Your MFA Is Being Bypassed Right Now: The 146% Surge in Attacks Nobody's Talking About
You've got MFA turned on. Text codes, authenticator app, the lot. You've told your board you're protected. You've ticked the compliance box. You sleep soundly at night knowing that 99% of automated attacks bounce right off your defences.
Now picture this: your finance director gets an email from a colleague. Looks completely legitimate. She clicks the link, signs in with her password, approves the MFA request on her phone like she always does, and boom, she's in. Except she's just handed an attacker everything they need to waltz into your Microsoft 365 environment. Full access. No more MFA prompts needed.
Welcome to 2026, where adversary-in-the-middle attacks have surged 146% in the past year according to Microsoft's Digital Defense Report. That's not a typo. Nearly 40,000 incidents detected daily. And your traditional MFA? It's doing precisely nothing to stop them.
The Problem Everyone's Ignoring
This week on The Small Business Cyber Security Guy podcast, we sat down to discuss something that honestly makes us a bit nervous. We've spent years telling you to turn on MFA, and rightly so. It blocks over 99% of automated account attacks. But attackers aren't stupid. When you lock the front door, they start looking for windows. And they found a bloody big one.
Listen to the full episode: [Link to podcast]
Adversary-in-the-middle attacks bypass MFA by stealing your session token after you've already logged in. The lock works perfectly. They just follow you through the door after you've unlocked it. And before you panic, we're not saying don't use MFA. You absolutely should. But we need to talk about upgrading to phishing-resistant MFA.
How Session Tokens Become Single-Factor Authentication
Here's what nobody tells you about how web authentication actually works. When you sign in to Microsoft 365 with your password and MFA, Microsoft checks your credentials, sees you've completed MFA, and issues something called a session token. Think of it like a visitor's badge that proves you've already been verified.
That token typically lasts for hours, sometimes days, depending on your settings. And here's the problem: that token is a bearer credential, which makes it single-factor authentication. Whoever presents it is treated as you. Steal it and you're in. No password needed. No MFA needed. Just the token.
This isn't a vulnerability in MFA itself. It's just how web authentication works. You can't ask people to re-authenticate every single action. They'd go mental.
The Attack Kill Chain
Attackers set up a fake login page. Not a clone, mind you. A transparent proxy that sits between you and the real Microsoft login page. When you type your credentials, it passes them through to the real site. When Microsoft asks for MFA, it passes that through too.
You see the real Microsoft login page. You approve the real MFA request. Everything looks legitimate. Because technically, it is. The attacker isn't trying to fool Microsoft. They're watching you prove who you are, then stealing the session token Microsoft gives you as proof.
From Microsoft's perspective, you logged in successfully. From your perspective, you logged in successfully. The attacker just copied your visitor's badge.
According to Sekoia.io's research from early 2025, eleven major AITM phishing kits are currently circulating. These aren't nation-state tools requiring advanced technical skills. These are commercial Phishing-as-a-Service platforms that any criminal can rent for a few hundred quid per month. Tycoon 2FA. EvilProxy. Mamba. These kits democratise advanced attacks, making them accessible to criminals with minimal technical expertise.
The UK Business Reality
84% of compromised accounts observed by Obsidian Security had MFA enabled. Let that sink in. Four out of five accounts that got breached were supposedly protected by multi-factor authentication. The attack bypassed it anyway.
For UK SMBs, this represents a fundamental shift in threat landscape. You've spent time and money implementing MFA. You've trained your staff. You've achieved Cyber Essentials certification. And now you're learning that determined attackers can bypass it all with commodity phishing tools.
The financial services sector, professional services firms, and any business handling sensitive client data face particular risk. Once an attacker has your session token, they don't just get access to your email. They get everything that account can touch. Client files. Financial systems. HR data. Business intelligence.
Why This Matters for Directors
Under the Companies Act 2006, directors have a statutory duty to exercise reasonable care, skill, and diligence. Cybersecurity isn't an IT problem anymore. It's a governance problem. When your organisation suffers a breach because you're still relying on authentication methods that criminals bypass routinely, regulators and courts start asking uncomfortable questions about whether you exercised that reasonable care.
The ICO has made clear that appropriate technical measures aren't optional. They're required under UK GDPR. And "appropriate" is a moving target. What was appropriate in 2020 isn't appropriate in 2026. Not when attack techniques have evolved this dramatically.
Moving Beyond Traditional MFA
The solution isn't abandoning MFA. That would be catastrophically stupid. The solution is upgrading to phishing-resistant MFA that can't be bypassed even in an AITM attack.
Three options stand out:
Passkeys: Built on FIDO2 standards, passkeys use public-key cryptography to prove you control a device. The private key never leaves your device, so there's nothing for attackers to steal in transit. Works with Windows Hello, Face ID, Touch ID, or hardware security keys.
Hardware tokens: Physical security keys that plug into USB or use NFC. These require physical possession of the device and can't be phished. YubiKey and similar devices cost £30-50 per user. One-time purchase.
Windows Hello for Business: If you're already on Windows, you've already paid for phishing-resistant authentication. Uses biometrics or PIN tied to the device's TPM chip. Cannot be proxied through an AITM attack.
Some of this is free. Some costs money. All of it is cheaper than dealing with a breach.
What Phishing-Resistant Actually Means
Traditional MFA can be intercepted because it relies on secrets that get transmitted during authentication. Your authenticator code is a secret. Your SMS code is a secret. These secrets pass through networks, which means attackers can position themselves to intercept them.
Phishing-resistant MFA doesn't transmit secrets. Instead, it uses a cryptographic challenge-response protocol: the private key stays on your device, the device signs the service's one-time challenge, and only that proof of possession gets transmitted. Crucially, the signed proof is bound to the web address your browser is really talking to, so a proxy sitting on a look-alike domain only ever receives a signature the genuine site will reject. There's nothing to intercept and nothing to replay. The session token Microsoft issues is still vulnerable if stolen, but the attacker never gets that far, because the sign-in cannot be completed through their proxy.
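As an added illustration (not code from the episode or this post), here is a simplified model in Go of the FIDO2/WebAuthn exchange behind the kill chain and the explanation above: the browser writes the origin it is actually connected to into the data the device signs, so a proxy on a phishing domain obtains a signature bound to that domain, and the genuine service rejects it. The origins, the nonce and the message layout are assumptions; real WebAuthn also signs authenticator data and uses a binary encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is a simplified WebAuthn sign-in response: the client data the browser wrote
// plus the device's signature over its hash (real WebAuthn also signs authenticator data).
type Assertion struct{ ClientData, Sig []byte }
// Authenticator models the user's device: the private key is generated here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// Assert is the browser-plus-device side. The browser, not the page it shows, records the origin
// it is really connected to, so a proxy on a phishing domain only obtains a signature bound to that domain.
func (a *Authenticator) Assert(origin string, challenge []byte) Assertion {
	cd, _ := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": fmt.Sprintf("%x", challenge), "origin": origin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return Assertion{ClientData: cd, Sig: sig}
}

// Verify is the relying party side: it checks the signed origin and challenge against its own
// expectations, so a relayed assertion fails on origin and a rewritten one fails on signature.
func Verify(pub *ecdsa.PublicKey, rpOrigin string, challenge []byte, as Assertion) error {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != fmt.Sprintf("%x", challenge) {
		return fmt.Errorf("challenge mismatch: not the nonce issued for this sign-in")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rpOrigin)
	}
	if h := sha256.Sum256(as.ClientData); !ecdsa.VerifyASN1(pub, h[:], as.Sig) {
		return fmt.Errorf("bad signature: client data was altered after signing")
	}
	return nil
}
```

Contrast this with a TOTP or SMS code, which carries no origin at all and verifies identically whichever site it was typed into.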
The Compliance Angle
Cyber Essentials Plus now explicitly recommends phishing-resistant authentication for privileged accounts. That's not accidental. NCSC guidance increasingly emphasises that traditional MFA isn't sufficient for high-value accounts anymore.
If you're holding client data under contract, your cyber insurance policy likely requires "effective" multi-factor authentication. When the next renewal comes around, expect insurers to start asking specific questions about whether your MFA can be bypassed via AITM attacks. "We've got MFA enabled" won't be sufficient anymore.
How to Turn This Into a Competitive Advantage
While your competitors are scrambling to respond after they get breached, you can position your firm as one that actually understands modern threats. When pitching for new clients, especially in regulated sectors, being able to demonstrate phishing-resistant authentication isn't just a technical detail. It's proof that your security posture has kept pace with the threat landscape.
Professional services firms can use this knowledge when reviewing client security. Legal firms handling sensitive M&A data. Accountants managing payroll credentials. MSPs protecting client environments. Understanding AITM attacks and implementing protections puts you ahead of 90% of the market.
What This Means for Your Business
Here's your Monday morning action list:
Audit your privileged accounts: Directors, finance staff, IT administrators. These need phishing-resistant MFA immediately. Don't wait. These accounts are the crown jewels attackers target first.
Test Windows Hello for Business: If you're on Windows 10 or 11 with Azure AD (Entra ID), you can deploy this today. No additional cost. Test with a small group first, iron out any issues, then roll out to privileged users.
Review your conditional access policies: Are you blocking legacy authentication? Are you requiring MFA for all admin actions? Are you monitoring for suspicious sign-in patterns? If not, these policies take 30 minutes to configure and immediately reduce your attack surface.
Budget for hardware tokens: Not everyone needs them, but having a supply of YubiKeys or similar tokens for key staff provides a last line of defence. Budget £30-50 per user for those who need them.
Update your incident response plan: If someone in your organisation gets targeted by an AITM attack tomorrow, what's your response procedure? Who gets notified? How do you revoke access? If you don't know, you're not ready.
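An added example, not part of the original post, of the sign-in pattern the third action item asks you to monitor for: a session token that was issued after MFA from one network and is then presented from a different one with no fresh MFA challenge. The record layout, field names and sign-in events are constructed for the example (an assumed schema, not any vendor's actual log format), written in Go.

```go
package main

import (
	"sort"
	"time"
)
// SignIn is a constructed, simplified sign-in record (an assumed schema, not any vendor's log
// format). SessionID identifies the token, not the request; MFA is true only when this request
// itself completed an MFA challenge rather than riding on an existing token.
type SignIn struct {
	Time                         time.Time
	User, SessionID, IP, Country string
	MFA                          bool
}
// Alert is one session token presented from a second network without fresh MFA.
type Alert struct {
	User, SessionID, IssuedFrom, ReusedFrom, ReusedCountry string
	Gap                                                    time.Duration
}
// FindSessionReuse flags a token that was issued after MFA from one IP and later
// presented from a different IP, without MFA, within window. No MFA prompt fires
// because the token is genuine; only the network it arrives from has changed.
func FindSessionReuse(events []SignIn, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	issued := map[string]SignIn{} // session id -> the MFA sign-in that created it
	var alerts []Alert
	for _, e := range events {
		src, ok := issued[e.SessionID]
		if !ok {
			if e.MFA {
				issued[e.SessionID] = e
			}
			continue
		}
		if e.IP != src.IP && !e.MFA && e.Time.Sub(src.Time) <= window {
			alerts = append(alerts, Alert{src.User, e.SessionID, src.IP, e.IP, e.Country, e.Time.Sub(src.Time)})
		}
	}
	return alerts
}
// SampleEvents is constructed data: a genuine UK sign-in whose token turns up
// minutes later from an unrelated IP abroad, and a user who merely refreshed.
func SampleEvents() []SignIn {
	t := time.Date(2026, 1, 12, 9, 0, 0, 0, time.UTC)
	return []SignIn{
		{t, "fd@example.co.uk", "sess-A1", "203.0.113.10", "GB", true},
		{t.Add(1 * time.Minute), "ops@example.co.uk", "sess-B2", "203.0.113.22", "GB", true},
		{t.Add(4 * time.Minute), "fd@example.co.uk", "sess-A1", "198.51.100.77", "NL", false},
		{t.Add(50 * time.Minute), "ops@example.co.uk", "sess-B2", "203.0.113.22", "GB", false},
	}
}
```

Mobile users changing networks will trip this too, so treat an alert as a trigger to revoke the session and re-verify the user rather than as proof of compromise.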
The Reality Check
MFA remains essential. Every business should have it enabled. But traditional MFA isn't the end of your authentication journey anymore. It's the middle. The threats have evolved. Your defences need to evolve too.
Phishing-resistant MFA isn't bleeding-edge technology requiring massive investment. It's mature, proven technology that's either already included in what you're paying for or available for modest cost. The barriers to adoption are mostly organisational, not technical.
Start with your highest-risk users. Prove it works. Expand gradually. This is achievable for businesses of any size. The question isn't whether you can afford to upgrade. It's whether you can afford not to.
Listen to the Full Discussion
This blog post expands on our podcast episode discussing AITM attacks, session token theft, and practical implementation strategies for phishing-resistant MFA. Graham Falkner and Mauven MacLeod break down the technical details in accessible language, with specific recommendations for UK SMBs.
Next week on the podcast: We're launching something massive that builds on our risk registers episode from a few weeks ago. Episode one of a comprehensive incident response planning course designed specifically for small businesses without dedicated IT teams. Five 45-minute episodes spread across the next two months, giving you a complete framework based on NCSC best practice. See you Monday, 13 January.
| Source | Article |
|---|---|
| Microsoft | Microsoft Digital Defense Report 2024 |
| Sekoia.io | Adversary-in-the-Middle Phishing Attacks Surge Globally in 2025 |
| Obsidian Security | What Are Adversary-in-the-Middle (AiTM) Attacks? |
| Proofpoint | Evolving Threat: Microsoft AiTM Phishing Attacks |
| Invictus IR | Responding to Adversary in the Middle Attacks |
| Barracuda Networks | Beyond MITM: The Rising Danger of Adversary-in-the-Middle Attacks |
| Darktrace | Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace |
| FRSecure | Token Theft Attacks & MFA Defeat: 2025 State of Infosec |