© 2024 americanfocus.online – All Rights Reserved.
Tech and Science

The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

Last updated: May 26, 2026 1:10 pm

Over the past year, the most prolific attacker of financial services organizations did not phish for passwords. It called the IT help desk, persuaded an employee to reset their multi-factor authentication (MFA), and enrolled its own device on the network.

CrowdStrike’s 2026 Financial Services Threat Landscape Report, released this month and covering April 2025 through March 2026, identified the group Mutant Spider as the primary threat to the financial services sector. Its main tactic was voice phishing over Microsoft Teams: posing as internal IT support, it persuaded employees to reset their credentials and MFA, then registered its own devices on corporate networks. The security control worked exactly as designed, which was part of the problem: once the reset was approved, the attacker’s newly enrolled authenticator satisfied every subsequent MFA check.

Shortly after, the FBI issued a public service announcement about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali365 obtains Microsoft 365 OAuth tokens through the legitimate device code authentication flow: the MFA prompt is completed on the victim’s own device, while the access and refresh tokens are issued to the attacker’s client, which started the flow. That gives the attacker persistent access to Outlook, Teams, and OneDrive with no further MFA challenge.

The Verizon 2026 Data Breach Investigations Report, also published in May, added a third data point: credential abuse fell to 13% of initial access vectors, while vulnerability exploitation became the top method at 31%, overtaking credential abuse as the long-standing leader. Taken together, three independent sources describe the same structural issue: MFA protects the password login step, but the attacks now succeeding against financial services do not go through that step. They reset the factor, harvest the token, or exploit the edge device. The MFA Bypass Exposure Audit Grid at the end of this article lays out five attack surfaces drawn from the CrowdStrike, FBI, and Verizon reports, what MFA fails to cover in each, and the immediate corrective action.

The CrowdStrike numbers reveal ongoing sector pressure

According to the CrowdStrike report, financial services ranked as the fourth most targeted sector by Q1 2026, representing 12% of all observed adversary activity. Globally, financial institutions experienced a 43% increase in hands-on-keyboard intrusions in 2025 compared to two years prior, with North America seeing a 48% rise.

The e-crime aspect of the issue expanded more rapidly than anticipated by many defenders. Big game hunting operators listed 423 financial services entities on dedicated leak sites within the reporting period, a 27% rise from the 334 entities mentioned in the previous year. REVENANT SPIDER, operating the Qilin ransomware-as-a-service program, recorded the highest number of financial services victims on its dedicated leak site, jumping from 14 to 97 victims over the period.


Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, told VentureBeat, “Who needs a zero day if all you have to do is call the help desk and say, ‘I forgot my password’?” This statement encapsulates the structural change his team documented over twelve months of financial services intrusions.

The breakdown of intrusions shows who is actually infiltrating these networks. E-crime actors were responsible for 75% of hands-on-keyboard intrusions against financial services, while state-sponsored adversaries accounted for the remaining 25%. This ratio has remained stable since 2023, but the volume and sophistication of access techniques have evolved.

Mutant Spider’s Teams vishing campaigns mark a structural shift in initial access. The group impersonates IT support, persuades employees to reset MFA, then deploys custom post-access tooling such as PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike assesses that the group sells the resulting access to ransomware operators: the Teams call is the first step, and the ransom note is the last.


After a pause beginning in December 2024, Scattered Spider resumed aggressive ransomware activities against insurance companies from April to July 2025. The group followed its established playbook from 2022, involving help desk social engineering, credential and MFA reset requests, and lateral movement through integrated SaaS applications to identify data for extortion. In September 2025, the U.K.’s National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The U.S. Department of Justice separately charged one of them with multiple cyberattacks against U.S. critical infrastructure.

State-sponsored groups increased scale and speed

The report’s findings on state-sponsored activity show a different facet of the identity problem. DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51% increase over the previous year. In February 2025, Pressure Chollima carried out the largest single theft ever reported, taking $1.46 billion in cryptocurrency by compromising Safe{Wallet}, a digital asset management platform used by the Bybit exchange, after a developer’s machine was infected through a trojanized Python project.

China-nexus groups ran sustained campaigns against financial institutions on several continents. Hollow Panda exploited Check Point VPN appliances to target banks in the Philippines, Indonesia, and Brazil. Vault Panda gained initial access through compromised VPN and firewall appliances across four continents. Every state-sponsored campaign CrowdStrike documented shared a common thread: the adversary’s first move targeted an identity, a credential, or a trusted access path.


Elia Zaitsev, CrowdStrike’s CTO, mentioned to VentureBeat in April that the speed of these operations is outstripping traditional defense models. “Traditional approaches are just not designed for this sort of behavior,” Zaitsev stated.

Kali365 transforms token theft into a subscription service

The FBI’s May 21 announcement on Kali365 confirmed the second attack path, which compounds the first. The platform abuses Microsoft’s OAuth 2.0 device authorization grant (the device code flow), built for devices such as smart TVs and conference room systems that cannot present an interactive login. Kali365 sends phishing emails impersonating trusted services such as Adobe Acrobat Sign, DocuSign, and SharePoint; each carries a device code and instructions to visit a legitimate Microsoft verification page. The victim signs in normally and completes MFA on their own device. The authorization server then issues the access and refresh tokens to the client that started the flow, which is the attacker’s, not the victim’s.

Arctic Wolf provided a technical deep dive on Kali365 in April, detailing a three-tier commercial structure: an admin tier for developers, an agent tier for resellers, and a client tier for paying affiliates. Subscription costs range from $250 for 30 days to $2,000 for a year. The platform is available in 14 languages and includes AI-generated phishing lures, automated campaign templates, and a real-time tracking dashboard.

The device code flow is not a vulnerability; it is a feature Microsoft designed for devices that cannot support interactive login. The problem is that default Entra ID configurations do not restrict its use, and many organizations have never audited whether any legitimate workflow needs it. Kali365 lives in the gap between design intent and deployment reality.
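The exchange the two paragraphs above describe, as an added example that is not code from the article, the FBI announcement, Kali365, or Microsoft: a minimal model of the OAuth 2.0 device authorization grant (RFC 8628) in Python. It shows the property that matters here, that the MFA challenge is satisfied on the victim’s side of the flow while the tokens are issued to whichever client holds the device_code, and that the only place a defender can intervene is policy at the verification step. Endpoint names, token formats, the `device_code_allowed` switch, and the example client and user identifiers are simplified assumptions, not Entra ID behaviour.

```python
"""Added example (not from the article, the FBI PSA, Kali365 or Microsoft):
a toy OAuth 2.0 device authorization grant (RFC 8628) showing why the
victim's MFA prompt never protects the attacker's session."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAuthorization:
    device_code: str            # long secret, known only to the client that started the flow
    user_code: str              # short code the human types at the verification URI
    client_id: str
    scope: str
    expires_at: float
    status: str = "pending"     # pending | authorized
    subject: Optional[str] = None


class AuthorizationServer:
    """Toy identity provider. The two halves of the flow are kept separate:
    verify_user_code() is where the user and their MFA live, token() is
    where the bearer tokens come out."""

    def __init__(self, device_code_allowed: bool = True):
        # Models a Conditional Access style tenant policy (assumption: defaults
        # to True, as the article says default Entra ID configurations do).
        self.device_code_allowed = device_code_allowed
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """RFC 8628 section 3.1/3.2: any public client can start a flow."""
        da = DeviceAuthorization(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**9):09d}",
            client_id=client_id, scope=scope, expires_at=time.time() + 900)
        self._by_device_code[da.device_code] = da
        self._by_user_code[da.user_code] = da
        return {"device_code": da.device_code, "user_code": da.user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": 900, "interval": 5}

    def verify_user_code(self, user_code: str, subject: str, mfa_satisfied: bool) -> str:
        """The victim's browser hits this with the code from the lure.
        MFA is checked here, on the victim's device, and nowhere else."""
        da = self._by_user_code.get(user_code)
        if da is None or time.time() > da.expires_at:
            return "invalid_or_expired"
        if not self.device_code_allowed:
            return "blocked_by_policy"      # the control the audit grid recommends
        if not mfa_satisfied:
            return "mfa_required"
        da.status, da.subject = "authorized", subject
        return "approved"

    def token(self, client_id: str, device_code: str) -> dict:
        """Polled by whoever holds device_code. No user, no MFA, no device
        check: only 'has the user_code half been approved yet?'."""
        da = self._by_device_code.get(device_code)
        if da is None or da.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > da.expires_at:
            return {"error": "expired_token"}
        if da.status != "authorized":
            return {"error": "authorization_pending"}
        return {"access_token": "at." + secrets.token_urlsafe(16),
                "refresh_token": "rt." + secrets.token_urlsafe(16),
                "subject": da.subject, "scope": da.scope}


def simulate_phish(idp: AuthorizationServer, scope: str = "Mail.Read offline_access"):
    """Attacker starts the flow and mails only user_code + verification_uri.
    Returns (what the victim's browser was told, what the attacker's poller got)."""
    client = "attacker-public-client"           # assumed client id
    start = idp.device_authorization(client, scope)
    # Nothing is issued before the victim acts.
    assert idp.token(client, start["device_code"]) == {"error": "authorization_pending"}
    # Victim types the code and passes MFA on their own phone.
    victim_outcome = idp.verify_user_code(start["user_code"], "victim@corp.example", mfa_satisfied=True)
    # Attacker's next poll receives the tokens (or still 'pending' if policy blocked the victim).
    return victim_outcome, idp.token(client, start["device_code"])


if __name__ == "__main__":
    print(simulate_phish(AuthorizationServer()))
    print(simulate_phish(AuthorizationServer(device_code_allowed=False)))
```

The point of the model is the shape of `token()`: it never sees a user, a second factor, or a device, only a device_code and the fact that someone, somewhere, approved the matching user_code. That is exactly the separation Kali365 relies on, and it is why the fix is a policy that refuses the flow at `verify_user_code()` rather than a stronger MFA prompt.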

The Verizon DBIR supported this assessment from another perspective. The 2026 edition analyzed over 22,000 confirmed breaches across 145 countries. Vulnerability exploitation at 31% now surpasses credential abuse at 13%. The median time for full patching has risen to 43 days, up from 32. Organizations patched only 26% of critical flaws in CISA’s Known Exploited Vulnerabilities catalog, down from 38% the prior year.

This data paints a clear picture. The industry has spent two decades fortifying defenses against credential theft. However, the attacks currently effective in financial services either eliminate MFA through social engineering or capture tokens via legitimate authentication flows where MFA does not protect the attacker’s session.

MFA Bypass Exposure Audit Grid

Security directors should conduct this audit on their environment this week. Each row represents a confirmed attack path from the three reports mentioned earlier.

Attack surface: Teams vishing / help desk MFA reset
Confirmed event: Most active FS attacker called employees on Teams, got MFA reset, registered own device (CrowdStrike)
What MFA misses: Help desk verifies caller identity without out-of-band confirmation. Social engineering removes MFA entirely.
Action: Out-of-band verification for all MFA resets. FIDO2 hardware keys. Callback on a separate channel.

Attack surface: OAuth device code flow
Confirmed event: $250/month tool captures M365 tokens via the devicelogin page. MFA does not fire on the attacker’s device. (FBI)
What MFA misses: Not restricted in default Entra ID configurations. The authentication channel separates the user’s MFA challenge from the attacker’s token grant.
Action: Restrict device code flow in Entra ID conditional access. Block unmanaged devices.

Attack surface: Token persistence
Confirmed event: Both paths end here. Valid tokens can grant weeks or months of silent access depending on token lifetime configuration. (CrowdStrike + FBI)
What MFA misses: Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tools do not classify them that way.
Action: Monitor OAuth refresh token usage from unfamiliar devices. Token lifetime policies.

Attack surface: Post-access SaaS movement
Confirmed event: After reset, attackers pivoted to SaaS apps for credentials and documents. (CrowdStrike, insurance sector)
What MFA misses: DLP monitors file downloads, not post-reset session activity or token-based API calls from authorized sessions.
Action: Audit Graph API access. Flag bulk operations from reset or device-code sessions.

Attack surface: Budget misalignment
Confirmed event: Credential theft at 13%. Vulnerability exploitation at 31%. (Verizon DBIR) Patch reverse-engineering within 72 hours. (Ivanti)
What MFA misses: Legacy, login-only MFA investment addresses the threat that just dropped to third. Token capture and social engineering sit outside that investment.
Action: Rebalance toward token monitoring, session validation, and identity verification for resets.
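The first three rows of the grid each name a detection that MFA itself cannot provide. As an added example, not code from the article, CrowdStrike, the FBI, or Microsoft, here are those three detections in Python, run over constructed Entra ID style audit and sign-in records. The field and activity names (`activityDisplayName`, `authenticationProtocol`, `incomingTokenType`, "Admin deleted security info", "Register device") are assumptions about the shape of the logs, and every user, device, and IP address in the sample data is made up; map the names to whatever your own export emits.

```python
"""Added example (not the article's, CrowdStrike's, the FBI's or Microsoft's
code): three detections, one per grid row, over constructed Entra ID style
audit and sign-in records. Field and activity names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Times are UTC, ISO 8601.
AUDIT_LOG = [
    {"activityDateTime": "2026-05-12T09:02:00Z", "activityDisplayName": "Admin deleted security info",
     "initiatedBy": "helpdesk.agent@corp.example", "targetUser": "alice@corp.example"},
    {"activityDateTime": "2026-05-12T09:06:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": "alice@corp.example", "targetUser": "alice@corp.example"},
    {"activityDateTime": "2026-05-12T09:20:00Z", "activityDisplayName": "Register device",
     "initiatedBy": "alice@corp.example", "targetUser": "alice@corp.example"},
    # dave re-registers an authenticator with no preceding admin reset: normal
    {"activityDateTime": "2026-05-10T14:00:00Z", "activityDisplayName": "User registered security info",
     "initiatedBy": "dave@corp.example", "targetUser": "dave@corp.example"},
]
SIGNIN_LOG = [
    {"createdDateTime": "2026-05-11T08:00:00Z", "user": "carol@corp.example", "deviceId": "CAROL-PC",
     "ipAddress": "192.0.2.10", "authenticationProtocol": "none", "incomingTokenType": "none"},
    {"createdDateTime": "2026-05-11T08:30:00Z", "user": "dave@corp.example", "deviceId": "DAVE-PC",
     "ipAddress": "192.0.2.11", "authenticationProtocol": "none", "incomingTokenType": "none"},
    {"createdDateTime": "2026-05-12T11:00:00Z", "user": "bob@corp.example", "deviceId": "",
     "ipAddress": "203.0.113.9", "authenticationProtocol": "deviceCode", "incomingTokenType": "none"},
    {"createdDateTime": "2026-05-12T16:00:00Z", "user": "dave@corp.example", "deviceId": "DAVE-PC",
     "ipAddress": "192.0.2.11", "authenticationProtocol": "none", "incomingTokenType": "refreshToken"},
    {"createdDateTime": "2026-05-13T03:12:00Z", "user": "carol@corp.example", "deviceId": "android-4f9c",
     "ipAddress": "198.51.100.20", "authenticationProtocol": "none", "incomingTokenType": "refreshToken"},
]

# Assumed activity names for an admin-side MFA reset and a user-side re-enrolment.
RESET_ACTIVITIES = {"Admin deleted security info", "Admin updated security info"}
ENROLL_ACTIVITIES = {"User registered security info", "Register device"}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def helpdesk_reset_chains(audit, window=timedelta(hours=24)):
    """Grid row 1. An admin-initiated MFA reset is ordinary on its own; the
    same user enrolling a new authenticator or device within `window` is the
    help-desk vishing shape and is worth an out-of-band callback."""
    findings = []
    for reset in audit:
        if reset["activityDisplayName"] not in RESET_ACTIVITIES or reset["initiatedBy"] == reset["targetUser"]:
            continue
        t0 = _ts(reset["activityDateTime"])
        chain = [e["activityDisplayName"] for e in audit
                 if e["targetUser"] == reset["targetUser"] and e["activityDisplayName"] in ENROLL_ACTIVITIES
                 and t0 <= _ts(e["activityDateTime"]) <= t0 + window]
        if chain:
            findings.append({"user": reset["targetUser"], "reset_by": reset["initiatedBy"],
                             "reset_at": reset["activityDateTime"], "followed_by": chain})
    return findings


def device_code_signins(signins):
    """Grid row 2. Once the flow is blocked by policy, any success here is
    either a gap in the policy or an attacker's poller picking up a token."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]


def refresh_from_unfamiliar_device(signins):
    """Grid row 3. Build each user's device baseline from interactive sign-ins
    seen so far, then flag refresh-token redemptions from a device that never
    appeared in that baseline before the redemption."""
    baseline = defaultdict(set)
    findings = []
    for s in sorted(signins, key=lambda s: _ts(s["createdDateTime"])):
        if s["incomingTokenType"] == "refreshToken":
            if s["deviceId"] not in baseline[s["user"]]:
                findings.append({"user": s["user"], "device": s["deviceId"],
                                 "ip": s["ipAddress"], "at": s["createdDateTime"]})
        elif s["deviceId"]:
            baseline[s["user"]].add(s["deviceId"])
    return findings


if __name__ == "__main__":
    print("reset chains:", helpdesk_reset_chains(AUDIT_LOG))
    print("device code sign-ins:", device_code_signins(SIGNIN_LOG))
    print("unfamiliar refresh:", refresh_from_unfamiliar_device(SIGNIN_LOG))
```

On the sample data the reset-chain rule fires once (alice: help desk reset, then new security info and a new device inside twenty minutes), the device-code rule fires once (bob), and the refresh rule fires once (carol’s token redeemed from a device her interactive history has never seen). The refresh rule is deliberately order-sensitive: a device only enters the baseline through a sign-in that was not itself a refresh, so a token stolen and replayed from a new device cannot launder that device into the baseline.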


Mike Riemer, SVP and field CISO at Ivanti, explained to VentureBeat in an exclusive interview that the speed issue exacerbates the budget misalignment. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer noted. “They’re able to reverse engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.”

The structural problem is evident

“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoint and virtualization and cloud. People really focused on, hey, let’s patch all the vulnerabilities. Impossible. Let’s make sure we lock down all the permissions. Somehow always seem to miss something.”

The attackers most relevant to financial services presently aren’t stealing passwords. They are calling help desks, exploiting legitimate authentication flows, and capturing tokens that last for months. The defenses that have consumed a significant portion of security budgets over the past decade are aimed at a threat that has now fallen to third place.

The solution isn’t adding more layers of MFA. Zaitsev and Riemer both emphasized the need to rethink what MFA actually protects, what it doesn’t, and where the budget should be directed next.
