The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

Published: May 26, 2026 at 03:34 PM EDT
9 min read

Source: VentureBeat

Financial Services Threat Landscape – 2026

The attacker who hit the most financial‑services organisations over the past 12 months never phished a password. They called an IT‑support line, convinced an employee to reset their MFA, and registered their own device on the network.


1. Key Findings

  • CrowdStrike 2026 Financial Services Threat Landscape Report
    • Timeframe: Apr 2025 – Mar 2026
    • Primary threat: Mutant Spider (aka REVENANT SPIDER)
    • Primary technique: Voice‑phishing (vishing) over Microsoft Teams → IT‑support impersonation → MFA reset → device registration
  • FBI Public Service Announcement
    • Timeframe: May 2026
    • Primary threat: Kali365 (phishing‑as‑a‑service)
    • Primary technique: OAuth token theft via the Microsoft 365 device‑code flow; the MFA prompt fires on the victim’s device, not the attacker’s
  • Verizon 2026 Data Breach Investigations Report
    • Timeframe: 2025 data
    • Primary threat: Overall industry trend
    • Primary technique: Credential theft down to 13 % of initial‑access vectors; vulnerability exploitation up to 31 % (top vector)

“Who needs a zero‑day if all you have to do is call the help desk and say, ‘I forgot my password’?” – Adam Meyers, SVP, Counter‑Adversary Operations, CrowdStrike


2. Threat Actor Spotlight

2.1 Mutant Spider (aka REVENANT SPIDER)

  • Primary vector: Voice‑phishing (vishing) on Microsoft Teams.
  • Tactics:
    1. Impersonate internal IT support.
    2. Convince employees to reset credentials and MFA.
    3. Register attacker‑controlled device on the corporate network.
    4. Deploy custom post‑access tools (e.g., PrionFlaire, SocksLoader, SleepyMutagen).
    5. Sell access to ransomware operators; ransom note follows later.

2.2 Kali365 (FBI PSA)

  • Delivery: Sold on Telegram for as little as $250 / month.
  • Mechanism: Captures Microsoft 365 OAuth tokens via the legitimate device‑code authentication flow.
  • Impact:
    • MFA challenge appears on the victim’s device, not the attacker’s.
    • Tokens grant persistent access to Outlook, Teams, OneDrive without additional MFA prompts.

2.3 Scattered Spider

  • Timeline: Aggressive ransomware ops against insurance firms (Apr – Jul 2025) after a pause (Dec 2024).
  • Playbook (since 2022):
    1. Help‑desk social engineering.
    2. Credential & MFA‑reset requests.
    3. Lateral movement through integrated SaaS apps to locate data for extortion.
  • Legal actions:
    • Sep 2025 – UK National Crime Agency arrested two members (targeting Transport for London).
    • US Department of Justice charged one member for attacks on US critical infrastructure.

3. Industry‑Wide Statistics

3.1 Verizon 2026 DBIR

  • Credential theft: 13 % of breach initial‑access vectors (down from previous years).
  • Vulnerability exploitation: 31 % (now the top vector).

3.2 CrowdStrike 2026 Report

  • Financial services ranked 4th most‑targeted sector (Q1 2026).
  • Share of adversary activity: 12 % of all observed activity.
  • Hands‑on‑keyboard intrusions:
    • Global increase of 43 % in 2025 vs. 2023.
    • North America: 48 % increase.
  • E‑crime pressure:
    • 423 financial‑services entities listed on leak sites (↑ 27 % YoY).
    • REVENANT SPIDER victims rose from 14 to 97.
  • Intrusion source breakdown:
    • E‑crime actors: 75 % of hands‑on‑keyboard intrusions.
    • State‑sponsored actors: 25 % (stable since 2023).

4. MFA Bypass Exposure Audit Grid

The grid below maps the five confirmed attack surfaces (CrowdStrike, FBI, Verizon) to what MFA misses on each and the specific remediation for “Monday morning.”

  • Voice‑phishing (Mutant Spider)
    • What MFA misses: An MFA reset obtained by social engineering bypasses the original credential check.
    • Recommended fix: Enforce privileged‑access management (PAM) for MFA reset requests; require dual approval and out‑of‑band verification.
  • OAuth token theft (Kali365)
    • What MFA misses: MFA is satisfied on the victim’s device; the attacker reuses the token.
    • Recommended fix: Deploy continuous token‑use monitoring; enforce short‑lived tokens and conditional access policies that flag anomalous device locations.
  • Credential theft (traditional)
    • What MFA misses: MFA protects only the initial login; a hijacked session can persist.
    • Recommended fix: Implement session binding and re‑authentication for high‑risk actions; use behavioral analytics to detect abnormal activity.
  • Vulnerability exploitation
    • What MFA misses: MFA is irrelevant if the attacker gains a foothold via unpatched software.
    • Recommended fix: Adopt patch management and zero‑trust network segmentation; enforce micro‑segmentation for SaaS workloads.
  • State‑sponsored identity compromise
    • What MFA misses: Targeted attacks on privileged accounts bypass MFA through compromised identities.
    • Recommended fix: Deploy identity‑centric Zero Trust: continuous risk scoring, adaptive MFA, and hardware‑based security keys for privileged users.

(Full detailed matrix available in the original report.)
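The first row of the grid (dual approval plus out‑of‑band verification before any MFA reset) is easy to state and easy to get wrong in practice, because the weak point is that the help‑desk agent verifies the caller on the channel the caller chose. The sketch below is an added example, not code from the article, CrowdStrike, or any PAM product; it models a reset request as a small state machine in which the callback number and the approver list come only from a directory of record (constructed here as DIRECTORY and APPROVERS), and the only function that clears MFA refuses to run until both controls hold. All names, numbers and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed directory of record. The callback target and the approver set come
# from here, never from anything said on the inbound call.
DIRECTORY = {"alice": {"phone_on_file": "+1-555-0100"}}
APPROVERS = {"bob", "carol", "dave"}   # people allowed to give the second sign-off
APPROVAL_WINDOW = timedelta(minutes=30)


class ResetPolicyError(Exception):
    """Raised when a reset request tries to skip a control."""


@dataclass
class ResetRequest:
    user: str
    opened_by: str                 # help-desk agent who took the call
    opened_at: datetime
    callback_confirmed: bool = False
    approvals: set = field(default_factory=set)
    mfa_cleared: bool = False


def record_callback(req: ResetRequest, number: str, answered_and_confirmed: bool) -> ResetRequest:
    """Out-of-band step: the agent ends the inbound call and calls the number on file.
    A callback to any other number (for example one the caller read out) is refused."""
    if number != DIRECTORY[req.user]["phone_on_file"]:
        raise ResetPolicyError("callback must go to the number on file, not one supplied on the call")
    req.callback_confirmed = answered_and_confirmed
    return req


def approve(req: ResetRequest, approver: str, now: datetime) -> ResetRequest:
    """Dual approval: a second person from the approver set, distinct from the
    opening agent and from the user, within the approval window."""
    if approver not in APPROVERS:
        raise ResetPolicyError(f"{approver} is not an authorised approver")
    if approver in (req.opened_by, req.user):
        raise ResetPolicyError("approver must be distinct from the opening agent and the user")
    if now - req.opened_at > APPROVAL_WINDOW:
        raise ResetPolicyError("approval window expired; open a new request")
    req.approvals.add(approver)
    return req


def clear_mfa(req: ResetRequest) -> bool:
    """The only path that removes MFA methods. Both controls must hold."""
    if not req.callback_confirmed:
        raise ResetPolicyError("identity not confirmed out of band")
    if not req.approvals:
        raise ResetPolicyError("second approval missing")
    req.mfa_cleared = True          # a real system would call the directory API here
    return True


T0 = datetime(2026, 5, 7, 10, 0, tzinfo=timezone.utc)   # constructed clock


def legitimate_reset() -> bool:
    """Callback to the number on file, second approver, then the reset proceeds."""
    req = ResetRequest(user="alice", opened_by="dave", opened_at=T0)
    record_callback(req, "+1-555-0100", answered_and_confirmed=True)
    approve(req, "bob", now=T0 + timedelta(minutes=5))
    return clear_mfa(req)


def caller_supplied_number() -> str:
    """The pattern the grid warns about: the caller asks to be called back on 'my new number'."""
    req = ResetRequest(user="alice", opened_by="dave", opened_at=T0)
    try:
        record_callback(req, "+1-555-0199", answered_and_confirmed=True)
    except ResetPolicyError as e:
        return str(e)
    return "accepted"


def single_agent_shortcut() -> str:
    """The agent who took the call cannot also be the second approver."""
    req = ResetRequest(user="alice", opened_by="dave", opened_at=T0)
    record_callback(req, "+1-555-0100", answered_and_confirmed=True)
    try:
        approve(req, "dave", now=T0)
    except ResetPolicyError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    print("legitimate reset cleared:", legitimate_reset())
    print("caller-supplied number:", caller_supplied_number())
    print("single-agent shortcut:", single_agent_shortcut())
```

The design point is that the three checks are not advisory: there is no code path that sets mfa_cleared without a confirmed callback to a number the caller did not choose and a sign‑off from someone other than the agent on the call, which is what "dual approval and out‑of‑band verification" has to mean for a vishing call to fail.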


5. State‑Sponsored Activity

  • DPRK‑nexus: Stole $2.02 B in digital assets (↑ 51 % YoY).
    • Feb 2025: Pressure Chollima stole $1.46 B by compromising Safe{Wallet} (Bybit) via a trojanized Python project.
  • China‑nexus:
    • Hollow Panda – exploited Check Point VPN appliances (Philippines, Indonesia, Brazil).
    • Vault Panda – compromised VPN & firewall appliances across four continents.
  • Common thread: First move always targets an identity, credential, or trusted access path.

“Traditional approaches are just not designed for this sort of behavior.” – Elia Zaitsev, CTO, CrowdStrike


6. Takeaway

  • MFA alone is no longer sufficient; attackers are bypassing it via social engineering, token theft, and credential resets.
  • Defenders must adopt a layered, identity‑centric strategy: privileged‑access controls, continuous token monitoring, adaptive MFA, and rapid patching.
  • Immediate actions (the “Monday‑morning fix”) include:
    1. Enforce dual‑approval for any MFA reset.
    2. Shorten OAuth token lifetimes and monitor anomalous usage.
    3. Deploy behavioral analytics for post‑login activity.
    4. Harden SaaS integrations with zero‑trust policies.
    5. Accelerate patch‑management and network micro‑segmentation.

By addressing the five attack surfaces identified across CrowdStrike, the FBI, and Verizon, financial‑services organisations can close the gaps that MFA currently misses and stay ahead of the evolving threat landscape.

Kali365 Turns Token Theft into a Subscription Service

The FBI’s May 21 public‑service announcement on Kali365 confirmed the second attack path that makes this a compound problem. The platform exploits Microsoft’s OAuth 2.0 device‑authorization grant flow, a mechanism designed for devices like smart TVs and conference‑room systems that cannot support interactive login.

  • Kali365 sends phishing emails impersonating trusted services such as Adobe Acrobat Sign, DocuSign, and SharePoint.
  • The email contains a device code and instructions to visit a legitimate Microsoft verification page.
  • The victim authenticates normally; MFA fires, but the token is sent to the attacker.

Arctic Wolf, which published a technical deep‑dive on Kali365 in April, documented a three‑tier commercial structure:

  • Admin – for the developers
  • Agent – for resellers
  • Client – for paying affiliates

Subscription pricing runs from $250 for 30 days to $2,000 for a year. The platform supports 14 languages and includes AI‑generated phishing lures, automated campaign templates, and a real‑time tracking dashboard.

Note: The device‑code flow is not a vulnerability; it is a feature. Microsoft designed it for devices that cannot support interactive login. The problem is that default Entra ID configurations do not restrict its use, and most organizations have never audited whether any legitimate workflow actually requires it. Kali365 exploits that gap between design intent and deployment reality.

The Verizon DBIR reinforced that assessment from a different angle. The 2026 edition analyzed more than 22 000 confirmed breaches across 145 countries.

  • Vulnerability exploitation: 31 % (now leads)
  • Credential abuse: 13 %
  • Median time for full patching: 43 days (up from 32)
  • Organizations patched only 26 % of critical flaws in CISA’s Known Exploited Vulnerabilities catalog (down from 38 % the prior year)

That data creates a clear picture. The industry has spent two decades building defenses against credential theft. The attacks that are actually working in financial services either:

  1. Remove MFA through social engineering, or
  2. Capture tokens via legitimate authentication flows where MFA does not protect the attacker’s session.

MFA Bypass Exposure Audit Grid

Security directors need to run this audit against their environment this week. Each row represents a confirmed attack path from the three reports above.

  • Teams vishing / help‑desk MFA reset
    • Confirmed event: The most active FS attacker called employees on Teams, got MFA reset, and registered its own device (CrowdStrike).
    • What MFA misses: The help desk verifies caller identity without out‑of‑band confirmation; social engineering removes MFA entirely.
    • Recommended action: Out‑of‑band verification for all MFA resets. Deploy FIDO2 hardware keys. Use a callback on a separate channel.
  • OAuth device‑code flow
    • Confirmed event: A $250/mo tool captures M365 tokens via the devicelogin page; MFA does not fire on the attacker’s device (FBI).
    • What MFA misses: Not restricted in default Entra ID configurations. The authentication channel separates the user’s MFA challenge from the attacker’s token grant.
    • Recommended action: Restrict device‑code flow in Entra ID Conditional Access. Block unmanaged devices.
  • Token persistence
    • Confirmed event: Both paths end here. Valid tokens can grant weeks or months of silent access depending on token‑lifetime configuration (CrowdStrike + FBI).
    • What MFA misses: Traditional credential‑theft monitoring does not flag token‑based access. Tokens are credential‑equivalent bearer artifacts, but most detection tools do not classify them that way.
    • Recommended action: Monitor OAuth refresh‑token usage from unfamiliar devices. Enforce token‑lifetime policies.
  • Post‑access SaaS movement
    • Confirmed event: After the reset, attackers pivoted to SaaS apps for credentials and documents (CrowdStrike, insurance sector).
    • What MFA misses: DLP monitors file downloads, not post‑reset session activity or token‑based API calls from authorized sessions.
    • Recommended action: Audit Graph API access. Flag bulk operations from reset or device‑code sessions.
  • Budget misalignment
    • Confirmed event: Credential theft at 13 %; vulnerability exploitation at 31 % (Verizon DBIR). Patch reverse‑engineering within 72 hours (Ivanti).
    • What MFA misses: Legacy, login‑only MFA investment addresses the threat that just dropped to third. Token capture and social engineering sit outside that investment.
    • Recommended action: Rebalance toward token monitoring, session validation, and identity verification for resets.
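The grid’s first three rows, and the earlier description of the device‑code flow, each reduce to a question a SIEM can answer from sign‑in and audit logs: which sign‑ins used the device‑code flow at all, which refresh tokens were redeemed from a device the user never completed an interactive (MFA) sign‑in on, and which MFA resets were followed shortly by a new device registration. The script below is an added example, not code from the article, the FBI, CrowdStrike or Microsoft; its records are constructed and their field names (user, device_id, flow, activity, ts) are assumptions modelled loosely on Entra ID sign‑in and audit logs, not the real schema. The allow‑list of users that genuinely need the device‑code flow (the "conference‑room system" case the article mentions) is the thing the note about auditing legitimate workflows asks you to produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records. flow is one of:
#   interactive - the user signed in and answered MFA on that device
#   deviceCode  - a token was issued to the client that polled with a device code
#   refresh     - a refresh token was redeemed from that device
SIGNINS = [
    {"user": "alice",   "device_id": "dev-A", "flow": "interactive", "ts": "2026-05-04T09:00:00"},
    {"user": "alice",   "device_id": "dev-X", "flow": "deviceCode",  "ts": "2026-05-05T14:10:00"},
    {"user": "alice",   "device_id": "dev-X", "flow": "refresh",     "ts": "2026-05-06T03:00:00"},
    {"user": "alice",   "device_id": "dev-A", "flow": "refresh",     "ts": "2026-05-06T08:00:00"},
    {"user": "roomsys", "device_id": "dev-R", "flow": "deviceCode",  "ts": "2026-05-05T08:00:00"},
    {"user": "bob",     "device_id": "dev-B", "flow": "interactive", "ts": "2026-05-05T09:00:00"},
]

# Constructed audit records (activity names are illustrative, not Entra's exact strings).
AUDIT = [
    {"user": "carol", "activity": "MFA methods reset", "ts": "2026-05-07T10:05:00"},
    {"user": "carol", "activity": "Device registered", "ts": "2026-05-07T10:40:00"},
    {"user": "bob",   "activity": "MFA methods reset", "ts": "2026-04-01T11:00:00"},
    {"user": "bob",   "activity": "Device registered", "ts": "2026-04-20T11:00:00"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def device_code_signins(signins, allowed_users):
    """Grid row 2: any device-code sign-in by a user who is not on the audited
    allow-list of workflows that genuinely need the flow."""
    return [r for r in signins if r["flow"] == "deviceCode" and r["user"] not in allowed_users]


def refreshes_from_unfamiliar_devices(signins):
    """Grid row 3: a refresh token redeemed from a device on which the user has
    never completed an interactive sign-in. The device-code client never did,
    because the MFA prompt was answered on the victim's own device."""
    familiar = defaultdict(set)
    for r in signins:
        if r["flow"] == "interactive":
            familiar[r["user"]].add(r["device_id"])
    return [r for r in signins
            if r["flow"] == "refresh" and r["device_id"] not in familiar[r["user"]]]


def reset_followed_by_new_device(audit, window=timedelta(hours=24)):
    """Grid row 1: an MFA reset followed within `window` by a device registration
    for the same user, the sequence the vishing playbook produces."""
    hits = []
    resets = [a for a in audit if a["activity"] == "MFA methods reset"]
    regs = [a for a in audit if a["activity"] == "Device registered"]
    for reset in resets:
        for reg in regs:
            if reg["user"] != reset["user"]:
                continue
            delta = _ts(reg) - _ts(reset)
            if timedelta(0) <= delta <= window:
                hits.append({"user": reset["user"], "reset_at": reset["ts"],
                             "device_at": reg["ts"], "minutes": int(delta.total_seconds() // 60)})
    return hits


def run_audit(signins=SIGNINS, audit=AUDIT, allowed_device_code_users=frozenset({"roomsys"})):
    """Run all three detections and return the hits keyed by detection name."""
    return {
        "device_code": device_code_signins(signins, allowed_device_code_users),
        "unfamiliar_refresh": refreshes_from_unfamiliar_devices(signins),
        "reset_then_device": reset_followed_by_new_device(audit),
    }


if __name__ == "__main__":
    for name, hits in run_audit().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the constructed data the device‑code sign‑in by roomsys is suppressed by the allow‑list, alice’s sign‑in via dev‑X is flagged, the later refresh from dev‑X is flagged because alice never answered MFA on that device (her refresh from dev‑A is not), and carol’s reset followed 35 minutes later by a device registration is flagged while bob’s 19‑day gap is not. The second detection is the one that addresses the row‑3 point that tokens are credential‑equivalent: it looks at token use rather than at logins.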

Mike Riemer, SVP and Field CISO at Ivanti, told VentureBeat in an exclusive interview that the speed problem compounds the budget misalignment.
“Threat actors are reverse‑engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer said. “They’re able to reverse‑engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.”


The Structural Problem Is Clear

“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoint and virtualization and cloud. People really focused on, hey, let’s patch all the vulnerabilities. Impossible. Let’s make sure we lock down all the permissions. Somehow we always seem to miss something.”

The attackers who matter most in financial services right now are not stealing passwords. They are:

  • Calling help desks.
  • Exploiting legitimate authentication flows.
  • Capturing tokens that persist for months.

The defenses that consumed the largest share of security budgets for the past decade are pointed at a threat that has dropped to third place.

The fix is not adding another layer of MFA — Zaitsev and Riemer both said as much. It’s rethinking what MFA actually protects, what it doesn’t, and where the budget needs to go next.
