching a hole in a tire, but the patch wasn't big enough. The air is still leaking out, just through a different spot.

What Businesses Need to Do Right Now

1. Check If You Use simple-git

Any business that has programmers or uses web applications should check if they depend on simple-git. Programmers can run a command to see if it's installed in their projects [9].

2. Update to Version 3.23.0 or Newer

If version 3.15.0 through 3.32.2 is installed, update it immediately. This is critical—not something to put off until next week [10].

3. Check Your Dependencies

Your business might not directly use simple-git, but the tools you use might depend on it. It's like your backpack has a pocket, and that pocket has a smaller pocket—you need to check all the layers [11].

4. Set Up Automatic Checks

There are tools that can automatically watch for problems like this and alert you when they're found. It's like having a security guard that checks all your doors and windows every night [12].

The Big Lesson: We All Depend on Each Other's Code

Modern software is built like a tower of blocks. Each block is a piece of code written by someone else. When one block has a crack, the whole tower can wobble [13].

That's why security isn't just about writing good code yourself—it's about making sure all the blocks you use are solid too. When a popular tool like simple-git has a problem, it affects everyone who uses it, even if they wrote perfect code themselves.

FAQ

No, you need to update to the fixed version (3.23.0 or newer). The problem is in how the tool was written, so the people who make simple-git had to fix it and release a new version [14].

If your business has programmers who work with Node.js (a popular programming system), ask them to check if any projects use simple-git. If they're not sure, that's a problem—not knowing what you're using is risky [15].

Not necessarily. The attack comes through normal web traffic—it looks like a regular request until simple-git processes it. Firewalls are like locks on your doors, but this attack uses the doorbell [16].

Programming is complicated, and it's hard to think of every possible way someone might try to trick your code. That's why security updates happen constantly—it's not that the programmers were bad, it's that attackers are always finding new tricks [17].

References

[1] TheHackerWire, "Critical RCE in simple-git (CVE-2026-28292)," TheHackerWire, March 10, 2026. [Online]. Available: https://www.thehackerwire.com/critical-rce-in-simple-git-cve-2026-28292/

[2] npm, "simple-git package," npm, 2026. [Online]. Available: https://www.npmjs.com/package/simple-git

[3] TheHackerWire, "Critical RCE in simple-git," 2026.

[4] CWE, "CWE-78: OS Command Injection," MITRE, 2025. [Online]. Available: https://cwe.mitre.org/data/definitions/78.html

[5] TheHackerWire, "Critical RCE in simple-git," 2026.

[6] OWASP, "Command Injection," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-project-command-injection/

[7] CWE, "CWE-78: OS Command Injection," 2025.

[8] TheHackerWire, "Critical RCE in simple-git," 2026.

[9] npm Documentation, "Troubleshooting dependency trees," npm, 2025. [Online]. Available: https://docs.npmjs.com/cli/v9/commands/npm-ls

[10] TheHackerWire, "Critical RCE in simple-git," 2026.

[11] GitHub, "About Dependabot alerts," GitHub, 2025. [Online]. Available: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts

[12] GitHub, "About Dependabot alerts," 2025.

[13] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security

[14] TheHackerWire, "Critical RCE in simple-git," 2026.

[15] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[16] OWASP, "Command Injection," 2025.

[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.


Worried about your software dependencies? Book a free cybersecurity consultation at consult.lil.business—we'll help you understand and secure your code.
