You Have MFA Turned On. Here’s How Attackers Are Getting Around It Anyway

By Bart Lane, June 15, 2026 / In Cybersecurity

Multi-factor authentication — requiring a second verification step beyond your password — has been one of the most effective security controls of the last decade. Most businesses have rolled it out across their Microsoft 365 or Google Workspace accounts and moved on, confident that stolen passwords alone can no longer open the door. That confidence is now being tested. According to Microsoft, Cisco Talos, and CISA, token theft has become the dominant identity attack of 2026 — and it works even when MFA is fully enabled. 

The technique has become industrialized. Security researchers tracking one active toolkit called Kali365 found it being used to automate thousands of these attacks daily against Microsoft 365 accounts, with minimal technical skill required from the attacker. 

The Attack Explained — Without the Jargon 

When you log into Microsoft 365 or Google Workspace, enter your password, and complete your MFA prompt, your browser receives a small digital credential called a session token. Think of it as a temporary badge that proves you already passed the front-door check. Your browser presents that badge automatically on every page request — which is why you don’t have to keep logging in as you move between apps. 

Attackers have found reliable ways to steal that badge after you’ve already authenticated. With a valid session token in hand, they don’t need your password. They don’t need to beat your MFA. They simply replay the token from their own machine, and every cloud service they connect to sees what looks like a legitimate, already-verified session — yours. 

The most common delivery methods include phishing pages that silently sit between you and the real login page, capturing your session token the moment authentication completes (a technique called Adversary-in-the-Middle, or AiTM), and malware that lifts stored browser cookies directly from an infected device. 

According to researchers, AiTM phishing attacks increased 146% over the past year, with approximately 40,000 incidents detected daily. Token theft accounted for 31% of all Microsoft 365 breaches in 2025 — making it the leading attack vector, ahead of traditional password compromise. 

Why This Matters for Your Business 

Once inside your Microsoft 365 or Google Workspace environment, an attacker with a live session can read and exfiltrate email, access SharePoint or Google Drive files, send messages as you, modify or delete data, and in some cases escalate privileges across connected applications. Because they’re operating through a legitimate, authenticated session, many standard security alerts never fire. 

Smaller organizations are particularly exposed because they often lack the monitoring tools that would flag anomalous session behavior — like a session suddenly originating from an unfamiliar country, or the same account being active in two locations simultaneously. 
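The "same account active in two locations at once" signal mentioned above is one that can be checked with very little tooling. The following is an added example, not code from the original post or from Plow Networks: it runs over a constructed, flattened sign-in log (field names and the session-id layout are assumptions about how an identity-provider export might look) and flags a session id that is presented from a different country than the one it was established in shortly after the MFA-completed sign-in, which is what a replayed token looks like from the defender's side.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in/activity log (not real data). Field names are
# assumptions about how an identity-provider export might be flattened.
# Alice's session S1 is established after MFA from the US, then the same
# session id appears from the Netherlands six minutes later: the
# "same account active in two locations" pattern described above.
SAMPLE_LOG = """\
2026-06-15T09:01:10Z user=alice@example.com session=S1 ip=203.0.113.10 country=US event=signin mfa=true
2026-06-15T09:04:32Z user=alice@example.com session=S1 ip=203.0.113.10 country=US event=mail.read
2026-06-15T09:07:45Z user=alice@example.com session=S1 ip=198.51.100.7 country=NL event=mail.read
2026-06-15T09:08:02Z user=alice@example.com session=S1 ip=198.51.100.7 country=NL event=files.download
2026-06-15T11:30:00Z user=bob@example.com session=S2 ip=203.0.113.22 country=US event=signin mfa=true
2026-06-15T14:00:00Z user=bob@example.com session=S2 ip=203.0.113.22 country=US event=mail.read
"""

def parse(log_text):
    """Turn 'key=value' lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def find_replay_indicators(events, window=timedelta(hours=1)):
    """Alert when one session id is used from a different country than the
    one it was established in, within `window` of the sign-in. A legitimate
    session cannot change countries that fast; a replayed token can."""
    by_session = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = evs[0]  # the MFA-completed sign-in that minted the token
        for ev in evs[1:]:
            if ev["country"] != origin["country"] and ev["ts"] - origin["ts"] <= window:
                alerts.append({
                    "user": ev["user"], "session": sid,
                    "origin": f"{origin['ip']} ({origin['country']})",
                    "replay": f"{ev['ip']} ({ev['country']})",
                    "minutes_after_signin": int((ev["ts"] - origin["ts"]).total_seconds() // 60),
                })
                break  # one alert per session is enough for triage
    return alerts
```

Calling `find_replay_indicators(parse(SAMPLE_LOG))` returns one alert for Alice's session S1 and nothing for Bob, whose session stays in one country; in a real deployment the `country` field would come from geolocating the sign-in log's IP addresses.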

What You Can Do Now 

  • Enable Conditional Access policies in Microsoft 365 or Google Workspace. These policies evaluate risk signals mid-session and can terminate suspicious activity — such as a session that suddenly appears from an unexpected location — automatically. (IT) 
  • Shorten session token lifetimes. The longer a token stays valid, the larger the window for misuse. Work with your IT team to reduce token expiration to the shortest duration that’s workable for your users. (IT) 
  • Audit connected third-party apps. Every application with access to your Microsoft 365 or Google environment represents another potential token exposure point. Review and remove integrations that aren’t actively used. (IT / Operations) 
  • Train employees to recognize AiTM phishing pages. These pages look identical to real login screens but have subtle URL differences. Bookmarking the real login URL and using passkeys where available removes the risk almost entirely. (HR / Operations — communicate to all staff) 

The Bigger Picture 

Tactics like this are why security can’t be a “set it and forget it” effort. MFA is still essential — it stops most credential-based attacks. But as attackers adapt, the controls that protect you need to adapt too. A security advisor working alongside your business can help you stay a step ahead: identifying where your current controls have gaps, prioritizing the ones that close the most risk, and making sure you’re not finding out about a blind spot the hard way. 

Ready to take a closer look at how your identity and access controls stack up? The Plow Networks team is glad to walk through it with you.

About Plow Networks

Plow Networks is a leading IT services provider, connecting businesses to technology since 2012. Our expertise spans designing and managing networks for multi-location companies, provisioning and optimizing Microsoft 365 and Azure subscriptions, and designing cloud-based voice systems for companies with complex business requirements. Plus, we’re dedicated to supporting the devices and users that rely on these critical systems every day.
