VFF - The signal in the noise
News

MFA Resets Become the New Attack Vector in Financial Services

Read original
Share
MFA Resets Become the New Attack Vector in Financial Services

Financial services organizations are being compromised through voice phishing and MFA resets rather than password theft, according to CrowdStrike's 2026 threat report. Mutant Spider, the most active threat group targeting the sector, impersonates IT support over Microsoft Teams to convince employees to reset credentials and MFA, then registers attacker devices on corporate networks. This represents a structural shift in attack methodology that bypasses traditional password-based security controls.

  • Mutant Spider conducted the most successful attacks on financial services in the past 12 months using voice phishing over Microsoft Teams, not password theft
  • The group impersonates IT support, convinces employees to reset MFA, and registers attacker devices to gain persistent network access
  • Credential theft dropped to 13% of breach initial access vectors, while vulnerability exploitation rose to 31%, according to Verizon's 2026 report
  • Financial services faced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier, with ransomware operators naming 423 entities on leak sites

MFA, long considered a gold standard security control, is proving insufficient against sophisticated social engineering attacks that bypass password authentication entirely. Attackers are exploiting the legitimate MFA reset process itself as an attack vector, meaning organizations cannot rely on traditional credential-based defenses. This represents a fundamental shift in how financial institutions must approach access control and employee security training.

Financial services organizations must reassess their security architecture beyond MFA implementation. The attacks documented are low-cost, high-success operations that don't require zero-day exploits or advanced technical skills, making them economically attractive to both e-crime and state-sponsored actors. Organizations need to implement additional controls around credential reset processes, device registration, and token management to close these gaps.

  • MFA reset processes require additional authentication layers and approval workflows to prevent social engineering attacks
  • Device registration and token grant mechanisms need monitoring and restrictions independent of MFA status
  • Voice phishing over internal communication platforms like Microsoft Teams is now a primary attack vector requiring specific employee training and technical controls
  • OAuth token theft through legitimate authentication flows bypasses MFA entirely and grants persistent access without additional prompts

Monitor for increases in voice phishing attempts targeting IT support functions and credential reset requests. Track adoption of conditional access policies that restrict device registration and token grants based on risk signals. Watch for emerging phishing-as-a-service platforms like Kali365 that specifically target OAuth token capture through legitimate authentication flows.

Share

Subscribe to the newsletter

The latest stories and analysis, delivered to your inbox.

Free. No spam. Unsubscribe any time.

Related stories

Meta's Muse Image Uses Public Instagram Photos Without Consent

Meta's Muse Image Uses Public Instagram Photos Without Consent

Meta's Muse Image tool allows users to generate AI images by tagging public Instagram accounts, effectively using those accounts' photos as training material without explicit consent. Any Instagram user with a public profile can have their images incorporated into AI-generated creations by other users. The feature raises questions about image rights, consent, and Meta's approach to AI training data sourcing.

by Lauren Forristal· TechCrunch AI
Times accuses OpenAI of hiding evidence in copyright lawsuit

Times accuses OpenAI of hiding evidence in copyright lawsuit

The New York Times and other news publishers have filed a motion for sanctions against OpenAI, alleging the company concealed tools and datasets that could identify copyrighted journalism in ChatGPT outputs during their ongoing copyright lawsuit. The motion escalates the legal dispute by suggesting OpenAI withheld evidence relevant to the case. The publishers claim this hidden information is material to determining whether ChatGPT was trained on their copyrighted content and whether the model can be traced back to specific news sources.

by Rebecca Bellan· TechCrunch AI
69% of Enterprises Deploy AI Agents With Shared Credentials

69% of Enterprises Deploy AI Agents With Shared Credentials

VentureBeat research of 107 enterprises found that 69% run AI agents with shared API keys, a critical security gap where a single compromised agent gains access to all permissions tied to that credential. The finding has triggered a $22 billion acquisition spree by Palo Alto Networks, CrowdStrike, and Cisco targeting non-human identity management. Only 32% of enterprises give each AI agent its own scoped identity, leaving the majority exposed to lateral movement and forensic blind spots.

by louiswcolumbus@gmail.com (Louis Columbus)· VentureBeat AI
Bernanke Joins Anthropic's Governance Trust

Bernanke Joins Anthropic's Governance Trust

Anthropic's Long-Term Benefit Trust appointed former Federal Reserve Chair Ben Bernanke as its fourth member on Thursday. The trust is responsible for appointing board members for the AI safety company. Bernanke's appointment fills a key opening, though the trust still has one vacant seat of its five total positions.

by Cory Weinberg· The Information