What MFA gets back to front about authentication

By James Preston, Principal Security Consultant at ANSecurity.

In physical penetration testing, practitioners commonly find a number of absurd things: tightly locked doors with exposed hinges that can simply be unscrewed, expensive security cameras pointed at walls, and tall security barriers beside unlocked gates. These otherwise effective tools are configured in a way that makes them useless for defence.

Such is increasingly the case with Multi-Factor Authentication (MFA) - an effective security control that, due to a number of oversights, is glaringly vulnerable. MFA was hailed as a long-overdue replacement for the username/password combinations that had failed to secure data and access for years. Helped along by the ubiquity of mobile phones, MFA is now a basic standard for many different services, organisations, platforms and technologies.

Yet for every new technology that emerges, threat actors will surely find some way to exploit it. Indeed they have: for every authentication factor that MFA uses, there is some way to phish or otherwise exploit it.

Defeating MFA

Recent years have made this highly noticeable. The SMS code, push notifications and devices that are supposed to add extra layers of security remain highly phishable. Attackers have proven it.

In 2022, a Lapsus$ group associate bought the private information of an Uber contractor off the dark web. They then started spamming that contractor's phone with push notifications and, after an hour of bombardment, contacted the contractor pretending to be Uber IT support, saying the prompts were due to a bug and that the contractor had to accept the push notification in order to stop it. The contractor acceded, and this one momentary oversight led to the attacker gaining access to Uber's internal systems and applications, including its AWS, Google Cloud and SentinelOne environments and even its internal password managers. These "MFA fatigue" attacks have proven remarkably successful: according to the 2025 Verizon Data Breach Investigations Report, there has been a 217% rise in MFA fatigue attacks.

In September 2023, a group dubbed Scattered Spider collected information on a senior employee at MGM Resorts in Las Vegas. Using that information, they called the MGM helpdesk under the guise of that employee, claimed they had lost their devices and requested that the MFA tied to the user's account be reset. The help desk complied, and MGM ultimately suffered tens of millions in losses as a result of the ensuing paralysis.

Even more recently - in March 2026 - the Canadian telecoms giant Telus was taken for a purported 700 terabytes of sensitive information. Attackers used a SneakyLog kit and a deluge of AI-generated emails to steal active session tokens, bypassing MFA entirely because those tokens signified that MFA had already been cleared.

Evil Engines

A veritable industry has grown up around defeating phishing defences: an underground world of vendors and developers actively building and offering the tools, advice and tactics required to get around phishing protections and MFA. Perhaps the best known examples are Evilginx and - as was used in the Telus breach - SneakyLog.

Both tools - across one application and platform or another - are used for session hijacking. This involves the theft of OAuth tokens from users who have already completed their MFA checks. From there, attackers can proceed into an environment as though they too had already passed MFA.

Those session tokens are acquired through what is known as an "adversary in the middle" attack, in which an attacker uses a service like SneakyLog or Evilginx to sit between the user and the service. The adversary alters or clones the service's login pages, capturing the information the user enters and replaying it to the legitimate login page. When the MFA prompt is forwarded to the user, they accept it, generating a session token which, while granting access to the legitimate user, is simultaneously copied by the attacker sitting between the service and the user.

This is where MFA so often falls perilously short. It authenticates the user to the service, but not - crucially - the service to the user. By interposing themselves between the two, attackers can effectively piggyback on the legitimate login and be granted their own session token, and thus access, at the same time as the legitimate user.

Attackers are nothing if not adaptive. While MFA has limited their ability to gain unauthorised access using traditional methods such as brute-force attacks, they have now shifted their attention to targeting the service as a way of compromising the user's access.

What we might now call legacy MFA is, on its own, simply no longer sufficient to prevent unauthorised access. Moreover, an entire illicit industry of tools and vendors has grown up in the cybercriminal underground with the sole intention of circumventing it.

Unfortunately for many organisations, no sooner have they updated their security controls than a new attack strategy renders those controls irrelevant or severely compromised. Still, defenders must once again accommodate the new risks involved in MFA.

Phishing-resistant authentication

To do that, a layer of phishing-resistant authentication must be applied as part of MFA. While legacy MFA improves upon username/password combinations by adding technical authentication factors on top of them, those factors can still be phished. To that end, the technical authentication must go deeper, and solutions have indeed emerged to address precisely these problems.

Solutions that implement FIDO2 (Fast IDentity Online 2) eliminate session theft at the time of authentication by only permitting the user's identity to be released to verified legitimate websites (domains). In turn, a threat actor using tools such as SneakyLog or Evilginx will never receive a session token, because the decision to authenticate to the website has been taken out of the user's hands.

MFA as we knew it was the right solution for its time. It largely solved the problems that characterised the long-outdated username/password combinations of yesteryear. But cybersecurity is a game of cat and mouse, and attackers are constantly looking for new ways to circumvent defences. Session token hijacking is just one of those, but it has thus far proved so successful that an industry has grown up around it. For defenders, the next step needs to be taken: MFA must be augmented to authenticate the service as well as the user. Cryptographic binding through FIDO2 or WebAuthn serves as an important reinforcement against this burgeoning industry of session token hijacking.
