Scoopfeeds — Intelligent news, curated.
The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.
ai

The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

VentureBeat AI · May 26, 2026, 7:34 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

The attacker who hit the most financial services organizations over the past 12 months never phished a password. They called an IT support line, convinced an employee to reset their MFA, and registered their own device on the network.Crowd Strike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and multifactor authentication, then registered their own devices on corporate networks. The security control worked exactly as designed — and that was the problem.Within days, the FBI published a public service announcement warning about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali365 captures Microsoft 365 OAuth tokens through the legitimate device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The token grants persistent access to Outlook, Teams, and OneDrive without triggering another MFA prompt.The Verizon 2026 Data Breach Investigations Report, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors. Vulnerability exploitation took the top position at 31%, displacing what Verizon called the longtime leading initial-access category. That's three independent sources, same structural finding. MFA protects password-based authentication, but the attacks dominating financial services increasingly bypass password theft through resets, token grants, and exploitation. The MFA Bypass Exposure Audit Grid at the end of this article maps all five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA misses on each one, and the specific fix for Monday morning.The CrowdStrike numbers paint a sector

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

More in ai

TechCrunch AI
DuckDuckGo installs are up 30% as users reject being ‘force-fed’ Google’s AI Search
VentureBeat AI
DeepSWE blows up the AI coding leaderboard, crowns GPT-5.5, and finds Claude Opus exploiting a benchmark loophole
Wired
Why the Vatican Invited Anthropic to the Pope’s AI Encyclical Presentation
Wired
The Best Movies to Stream This Month (May 2026)
Wired
What Pope Leo XIV’s First Encyclical Says About the Power of AI

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop