Why “we have multi-factor authentication” stopped being a reassuring sentence in 2026 — and what SMBs should do this week.
If you bought MFA in 2020 and forgot about it, this article is for you.
On May 24, 2026, the FBI put out an unusual flash alert. A phishing kit called Kali365 — sold as a subscription on Telegram, of all places — was hitting Microsoft 365 accounts at hundreds of organizations. The headlines screamed that it “bypasses MFA.” A few hours of reading made me realize that’s the wrong way to think about it. Kali365 doesn’t bypass MFA. It bypasses you — the part of the system that is still, embarrassingly, the easiest thing to attack.
If you run IT for a 50-to-500-person company, here’s what changed, why it changed, and what to do before the next vendor breach shows up in your inbox.
The end of “MFA equals secure”

For a long time, MFA was the line in the sand. You drew it between “people who got phished” and “people who didn’t.” In 2026, that line no longer falls anywhere useful.
Three things happened in the last month that I think every IT leader should know about:
1. Kali365 and the rise of consent phishing. The FBI alert describes a kit that tricks a user into clicking “Allow” on a malicious OAuth app. No password is typed. No MFA prompt is shown. The user authorizes an app, the app gets a refresh token, and from that point forward the attacker is the user — until someone revokes the token or it expires. Microsoft 365 sits behind more than a million U.S. companies. Most of them have no idea which third-party apps their employees have already authorized. (FBI warning, May 24, 2026; reported by TechRadar, HotHardware, TechTimes.)
2. CrowdStrike’s 2026 Financial Services Threat Report found that the single most common attacker against banks and insurers last year never phished a password at all. They phished a session. Once a user authenticated successfully, the attacker stole the cookie and rode it across the rest of the network. The report’s framing is sharp: MFA verifies who logged in. It has no idea what they do next.
3. SonicWall CVE-2024-12802. A previously-patched SSL-VPN authentication bypass got re-bypassed by a new flaw disclosed in mid-May. The lesson isn’t about SonicWall specifically. It’s that identity-layer bugs are showing up in the patches designed to fix identity-layer bugs. Every appliance you expose to the internet deserves a second look this quarter.
Put those three stories next to the GitHub breach on May 20 (a poisoned VS Code extension on an employee’s laptop, 3,800 internal repos gone in a single worm) and the picture is hard to argue with: the attackers have moved past your login screen.
What “phishing-resistant MFA” actually means
When I say “you have MFA,” I want to know which kind. The difference matters more than it used to.
| Method | Can Kali365 / token-theft beat it? |
|---|---|
| SMS codes | Yes. SIM swap, SS7 routing, prompt bombing. |
| Authenticator app (TOTP) | Mostly yes. Real-time phishing proxies relay the code before it expires. |
| Push notifications (Duo, Microsoft Authenticator push) | Yes. Prompt bombing (“are you sure? are you sure?”) and adversary-in-the-middle kits. |
| FIDO2 / WebAuthn / Passkeys (YubiKey, Windows Hello, Apple passkeys) | No. The key is bound to the real domain. A fake login page can’t complete the handshake. |

Microsoft, Google, and CISA have all said, in writing, that FIDO2-based credentials are the only MFA worth buying for new deployments. If your authenticator app has a green “Approve” button, you should be planning a migration. Hardware keys cost roughly $25-$50 per employee. For a 100-person shop, that’s a one-weekend project and a meaningful dent in your attack surface.
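The table's last row is the whole argument, so it is worth seeing the mechanism. The Python below is an added example, not the article's or any vendor's code: it simulates the relying-party side of a WebAuthn authentication ("get") ceremony with the standard library only. The RP ID (`example.com`), the allowed origin (`https://login.example.com`) and the look-alike phishing origin (`https://login-example.com`) are assumed example values. The browser writes the origin into `clientDataJSON` and the authenticator hashes the RP ID into `authenticatorData`; the server rejects anything that does not match its own domain, which is why a fake login page relaying a real challenge cannot complete the handshake. The signature check over `authenticatorData || sha256(clientDataJSON)` is deliberately omitted to stay dependency-free; in a real RP it runs after the checks shown.

```python
import base64
import hashlib
import json
import secrets

# Relying-party settings. Assumed example values, not from the article:
# the RP ID is the registrable domain, and only exact origins under it are accepted.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Simulate what the browser and authenticator return for an authentication
    ("get") ceremony. The browser, not the page's JavaScript, writes the origin
    into clientDataJSON, and the authenticator scopes the credential to the RP ID
    the browser derived from that origin. A look-alike site gets its own values."""
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    # authenticatorData layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    # flags 0x05 = user present (0x01) + user verified (0x04)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data_json, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Server-side checks that make a FIDO2 credential origin-bound.
    Returns (accepted, reason). The signature check over
    authenticatorData || sha256(clientDataJSON) against the stored public key
    is omitted here to stay stdlib-only; in a real RP it runs after these checks."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or cross-session response)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin for this RP"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Same server challenge handed to the real site and to a look-alike phishing
    site that relays it. Only the response from the real origin is accepted."""
    challenge = secrets.token_bytes(32)
    real = make_assertion("https://login.example.com", challenge, RP_ID)
    phish = make_assertion("https://login-example.com", challenge, "login-example.com")
    return {"real": verify_assertion(real, challenge), "phish": verify_assertion(phish, challenge)}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Run it and the relayed response is rejected at the origin check. A phishing site cannot rewrite the origin string either: in the real protocol the authenticator's signature covers `clientDataJSON`, so any edit breaks the (omitted) signature check, and the `rpIdHash` check catches a credential scoped to the wrong domain even if the origin somehow matched. Contrast that with the TOTP row: a six-digit code carries no information about where it was typed.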
The five things I’d do this month

If I were running IT at a small business and could only pick five things, this is the list — in order of how much risk it actually buys down:
1. Turn on conditional access. In Entra ID (Azure AD) or Google Workspace, require device compliance, block legacy authentication, and restrict sign-ins by country or IP range. Legacy auth is where most of the OAuth-token attacks still land. Microsoft has a one-click toggle in the Entra admin center. Do it this afternoon.
2. Audit OAuth consents. Go to https://myapps.microsoft.com (or the Google equivalent) and click “My Apps.” Look at every third-party app a user has authorized. You will be horrified. Revoke anything you don’t recognize. The Kali365 attack leaves a long trail of “Mailbox.Read” or “Files.ReadWrite” grants with publisher names like “K365Sync” or “CloudBackup365.” Train your finance and HR teams to never click “Accept” on a Microsoft 365 consent screen — full stop.
3. Move admin accounts to phishing-resistant MFA. Domain admins, finance, anyone who can move money or change payroll. Hardware key only. No exceptions. The single biggest dollar-loss events in 2025 all started with a privileged account.
4. Set session lifetime to 8 hours or less. A stolen token is only useful until it expires. Shorter sessions mean more re-auth prompts, but the alternative is a 30-day refresh token that an attacker can hand around the dark web.
5. Watch the post-authentication behavior, not the login. This is the conceptual shift. Push alerts, Slack messages, MFA prompts — those are login-layer signals. You also need post-login signals: which mailbox rules were created, which OAuth grants were added, which file-share permissions were changed in the last 24 hours. Microsoft Defender, Huntress, and a dozen newer tools now do this. Pick one and turn it on.
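Items 2 and 5 both come down to the same question: what did an authenticated identity do after it logged in? The Python below is an added example, not the article's code and not how Defender or Huntress implement it. It triages constructed sample records in the rough shape of Microsoft 365 unified audit log entries (the field names, operation names and every value are assumptions for this example; scope names follow Microsoft Graph permission naming) and flags the three post-login signals the list names: inbox rules that forward or delete mail, OAuth consents granting mail or file access to apps outside an allowlist, and new sharing links. A 24-hour lookback matches the window the fifth item suggests.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records in the rough shape of Microsoft 365 unified audit log
# entries. Field names, operation names and values are assumptions for this example.
SAMPLE_LOG = """\
{"CreationTime":"2026-05-25T08:02:11","Operation":"New-InboxRule","UserId":"cfo@example.com","Parameters":[{"Name":"ForwardTo","Value":"cfo.backup@lookalike.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-05-25T08:05:40","Operation":"Consent to application.","UserId":"cfo@example.com","AppDisplayName":"CloudBackup365","Scopes":"Mail.Read Files.ReadWrite offline_access"}
{"CreationTime":"2026-05-25T09:12:03","Operation":"AnonymousLinkCreated","UserId":"hr@example.com","ObjectId":"https://example.sharepoint.com/sites/HR/payroll.xlsx"}
{"CreationTime":"2026-05-25T10:30:00","Operation":"New-InboxRule","UserId":"sales@example.com","Parameters":[{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-05-20T10:30:00","Operation":"Consent to application.","UserId":"ops@example.com","AppDisplayName":"CloudBackup365","Scopes":"Mail.Read"}
"""

# Fixed "now" so the example is reproducible (constructed to match the sample dates).
NOW = datetime(2026, 5, 25, 12, 0, tzinfo=timezone.utc)

# Scope names follow Microsoft Graph permission naming; these let an app read or
# rewrite a user's mail and files once consent is granted.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}
# Inbox-rule parameters that move mail out of the mailbox or hide it from the owner.
EXFIL_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
SHARING_OPS = {"AnonymousLinkCreated", "SharingSet", "SharingInvitationCreated"}


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(text: str, now: datetime, lookback: timedelta = timedelta(hours=24),
           app_allowlist: frozenset = frozenset()) -> list:
    """Return findings for post-login events inside the lookback window,
    highest severity first, then chronological."""
    findings = []
    for rec in parse_log(text):
        when = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        if when < now - lookback or when > now:
            continue  # outside the review window
        op = rec.get("Operation", "")
        user = rec.get("UserId", "?")
        if op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            hits = sorted(EXFIL_RULE_PARAMS & set(params))
            if hits:
                findings.append({"severity": "high", "user": user, "time": rec["CreationTime"],
                                 "why": "inbox rule sets " + ", ".join(hits)})
        elif op.startswith("Consent to application"):
            app = rec.get("AppDisplayName", "?")
            risky = sorted(RISKY_SCOPES & set(rec.get("Scopes", "").split()))
            if risky and app not in app_allowlist:
                findings.append({"severity": "high", "user": user, "time": rec["CreationTime"],
                                 "why": f"consent to non-allowlisted app {app!r} for " + ", ".join(risky)})
        elif op in SHARING_OPS:
            findings.append({"severity": "medium", "user": user, "time": rec["CreationTime"],
                             "why": f"{op} on {rec.get('ObjectId', '?')}"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["time"]))


def run_demo(lookback_hours: int = 24, app_allowlist: frozenset = frozenset()) -> list:
    """Triage the constructed sample against the fixed NOW."""
    return triage(SAMPLE_LOG, NOW, timedelta(hours=lookback_hours), app_allowlist)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] {f['time']} {f['user']}: {f['why']}")
```

On the sample, the CFO's forwarding-and-delete rule and the CloudBackup365 consent surface as high findings minutes apart, which is the pattern to look for: none of these events involves a failed login or an MFA prompt. The `app_allowlist` is where a tenant records consents it has reviewed and accepted, so the same grant stops alerting once it is known; widening `lookback_hours` pulls in the older consent the 24-hour view ignores, which is the trade-off between a daily review and a first-time sweep.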
The thing I keep telling clients
I don’t say this to scare anyone. The attackers aren’t smarter than they were in 2022. They just got more patient. A Kali365 subscription costs a few hundred dollars a month. An hour of a junior analyst’s time at your company is worth more than that. The economics have flipped, and the defense has to flip with it.
MFA is still the best thing most of you have done. It’s just no longer the last thing. The next layer — what happens after a user proves who they are — is where the work is now. The good news: most of it is policy, not purchases. You can do a meaningful chunk of it this week, before the next alert shows up in your inbox.
Have a question about your own MFA setup? Reply to the newsletter — I read every message. If you want a second pair of eyes on your Microsoft 365 or Google Workspace tenant, that’s exactly the kind of thing we do.