TL;DR

If you are still relying on SMS or phone-call MFA to protect your business accounts, you are operating with a false sense of security. Modern attack toolkits like Evilginx and Tycoon bypass these methods with commodity phishing kits that cost less than $300 a month. This post walks through why legacy MFA fails, which phishing-resistant alternatives to implement, and the six conditional access policies every Australian SMB should deploy in Microsoft Entra ID or Google Workspace this week.


Why Your MFA Is Already Broken

Most Australian small businesses implemented multi-factor authentication between 2020 and 2022 and considered the job done. The problem: the threat model has shifted dramatically since then, and the SMS codes or phone calls you deployed are no longer a meaningful barrier to a motivated attacker.

Three attack vectors have rendered legacy MFA obsolete:

SIM swapping continues to plague Australian mobile carriers. An attacker socially engineers a telco support desk, ports your number to their SIM, and receives every MFA code sent to your phone. The Australian Signals Directorate (ASD) has tracked a steady increase in SIM-swap-enabled account takeovers targeting business owners specifically, because compromising the owner's account unlocks invoice fraud, payroll redirection, and bank transfer authorisation.

Adversary-in-the-middle (AitM) phishing kits have commoditised what was once a nation-state capability. Tools such as Evilginx, Tycoon 2FA, and Modlishka sit between your user and the real Microsoft or Google login page. When your employee enters their password and SMS code, the proxy captures both in real time — along with the session cookie — and replays them to the legitimate service. The attacker is now authenticated with a valid session token. The user sees no indication anything went wrong.

MFA fatigue and push bombing exploit the human in the loop. Attackers trigger repeated push notifications to a target's authenticator app until the user, frustrated or confused, taps "Approve." In 2024 a major Australian managed service provider lost control of their entire client tenant after an exhausted director approved a push notification at 11:47 PM.

The ACSC's Essential Eight maturity model explicitly calls for phishing-resistant MFA at Maturity Level 3. If your business handles sensitive client data, financial transactions, or personally identifiable information, legacy MFA is a compliance gap, not just a security gap.


Phishing-Resistant MFA: What Actually Works

The FIDO Alliance and NIST SP 800-63B define phishing-resistant authentication as methods that are cryptographically bound to the legitimate relying party — meaning a proxy cannot intercept and replay the credential. Three options are practical for SMBs today:

FIDO2 security keys (YubiKey, Feitian, Google Titan). A physical USB-A, USB-C, or NFC key that signs a cryptographic challenge tied to the specific domain being accessed. Even if an AitM proxy captures the response, it is worthless for replay against the real service because the challenge is domain-bound. Cost is roughly $50–$90 per key. Every admin account and every finance team member should have one. Two keys per person: one for daily use, one stored securely as a backup.

Passkeys (platform-native FIDO2). Stored in your device's secure enclave — Apple Touch ID, Windows Hello, or Android biometric — and synchronised across your ecosystem via iCloud Keychain or Google Password Manager. Passkeys eliminate the physical token cost and are vastly more resistant to remote phishing than any code-based method. Microsoft, Google, and most major SaaS platforms now support passkeys natively.
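To make the domain binding concrete for both security keys and passkeys, here is an added model (not from the original post, and not any vendor's code) of the WebAuthn assertion flow. The relying party `login.example.com`, the proxy domain, and the credential key are constructed; an HMAC stands in for the authenticator's asymmetric signature so the example runs on the standard library alone.

```python
"""Toy FIDO2/WebAuthn origin-binding model (stdlib only). HMAC stands in for the
authenticator's asymmetric signature; the lesson is what gets signed, not the scheme."""
import hashlib, hmac, json, secrets

RP_ID = "login.example.com"               # constructed relying party
RP_ORIGIN = "https://login.example.com"

def authenticator_sign(cred_key: bytes, origin: str, challenge: bytes) -> dict:
    """The browser fills in the origin it is really on; the authenticator signs
    rpIdHash || sha256(clientDataJSON), so the origin is covered by the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()        # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, a: dict, expected_challenge: bytes) -> tuple[bool, str]:
    # Relying-party checks, in the order the WebAuthn spec lists them.
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(a["signature"], hmac.new(cred_key, signed, hashlib.sha256).digest()):
        return False, "signature invalid"
    return True, "ok"

def legitimate_login(cred_key: bytes) -> tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return rp_verify(cred_key, authenticator_sign(cred_key, RP_ORIGIN, challenge), challenge)

def proxied_login(cred_key: bytes, proxy_origin: str = "https://login.example-secure.net") -> tuple[bool, str]:
    # AitM relay: the proxy forwards the real RP's challenge, but the browser is on the proxy's
    # origin. (A real browser would refuse outright, since RP_ID is not a suffix of that domain.)
    challenge = secrets.token_bytes(32)
    return rp_verify(cred_key, authenticator_sign(cred_key, proxy_origin, challenge), challenge)

def tampered_login(cred_key: bytes) -> tuple[bool, str]:
    # Proxy rewrites the origin field after signing: the signature no longer covers the bytes.
    challenge = secrets.token_bytes(32)
    a = authenticator_sign(cred_key, "https://login.example-secure.net", challenge)
    cd = json.loads(a["clientDataJSON"]); cd["origin"] = RP_ORIGIN
    a["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(cred_key, a, challenge)
```

Contrast this with an SMS or TOTP code, which carries no origin at all: whatever site the user typed it into, the real service accepts it unchanged.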

Microsoft Authenticator with number matching. A middle ground. Instead of a simple "Approve/Deny" push, the user must type a two-digit number displayed on the login screen into their authenticator app. This breaks AitM attacks because the user sees the login context (location, application) and must actively match the number. It also eliminates push-bombing fatigue attacks because there is no button to blindly tap. Number matching is free with Entra ID and takes five minutes to enable in the Authentication Methods policy.

What to retire: SMS codes, voice calls, and simple push notifications without number matching or additional context. If your current MFA method can be phished by a $200-a-month SaaS tool, it is not MFA — it is theatre.


Conditional Access: The Policy Layer MFA Needed

MFA verifies who is logging in. Conditional access verifies whether they should be, from where, and on what device. It is the policy engine that turns authentication from a single checkpoint into a continuous enforcement layer.

For Australian SMBs on Microsoft 365 Business Premium (which includes Entra ID P1) or Google Workspace Business Plus, conditional access is included in the licence you already pay for. Most businesses have never configured it.

Here is what conditional access evaluates in real time before granting access:

  • User risk and sign-in risk (Entra ID Protection): Has this user's behaviour deviated from their baseline? Is the sign-in from an anonymous IP, a Tor exit node, or a location inconsistent with their typical pattern?
  • Device compliance: Is this device enrolled in Intune or Google endpoint management? Does it have disk encryption enabled? Is the OS patched?
  • Geolocation: Is this sign-in originating from a country your business does not operate in?
  • Application sensitivity: Is the user accessing email, or are they changing a global admin setting?
  • Authentication strength: Did they use a phishing-resistant method, or just a password and SMS?

If any condition fails, access is blocked — or stepped-up authentication is required — automatically, without a human in the loop.


The 6-Policy Starter Pack for SMBs

These policies apply to both Entra ID and Google Workspace (with equivalent configuration paths). Deploy them in report-only mode first for two weeks, review the impact, then enforce.

Policy 1: Block legacy authentication. Protocols like IMAP, POP3, SMTP Auth, and ActiveSync do not support modern MFA. Attackers use these to password-spray accounts without ever triggering an MFA prompt. Block them globally. In Entra ID this is a single toggle under Conditional Access. In Google Workspace it is under Security > Less secure apps.

Policy 2: Require phishing-resistant MFA for all administrators. Every Global Admin, Privileged Role Admin, and Billing Admin must authenticate with a FIDO2 security key or passkey. No exceptions. If an admin account is compromised, the attacker owns the tenant. The ACSC's Essential Eight rates this as a top-three priority control.

Policy 3: Require compliant device for all users. Users accessing corporate data must do so from a device enrolled in your endpoint management platform with encryption enabled and OS patch compliance verified. Unmanaged personal devices get blocked or restricted to web-only access without download capability.

Policy 4: Geofence to Australia. If your business only operates domestically, block sign-ins from outside Australia — or at minimum, block high-risk regions. A small accounting firm in Brisbane does not need sign-ins originating from Moscow, Lagos, or Pyongyang. Add a break-glass admin account excluded from this policy in case of legitimate travel.

Policy 5: Require MFA for all privileged actions. Even after initial sign-in, re-prompt for MFA (with number matching or FIDO2) whenever a user performs a sensitive action: creating a new global admin, modifying conditional access policies, adding an app consent grant, or changing billing details.

Policy 6: Session timeout and sign-in frequency. Set an eight-hour maximum session lifetime with idle timeout at one hour. If a session cookie is stolen, limiting its useful window reduces the blast radius. For admin accounts, reduce maximum session to four hours.
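The following added model (not Entra ID or Workspace configuration, and not from the original post) shows how the six policies combine in one evaluation pass against constructed sign-in events, including the report-only mode recommended above and the break-glass exclusion from Policy 4. Role names, protocol names and the `breakglass@example.com` account are constructed placeholders.

```python
"""Toy conditional access evaluator for the six starter policies (stdlib only)."""
from dataclasses import dataclass

# Constructed policy parameters, modelled on the post's six policies.
ADMIN_ROLES = {"Global Admin", "Privileged Role Admin", "Billing Admin"}
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP AUTH", "ActiveSync"}
PHISHING_RESISTANT = {"fido2", "passkey"}
PRIVILEGED_ACTIONS = {"create_global_admin", "modify_ca_policy", "app_consent", "change_billing"}
BREAK_GLASS = {"breakglass@example.com"}   # hypothetical account excluded from the geofence

@dataclass
class SignIn:
    """One sign-in, or one in-session action, as the policy engine sees it."""
    user: str
    roles: set
    protocol: str            # "modern" or a legacy protocol name
    auth_method: str         # "sms", "push_number_match", "fido2", "passkey", ...
    device_compliant: bool
    country: str             # ISO code of the sign-in location
    action: str = "read_mail"
    session_age_h: float = 0.0
    idle_h: float = 0.0

def evaluate(s: SignIn, enforce: bool = True) -> tuple[str, list[str]]:
    """Return (decision, matched policies): 'allow', 'block', 'step_up' (fresh MFA
    required), or 'allow (report-only)' when enforce=False and a policy would have fired.
    Policies 1-4 block outright; policies 5-6 only demand re-authentication."""
    blocks, step_ups = [], []
    is_admin = bool(s.roles & ADMIN_ROLES)
    if s.protocol in LEGACY_PROTOCOLS:
        blocks.append("P1 legacy authentication blocked")
    if is_admin and s.auth_method not in PHISHING_RESISTANT:
        blocks.append("P2 admin without phishing-resistant MFA")
    if not s.device_compliant:
        blocks.append("P3 device not compliant")
    if s.country != "AU" and s.user not in BREAK_GLASS:
        blocks.append("P4 sign-in outside Australia")
    if s.action in PRIVILEGED_ACTIONS:
        step_ups.append("P5 privileged action requires fresh MFA")
    if s.session_age_h > (4.0 if is_admin else 8.0) or s.idle_h > 1.0:   # 4 h admins, 8 h staff
        step_ups.append("P6 session lifetime exceeded")
    if blocks:
        return ("block" if enforce else "allow (report-only)"), blocks + step_ups
    if step_ups:
        return ("step_up" if enforce else "allow (report-only)"), step_ups
    return "allow", []
```

Running the evaluator with `enforce=False` over two weeks of sign-in logs is exactly the report-only review step: every event whose match list is non-empty is a user who would have been blocked or re-prompted once the policy is switched on.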


FAQ

We already use the Microsoft Authenticator app. Are we protected against phishing?

Only if you have enabled number matching and disabled simple push approval. The free Authenticator app with push notifications alone is vulnerable to MFA fatigue and push bombing. Number matching takes minutes to enable in the Entra ID portal under Security > Authentication methods > Microsoft Authenticator.

YubiKeys cost $80 each. Do we really need them for a 12-person business?

Your email and file storage contain every client contract, bank detail, and piece of intellectual property the business owns. A single account takeover resulting in invoice fraud or ransomware deployment costs the average Australian SMB $49,000 in recovery, according to the ACSC's 2024 Cyber Threat Report. Twelve YubiKeys cost less than $1,000. The cost-benefit calculation is not close.

We use Google Workspace, not Microsoft. Do these policies still apply?

Yes. Google Workspace has equivalent controls under Security > Access and data control > Context-Aware Access. The same six policies translate directly: block legacy auth, restrict to enrolled devices, geofence by IP or region, and require security keys for admin accounts. Google's Advanced Protection Program is worth enabling for every admin as well.

Do conditional access policies slow down our staff?

Report-only mode will show you with precision. In most SMB deployments, well-configured policies trigger additional MFA prompts once per session or less. The friction is minimal compared to the friction of recovering from a ransomware incident on a Monday morning.


Conclusion

If your business implemented MFA in 2021 and has not touched it since, your identity security is three threat generations behind. Attackers have automated the bypass of the methods you deployed. The fix is not more MFA — it is better MFA, wrapped in conditional access policies that make decisions based on context, risk, and device trust.

Actionable next three steps for this week:

  1. Enable number matching for Microsoft Authenticator (or equivalent in your IdP).
  2. Order FIDO2 security keys for every admin and finance team member.
  3. Deploy the six conditional access policies above in report-only mode and review the logs on Friday.

Every major cyber insurer in Australia now asks about phishing-resistant MFA and conditional access during underwriting. If you cannot answer yes, your premium is higher — or your coverage is denied.

For a free, no-obligation cybersecurity assessment of your business's identity and access controls, visit consult.lil.business. We will review your MFA posture, conditional access configuration, and Essential Eight alignment in under an hour.


References

  1. ACSC Essential Eight Maturity Model
  2. NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management
  3. CISA: Phishing-Resistant Multi-Factor Authentication
  4. Microsoft: Common Conditional Access Policies for Entra ID
  5. Google Workspace: Context-Aware Access Overview
