The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token. | Venture Beat

Overview

The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.

The attacker who hit the most financial services organizations over the past 12 months never phished a password. They called an IT support line, convinced an employee to reset their MFA, and registered their own device on the network.

Details

Crowd Strike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and multifactor authentication, then registered their own devices on corporate networks. The security control worked exactly as designed — and that was the problem.

Within days, the FBI published a public service announcement warning about Kali 365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali 365 captures Microsoft 365 OAuth tokens through the legitimate device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The token grants persistent access to Outlook, Teams, and One Drive without triggering another MFA prompt.

The Verizon 2026 Data Breach Investigations Report, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors. Vulnerability exploitation took the top position at 31%, displacing what Verizon called the longtime leading initial-access category. That's three independent sources, same structural finding. MFA protects password-based authentication, but the attacks dominating financial services increasingly bypass password theft through resets, token grants, and exploitation. The MFA Bypass Exposure Audit Grid at the end of this article maps all five confirmed attack surfaces from the Crowd Strike, FBI, and Verizon reports, what MFA misses on each one, and the specific fix for Monday morning.

The Crowd Strike numbers paint a sector under sustained pressure

Financial services ranked as the fourth most targeted sector by Q1 2026, accounting for 12% of all observed adversary activity, according to the Crowd Strike report. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier. In North America, that figure was 48%.

The e-crime side of the problem grew faster than most defenders expected. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period. That is a 27% increase from the 334 entities named in the prior 12 months. REVENANT SPIDER, which operates the Qilin ransomware-as-a-service program, posted the most financial services victims of any e-crime adversary on its dedicated leak site. The group’s financial services victim count jumped from 14 to 97 over the reporting period.

“Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password'?” Adam Meyers, senior vice president of counter adversary operations at Crowd Strike, told Venture Beat. That one sentence captures the structural shift his team documented across twelve months of financial services intrusions.

The interactive intrusion breakdown tells the story of who is actually getting inside these networks. E-crime actors drove 75% of hands-on-keyboard intrusions against financial services. State-sponsored adversaries accounted for the remaining 25%. That ratio has not moved since 2023. What changed is the total volume and the sophistication of the access techniques.

Mutant Spider’s vishing campaigns over Microsoft Teams represent a structural shift in initial access. The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools including Prion Flaire, Socks Loader, and Sleepy Mutagen. Crowd Strike believes the group sells that access to ransomware operators. The Teams call is step one. The ransom note is step five.

“Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password'?”

“Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password'?”

Scattered Spider returned to aggressive ransomware operations against insurance companies from April through July 2025, following a significant operational pause that began in December 2024. The group ran the same playbook it has used since 2022: help desk social engineering; credential and MFA reset requests; then lateral movement through integrated Saa S applications to locate data for extortion. In September 2025, the U. K.’s National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The U. S. Department of Justice separately charged one of them in connection with multiple cyberattacks against U. S. critical infrastructure.

Elia Zaitsev, Crowd Strike’s CTO, told Venture Beat in April that the speed of these operations is outpacing traditional defense models. “Traditional approaches are just not designed for this sort of behavior,” Zaitsev said.

Kali 365 turns token theft into a subscription service

Arctic Wolf, which published a technical deep dive on Kali 365 in April, documented a three-tier commercial structure. An admin tier for the developers, an agent tier for resellers, and a client tier for paying affiliates. Subscription pricing runs from

The Verizon DBIR reinforced that assessment from a different angle. The 2026 edition analyzed more than 22,000 confirmed breaches across 145 countries. Vulnerability exploitation at 31% now leads credential abuse at 13%. The median time for full patching increased to 43 days, up from 32. Organizations patched only 26% of critical flaws in CISA’s Known Exploited Vulnerabilities catalog, down from 38% the prior year.

That data creates a clear picture. The industry has spent two decades building defenses against credential theft. The attacks that are actually working in financial services either remove MFA through social engineering or capture tokens through legitimate authentication flows where MFA does not protect the attacker’s session.

Security directors need to run this audit against their environment this week. Each row represents a confirmed attack path from the three reports above.

Most active FS attacker called employees on Teams, got MFA reset, registered own device (Crowd Strike)

Most active FS attacker called employees on Teams, got MFA reset, registered own device (Crowd Strike)

Help desk verifies caller identity without out-of-band confirmation. Social engineering removes MFA entirely.

Help desk verifies caller identity without out-of-band confirmation. Social engineering removes MFA entirely.

Out-of-band verification for all MFA resets. FIDO2 hardware keys. Callback on a separate channel.

Out-of-band verification for all MFA resets. FIDO2 hardware keys. Callback on a separate channel.

Not restricted in default Entra ID configurations. Authentication channel separates user’s MFA challenge from attacker’s token grant.

Not restricted in default Entra ID configurations. Authentication channel separates user’s MFA challenge from attacker’s token grant.

Restrict device code flow in Entra ID conditional access. Block unmanaged devices.

Restrict device code flow in Entra ID conditional access. Block unmanaged devices.

Both paths end here. Valid tokens can grant weeks or months of silent access depending on token lifetime configuration. (Crowd Strike + FBI)

Both paths end here. Valid tokens can grant weeks or months of silent access depending on token lifetime configuration. (Crowd Strike + FBI)

Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tools do not classify them that way.

Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tools do not classify them that way.

Monitor OAuth refresh token usage from unfamiliar devices. Token lifetime policies.

Monitor OAuth refresh token usage from unfamiliar devices. Token lifetime policies.

After reset, attackers pivoted to Saa S apps for credentials and docs. (Crowd Strike, insurance sector)

After reset, attackers pivoted to Saa S apps for credentials and docs. (Crowd Strike, insurance sector)

DLP monitors file downloads, not post-reset session activity or token-based API calls from authorized sessions.

DLP monitors file downloads, not post-reset session activity or token-based API calls from authorized sessions.

Audit Graph API access. Flag bulk ops from reset or device-code sessions.

Audit Graph API access. Flag bulk ops from reset or device-code sessions.

Credential theft at 13%. Vuln exploitation at 31%. (Verizon DBIR) Patch reverse-engineering within 72 hours. (Ivanti)

Credential theft at 13%. Vuln exploitation at 31%. (Verizon DBIR) Patch reverse-engineering within 72 hours. (Ivanti)

Rebalance toward token monitoring, session validation, identity verification for resets.

Rebalance toward token monitoring, session validation, identity verification for resets.

Mike Riemer, SVP and field CISO at Ivanti, told Venture Beat in an exclusive interview that the speed problem compounds the budget misalignment. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer said. “They’re able to reverse engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.”

“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoint and virtualization and cloud. People really focused on, hey, let’s patch all the vulnerabilities. Impossible. Let’s make sure we lock down all the permissions. Somehow always seem to miss something.”

The attackers who matter most in financial services right now are not stealing passwords. They are calling help desks. They are exploiting legitimate authentication flows. They are capturing tokens that persist for months. The defenses that consumed the largest share of security budgets for the past decade are pointed at a threat that just dropped to third place.

The fix is not adding another layer of MFA — Zaitsev and Riemer both said as much. It's rethinking what MFA actually protects, what it doesn't, and where the budget needs to go next.

Deep insights for enterprise AI, data, and security leaders

By submitting your email, you agree to our Terms and Privacy Notice.

Key Takeaways

• The attack dominating financial services doesn't steal passwords

• The attacker who hit the most financial services organizations over the past 12 months never phished a password

• Crowd Strike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector

• Within days, the FBI published a public service announcement warning about Kali 365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month

• The Verizon 2026 Data Breach Investigations Report, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors