V-HelpPremium IT service for your business

Cybercriminals Bypass MFA via Authentication Reset and Token Theft



The financial sector became the fourth most popular target for cyberattacks in the first quarter of 2026, accounting for 12% of all recorded incidents. According to a CrowdStrike report, the number of attacks involving direct adversary intervention increased by 43% over two years, and by 48% in North America. Of particular concern is the rise in activity by ransomware groups: the number of financial organizations appearing in data breach lists increased by 27% over the year.

The Mutant Spider group, a leader in attacks on financial companies, employs social engineering via Microsoft Teams. Attackers call employees, impersonating IT specialists, and persuade them to reset MFA. Afterward, attackers register their own devices on the network and gain access to corporate data. The Kali365 platform, sold on Telegram for $250 per month, automates the theft of Microsoft 365 tokens via legitimate OAuth flows, allowing MFA to be bypassed without hacking.

Experts note that traditional security measures, such as MFA, are ineffective against new attack methods. The 2026 Verizon report indicates that credential theft accounts for only 13% of all initial access vectors, while vulnerability exploitation has risen to 31%. The average time to remediate critical vulnerabilities has increased to 43 days, and the proportion of vulnerabilities fixed from the CISA catalog has dropped to 26%.

To protect against such attacks, experts recommend implementing additional verification measures during MFA resets, restricting OAuth flows in Entra ID, and monitoring token activity. It is also important to reassess security budgets, shifting focus from password theft protection to session and token control.
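The reset-then-register sequence described above can be monitored by correlating identity audit events. The following is an added example, not code from the article or from any vendor: the event tuples, action labels, the 24-hour window and the severity rule are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment

# Constructed sample events: (time, user, action, source IP). The action labels
# are hypothetical, not a real Entra ID audit-log schema; map your own fields.
EVENTS = [
    ("2026-03-01T08:55:00", "a.ivanova", "sign_in", "198.51.100.10"),
    ("2026-03-02T09:14:00", "a.ivanova", "mfa_reset", "198.51.100.77"),
    ("2026-03-02T09:31:00", "a.ivanova", "device_registered", "203.0.113.50"),
    ("2026-03-02T11:00:00", "b.chen", "device_registered", "198.51.100.12"),
    ("2026-03-03T08:00:00", "c.diaz", "sign_in", "198.51.100.30"),
    ("2026-03-03T08:05:00", "c.diaz", "mfa_reset", "198.51.100.77"),
    ("2026-03-03T08:40:00", "c.diaz", "device_registered", "198.51.100.30"),
    ("2026-03-04T08:00:00", "d.okoye", "mfa_reset", "198.51.100.77"),
    ("2026-03-07T10:00:00", "d.okoye", "device_registered", "203.0.113.9"),
]

def find_reset_then_register(events, window=WINDOW):
    """Flag device registrations that follow an MFA reset for the same user
    within `window`; severity is high when the source IP is new for that user."""
    known_ips = defaultdict(set)   # user -> IPs seen on sign-ins outside a reset window
    last_reset = {}                # user -> time of the most recent MFA reset
    alerts = []
    for ts, user, action, ip in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if action == "sign_in":
            reset = last_reset.get(user)
            # Do not learn IPs right after a reset: they may belong to the intruder.
            if reset is None or when - reset > window:
                known_ips[user].add(ip)
        elif action == "mfa_reset":
            last_reset[user] = when
        elif action == "device_registered" and user in last_reset:
            delay = when - last_reset[user]
            if delay <= window:
                alerts.append({
                    "user": user,
                    "minutes_after_reset": int(delay.total_seconds() // 60),
                    "device_ip": ip,
                    "severity": "medium" if ip in known_ips[user] else "high",
                })
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_register(EVENTS):
        print(alert)
```

Each alert is a prompt to confirm the reset with the employee through a separate, already-trusted channel before the newly registered device is allowed to stay enrolled.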
