MFA-reset and token-theft attacks replace traditional password theft in financial services breaches

The financial services sector is facing a new generation of attacks. Criminals no longer bother to steal passwords; they go straight to resetting MFA and taking over the authentication process itself. Groups like Mutant Spider, identified in CrowdStrike's 2026 Financial Services Threat Landscape Report as the most active adversary in the sector, have refined these methods. Their operation doesn't rely on complex exploits. They use clear communication, impersonation, and timing to convince IT staff to reset an employee's MFA credentials. Once that happens, the attacker can register their own device and move inside the network without resistance.

The real shift here is psychological. The system is functioning as designed, but it's being manipulated through trust. Attackers are exploiting the human factor: help desk staff working under pressure, following procedures that were meant for legitimate requests. This is why MFA alone, even when well-implemented, can't guarantee security; its strength depends on the integrity and validation of the reset process.

For leaders, this means strengthening human and procedural layers. Out-of-band verification, a method to confirm identity through a separate, independent channel, must become standard for MFA resets. It's about making sure every reset is verified beyond a single point of contact. This is where technology and disciplined process design meet to close a dangerous gap that attackers are currently exploiting.

CrowdStrike's data covering April 2025 through March 2026 makes the case clear: the primary entry point into financial firms over the past year wasn't a stolen password, it was a manipulated call to IT support. These attacks show that the weakest link is no longer the user's password but the support process itself.

Credential theft declines while vulnerability exploitation and MFA bypass techniques surge

The 2026 Verizon Data Breach Investigations Report shows a clear trend. Credential theft, the long-time leader in breach access, dropped sharply to 13% of initial access vectors. Meanwhile, vulnerability exploitation jumped to 31%. Companies have perfected their password defenses just as attackers have learned to ignore them.

The message is simple: today's attackers are faster, smarter, and more adaptive. They're no longer limited by passwords or front-end login pages. Instead, they're exploiting weaknesses in system design and unpatched software, or bypassing MFA controls by capturing valid authentication tokens. The advantage lies with those who move faster: attackers exploit vulnerabilities within days of disclosure, while defenders still manage patch cycles measured in weeks.

Executives must understand that this is a speed problem. It's a gap between how quickly attackers can move and how slowly most organizations can respond. Closing that gap requires automation, faster patch management, and better visibility into authentication flows. Traditional login-centric defenses aren't obsolete, but they can no longer carry the defense on their own.

The difference comes down to resource allocation. If a defense budget still revolves around password protection and static MFA tools, it's chasing a threat that's already been overtaken. The reality is clear from the data: within the financial sector, the most dangerous attacks aren't stealing credentials, they're exploiting vulnerabilities or bypassing MFA entirely. Organizations that adapt their defensive focus now will define the next standard of resilience.


Financial services remain under elevated and rapidly evolving attack pressure

Financial institutions are facing sustained and escalating pressure from both cybercriminals and state-backed actors. The 2026 CrowdStrike report revealed that by the first quarter of the year, financial services accounted for 12% of all global adversary activity. That's a significant increase, with hands-on-keyboard intrusions up 43% globally and 48% in North America compared to two years prior. These numbers reflect the intensity and persistence of financially motivated intrusions targeting this industry.

The e-crime ecosystem is growing more aggressive and more organized. Groups such as Revenant Spider, which operates the Qilin ransomware-as-a-service model, expanded their list of financial sector victims sharply, from 14 to 97 cases in a single reporting year. Scattered Spider returned to targeting insurance and financial institutions in mid-2025, relying again on social engineering tactics that involve impersonating IT support and requesting account resets. These methods are simple and low-cost, yet they deliver sustained success because they exploit operational processes.

At the same time, state-sponsored groups have become more aggressive. Adversaries linked to North Korea stole $2.02 billion in digital assets in 2025 alone, a 51% increase year over year. Pressure Chollima was responsible for the largest single cryptocurrency theft ever recorded, compromising Safe and stealing $1.46 billion through a trojanized Python project used by its developers. Chinese-linked operations, including Hollow Panda and Vault Panda, compromised VPN and firewall devices to infiltrate financial institutions across Asia and other continents.

The takeaway for executives is that the threat is multi-dimensional. Financial institutions must assume they are being targeted both for profit and for geopolitical influence. The balance between agility and protection is critical; security programs must evolve at the same pace as the attackers.

Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, summarized the change clearly when he said, "Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password?'" His point highlights a structural issue: social engineering has replaced complex exploits as the most efficient entry path. Organizations that fail to integrate identity security, behavioral detection, and process verification into their daily operations will remain vulnerable.

Phishing-as-a-Service platforms like Kali365 scale MFA bypass capabilities

The appearance of platforms like Kali365 has industrialized MFA-bypass attacks. The FBI's May 21, 2026 public service announcement confirmed its operation, describing it as a subscription-based phishing-as-a-service system sold on Telegram. Pricing starts at $250 per month and can reach $2,000 per year. It includes AI-generated phishing content, multilingual templates, and a live campaign tracking dashboard. What makes Kali365 particularly dangerous is its exploitation of Microsoft's OAuth 2.0 device authorization flow, a legitimate feature created for non-interactive devices such as conference systems and smart screens.

Attackers send well-crafted phishing emails that mimic trusted services (Adobe Acrobat Sign, DocuSign, SharePoint) and prompt users to authenticate on an official Microsoft page using a device code. The user completes the authentication correctly, including MFA, but the generated token goes to the attacker. This token provides long-term authenticated access to accounts and data without triggering an additional MFA check. The system isn't being hacked; it's being misused exactly as intended, due to permissive configurations and insufficient oversight.

Arctic Wolf's April 2026 technical analysis revealed how well-structured this operation is, with a three-tier model separating developers, resellers, and paying affiliates. This organization ensures scalability and resilience across regions and languages, giving attackers instant access to enterprise-grade infrastructure for bypassing MFA.

For executives, this development represents a strategic inflection point. MFA, once considered a reliable defense, now needs stronger governance. Default configurations in identity management tools, such as Microsoft Entra ID, often allow the device code flow without proper restrictions. Most organizations have never verified whether any genuine workflow requires that capability. The result is an open invitation for misuse. Decision-makers must ensure that security teams audit, restrict, or disable non-interactive authentication paths unless explicitly necessary.

These phishing-as-a-service offerings reduce the skill needed to execute advanced attacks. Even inexperienced actors can now harvest tokens with minimal effort, implying that the next wave of cybersecurity breaches will not be driven by technical sophistication but by operational convenience. The companies that take control of their authentication flows and tighten conditional access policies will stand apart. This is no longer a theoretical problem; it is an immediate operational risk, scaled through automation and subscription-based delivery.

Persistent token abuse evades traditional monitoring systems

Modern attackers are learning that persistence matters more than penetration. Once they acquire authentication tokens, either through social engineering or compromised authorization flows, they gain durable, often undetectable access to critical systems. Tokens act as digital keys, granting access without requiring repeated verification. Traditional security monitoring tools focus on password theft and credential misuse. They rarely track abnormal token activity, which leaves a significant gap in visibility.

CrowdStrike and FBI findings highlight this challenge clearly. Valid tokens can remain active for weeks or even months depending on the organization's configuration. When these tokens are used, they often appear legitimate in logs, making them invisible to standard detection systems. Because most tokens are bearer artifacts, objects proving access without verifying the holder, anyone possessing them has effective control over the session.

Executives need to recognize that this form of infiltration transforms the concept of network access. It's not a breach followed by recovery; it's silent occupancy. Attackers maintain presence in Outlook, Teams, or OneDrive, performing data exfiltration, reconnaissance, or lateral movement without raising alarms. The consequence is not immediate disruption but long-term loss of confidentiality and trust.

To address this, organizations must adopt continuous identity monitoring and implement strict token lifetime policies. Every issued token should have limited validity, and usage patterns should be analyzed for anomalies, such as unusual refresh behavior or logins from unexpected regions or devices. Security leaders should ensure their teams are equipped to monitor OAuth token flows as actively as they monitor user logins. The focus must shift from entry prevention to session validation, where every ongoing connection is continuously verified.

The principle is straightforward: attackers can't be stopped from trying, but they can be discovered by reducing their ability to remain undetected. Persistent access must become traceable through analytics, reinforced logging, and automated revocation mechanisms that deactivate compromised tokens in real time. That's how security adapts to an environment where identity is the frontline.

Outdated security spending priorities demand a shift toward identity-based and runtime defenses

The majority of cybersecurity budgets are still organized around defending against the threats of five years ago. Investments remain concentrated in MFA tools and password management, even as the dominant attack vectors have moved on. The 2026 Verizon Data Breach Investigations Report puts credential theft at only 13% of breaches, well behind vulnerability exploitation and token compromise. This means substantial portions of security funding are being directed toward what has become a secondary threat channel.

The executive challenge here is strategic alignment. It's no longer about buying more layers of authentication; it's about directing resources toward the parts of the environment that attackers are actively exploiting. Identity verification tied to real-world user actions, continuous session inspection, and behavioral analytics are now essential layers of defense. MFA still matters, but it needs to evolve from a static checkpoint to a dynamic validation process that tracks interactions throughout the entire session lifecycle.

Mike Riemer, Senior Vice President and Field CISO at Ivanti, explained the urgency clearly: "Threat actors are reverse engineering patches, and the speed at which they're doing it has been enhanced greatly by AI." Riemer pointed out that attackers can now reverse-engineer patches within 72 hours, a rate that surpasses most enterprise patch management schedules. This demonstrates how the industry's response time has failed to keep pace with adversaries' capabilities.

CrowdStrike's CTO, Elia Zaitsev, added another layer to the problem, emphasizing that "traditional approaches are just not designed for this sort of behavior." Defenses built around fixed points of authentication or periodic patching cannot keep up with threats that evolve dynamically and operate within trusted identity frameworks.

Executives should take these warnings as direction, not merely observation. The next phase of security investment should move toward runtime protection, validating identity continuously, monitoring session activity in real time, and integrating AI-driven insights into threat detection. This requires rebalancing budgets away from legacy MFA infrastructure toward tools that operate within live authentication environments.

The demand is not for more tools but smarter ones, systems that understand user behavior, token lifecycles, and data movement rather than just password correctness. Financial institutions that make this shift will not only close today's attack paths but also build the foundation for adaptive defenses capable of meeting tomorrow's speed and complexity.

Structural redesign, rethinking MFA scope and aligning defenses with evolving attacker methods

The next step for financial institutions isn't to add more MFA layers; it's to redefine what MFA actually defends. The major reports from CrowdStrike, the FBI, and Verizon all point to a single conclusion: MFA in its current form protects authentication but not identity trust. Attackers no longer need to break through login screens when they can reset MFA, steal tokens, or exploit features that behave exactly as intended. The problem isn't that MFA is broken; it's that it stops working where attackers now operate, beyond the first validation step.

Executives must rethink identity security as a living process that extends far past login verification. Traditional MFA stops at confirmation; modern identity defense must start there. Out-of-band verification for all MFA resets should become standard policy, ensuring that no single communication channel can authorize access changes. Organizations should also review their use of OAuth device code flows, particularly within Microsoft Entra ID, and restrict or disable them if they are not essential to business operations. Each misconfiguration removed shortens the window of opportunity for attackers.

Auditing post-login activity across SaaS and API layers is another critical step. Many attacks look legitimate at the login phase but become visible only in how tokens and sessions behave afterward. For example, unusual Graph API requests or bulk data movements following an MFA reset signal potential compromise. Detection systems must evolve to recognize such behavior automatically rather than relying on reactive investigations.
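As an added example that is not from the reports or the author, the correlation logic this paragraph and the token-monitoring section above call for, run over a constructed event list: flag device-code sign-ins by apps with no legitimate need, and flag a new MFA method, a sign-in from a country outside the user's pre-reset baseline, or a bulk download that follows a help-desk MFA reset. The event fields, the 24-hour window, the bulk threshold and the allowlist are assumptions, not the Entra ID log schema or any vendor's detection rule.

```python
from datetime import datetime, timedelta

# Assumed tuning values (not taken from any of the cited reports):
RESET_WINDOW = timedelta(hours=24)                   # look-back after a help-desk MFA reset
BULK_THRESHOLD = 200                                 # files per batch that counts as bulk
DEVICE_CODE_ALLOWLIST = {"conference-room-display"}  # apps with a genuine device-code need


def triage(events):
    """Return [(user, reason)] findings over a list of constructed identity events.

    Rules, derived from the attack paths described in the text:
      1. Any device-code sign-in by an app not on the allowlist.
      2. Within RESET_WINDOW after an MFA reset for a user: a new MFA method
         registered, a sign-in from a country not in that user's pre-reset
         baseline, or a bulk download above BULK_THRESHOLD.
    """
    findings = []
    reset_at = {}    # user -> time of most recent MFA reset
    baseline = {}    # user -> countries seen outside any reset window
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, t = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mfa_reset":
            reset_at[user] = t
            continue
        since_reset = (t - reset_at[user]) if user in reset_at else None
        in_window = since_reset is not None and since_reset <= RESET_WINDOW
        if ev["type"] == "signin":
            if ev.get("protocol") == "deviceCode" and ev["app"] not in DEVICE_CODE_ALLOWLIST:
                findings.append((user, f"device-code sign-in to {ev['app']}"))
            seen = baseline.setdefault(user, set())
            if in_window and seen and ev["country"] not in seen:
                findings.append((user, f"sign-in from {ev['country']} not in pre-reset baseline"))
            elif not in_window:
                seen.add(ev["country"])      # only unaffected activity builds the baseline
        elif ev["type"] == "mfa_method_added" and in_window:
            mins = int(since_reset.total_seconds() // 60)
            findings.append((user, f"new MFA method {ev['method']} registered {mins} min after reset"))
        elif ev["type"] == "bulk_download" and in_window and ev["files"] > BULK_THRESHOLD:
            findings.append((user, f"bulk download of {ev['files']} files within reset window"))
    return findings


EVENTS = [  # constructed sample telemetry, not real log data
    {"ts": "2026-04-30T08:00:00", "user": "carol", "type": "signin", "protocol": "password", "app": "Outlook", "country": "US"},
    {"ts": "2026-05-01T08:00:00", "user": "alice", "type": "signin", "protocol": "password", "app": "Outlook", "country": "US"},
    {"ts": "2026-05-01T09:00:00", "user": "bob", "type": "signin", "protocol": "deviceCode", "app": "unknown-client", "country": "US"},
    {"ts": "2026-05-01T09:30:00", "user": "lobby", "type": "signin", "protocol": "deviceCode", "app": "conference-room-display", "country": "US"},
    {"ts": "2026-05-02T10:00:00", "user": "alice", "type": "mfa_reset"},
    {"ts": "2026-05-02T10:05:00", "user": "alice", "type": "mfa_method_added", "method": "authenticator"},
    {"ts": "2026-05-02T11:00:00", "user": "alice", "type": "signin", "protocol": "password", "app": "Outlook", "country": "NL"},
    {"ts": "2026-05-02T12:00:00", "user": "alice", "type": "bulk_download", "files": 1200},
    {"ts": "2026-05-03T08:00:00", "user": "carol", "type": "mfa_reset"},          # benign reset, same country afterwards
    {"ts": "2026-05-03T09:00:00", "user": "carol", "type": "signin", "protocol": "password", "app": "Teams", "country": "US"},
    {"ts": "2026-05-05T09:00:00", "user": "alice", "type": "signin", "protocol": "password", "app": "Outlook", "country": "NL"},
]

if __name__ == "__main__":
    for user, reason in triage(EVENTS):
        print(f"{user}: {reason}")
```

Carol's reset produces no finding because her post-reset sign-in matches her baseline, and the allowlisted meeting-room display is not flagged; only the device-code sign-in by an unexpected client and the three post-reset anomalies for alice surface.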

The MFA Bypass Exposure Audit Grid, which combines findings from CrowdStrike, the FBI, and Verizon, provides a practical framework for this shift. It identifies five confirmed attack paths and details what MFA currently misses on each one. Security leaders should use it as a model for assessment and prioritization. The audit exposes the precise weaknesses that organizations can begin addressing immediately: social engineering resets, OAuth device flows, prolonged token lifetimes, post-access SaaS exploitation, and misaligned budgets.

CrowdStrike's CTO, Elia Zaitsev, summarized the problem in clear terms: "People are forgetting about runtime security." His statement reflects a broader reality: most defense architectures stop protecting once users are authenticated. For leadership teams, this calls for a structural redesign of access governance and session oversight. Runtime security should no longer be treated as an advanced feature but as a core operational requirement.

The goal is operational resilience, not reactive compliance. Threat actors have already shifted their methods; defenses must follow. That means redesigning identity frameworks to operate continuously, strengthening verification beyond support desks, and integrating real-time risk detection into authentication systems. Financial institutions that adapt to this model will not only defend against today's MFA bypass attacks but will also lay the groundwork for security systems capable of evolutionary response, systems that learn and adjust as quickly as the threats themselves.

Concluding thoughts

What's happening across financial services isn't just another wave of cyberattacks; it's a structural shift in how identity is targeted and exploited. The old assumptions no longer hold. MFA is performing exactly as designed but failing where trust and verification intersect. Attackers are not breaking the technology; they're breaking the logic of the process.

For executives, the path forward is about awareness and alignment. Security strategies need to evolve from static defenses toward continuous validation. That means treating every authentication, every token, and every session as a live event, not a finished step. The goal is not to add more layers but to refine the ones that already exist until they can adapt in real time to the speed and sophistication of modern threats.

Budgets also need to reflect the new reality. Investment should follow risk, not tradition. Allocating funds toward runtime identity protection, out-of-band MFA validation, and active token monitoring delivers measurable resilience. These aren't incremental upgrades; they're structural corrections that bring defenses in sync with the present-day threat model.

What defines leadership in this environment is speed of adaptation. The attackers already understand identity as the ultimate perimeter. The organizations that learn to protect it the same way (flexible, fast, and data-informed) will secure both their systems and their future.

Alexander Procter

May 28, 2026
