
The adversary that hit the most financial services organizations in the last 12 months never phished a password. It got on a call, talked an employee into resetting MFA, and registered its own device on the network.
CrowdStrike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 to March 2026, identified Mutant Spider as the most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. The operators impersonated internal IT support, persuaded employees to reset their credentials and multifactor authentication, then registered their own devices on the corporate network. The security controls worked exactly as designed – and that was the problem.
Within days, the FBI published a public service announcement warning about Kali365, a phishing-as-a-service platform sold on Telegram for $250 per month. Kali365 captures a Microsoft 365 OAuth token through a valid device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The resulting token provides persistent access to Outlook, Teams, and OneDrive without triggering another MFA prompt.
The Verizon 2026 Data Breach Investigations Report, released in May, confirmed that credential abuse dropped to 13% of initial access vectors in breaches. Vulnerability exploitation took the top spot at 31%, displacing what Verizon had long reported as the leading initial access category. These are three independent sources with the same structural finding: MFA protects password-based authentication, but the attacks dominating financial services increasingly sidestep password theft through help desk resets, token grants, and exploits. The MFA Bypass Exposure Audit Grid at the end of this article maps the five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA missed in each, and specific fixes to apply Monday morning.
CrowdStrike’s numbers portray a sector under constant pressure
According to the CrowdStrike report, financial services ranked as the fourth most targeted sector in Q1 2026, accounting for 12% of all observed adversary activity. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 than two years earlier. In North America the figure was 48%.
The e-crime side of the problem grew faster than most defenders expected. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period, a 27% increase from the 334 named in the previous 12 months. Revenant Spider, which operates the Quillin ransomware-as-a-service program, posted more financial services victims to its dedicated leak site than any other e-crime adversary. Its financial services victim count rose from 14 to 97 over the reporting period.
“Who needs a zero day if all you have to do is call the help desk and say, ‘I’ve forgotten my password’?” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat. That one sentence captures the structural change his team documented across twelve months of intrusions into financial services.
The breakdown of interactive intrusions shows who is actually getting inside these networks. E-crime actors carried out 75% of hands-on-keyboard intrusions against financial services; state-sponsored adversaries accounted for the remaining 25%. That ratio has not changed since 2023. What has changed is the overall volume and sophistication of the access techniques.
Mutant Spider’s vishing campaigns on Microsoft Teams represent a structural shift in initial access. The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools, including prionflare, soxloader, and sleepymutagen. CrowdStrike assesses that the group sells that access to ransomware operators. The Teams call is step one. The ransom note is step five.
After a significant operational pause that began in December 2024, Scattered Spider returned to aggressive ransomware operations against insurance companies from April to July 2025. The group ran the same playbook it has used since 2022: help desk social engineering, credential and MFA reset requests, then lateral movement through integrated SaaS applications to stage data for extortion. In September 2025, the UK’s National Crime Agency arrested and charged two alleged members of the group over the targeting of Transport for London. The US Justice Department separately charged one of them in connection with multiple cyberattacks against US critical infrastructure.
State-sponsored groups added scale and momentum
The report’s state-sponsored findings reinforce the identity problem from a different direction. DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51% increase over the previous year. In February 2025, Pressure Chollima carried out the largest single heist to date, stealing $1.46 billion in cryptocurrency by compromising Safe{Wallet}, a digital asset management platform used by the Bybit exchange, after infecting a developer’s machine via a trojanized Python project. China-nexus groups ran sustained campaigns against financial institutions across multiple continents. Hollow Panda exploited Check Point VPN devices to target banks in the Philippines, Indonesia, and Brazil. Vault Panda gained initial access through compromised VPN and firewall devices on four continents. Every state-sponsored campaign CrowdStrike documented shared a common thread: the adversary’s first steps targeted an identity, a credential, or a trusted access path.
CrowdStrike CTO Elia Zaitsev told VentureBeat in April that the pace of these operations is outpacing traditional defense models. “Traditional approaches are not designed for this type of behavior,” Zaitsev said.
Kali365 turns token theft into a subscription service
The FBI’s May 21 public service announcement on Kali365 confirmed the second attack path and made the problem a compound one. The platform abuses Microsoft’s OAuth 2.0 device authorization grant, a flow designed for devices such as smart TVs and conference room systems that cannot present an interactive login. Kali365 sends phishing emails impersonating trusted services such as Adobe Acrobat Sign, DocuSign, and SharePoint. The email carries a device code and instructions to visit a genuine Microsoft verification page. The victim enters the code and authenticates. MFA fires. The token goes to the attacker.
Arctic Wolf, which published a technical deep dive on Kali365 in April, documented a three-tier commercial structure: an administrator tier for the developers, an agent tier for resellers, and a customer tier for paying affiliates. Subscription pricing ranges from $250 for 30 days to $2,000 for a year. The platform supports 14 languages and includes AI-generated phishing lures, automated campaign templates, and a real-time tracking dashboard.
Device code flow is not a vulnerability. It is a feature. Microsoft designed it for devices that cannot support interactive login. The problem is that the default Entra ID configuration does not restrict its use, and most organizations have never audited whether any legitimate workflow actually requires it. Kali365 exploits that gap between design intent and deployment reality.
The Verizon DBIR reinforced that assessment from a different angle. The 2026 edition analyzed more than 22,000 confirmed breaches across 145 countries. Vulnerability exploitation, at 31%, now leads credential abuse, at 13%. The average time to fully patch rose from 32 to 43 days. Organizations remediated only 26% of the critical vulnerabilities on CISA’s Known Exploited Vulnerabilities list, down from 38% last year.
That data paints a clear picture. The industry has spent two decades building protections against credential theft. The attacks actually working in financial services either sidestep MFA through social engineering or capture tokens through legitimate authentication flows in which MFA never challenges the attacker’s session.
MFA Bypass Exposure Audit Grid
Security leaders should run this audit against their environment this week. Each row is a confirmed attack path from the three reports above.
| Attack surface | Confirmed incident | What MFA misses | Action |
|---|---|---|---|
| Teams vishing / help desk MFA reset | The most active FS adversary called employees on Teams, had MFA reset, then registered its own device (CrowdStrike) | Help desk confirms the caller’s identity without out-of-band verification; social engineering removes MFA entirely | Out-of-band verification for every MFA reset. FIDO2 hardware keys. Callback on a different channel |
| OAuth device code flow | A $250/month kit captures M365 tokens through the legitimate device login page; MFA fires on the victim’s device, not the attacker’s (FBI) | Default Entra ID configuration does not restrict the flow; the authentication channel separates the user’s MFA challenge from the attacker’s token grant | Restrict device code flow with Entra ID Conditional Access. Block unmanaged devices |
| Token persistence | Both routes end here. A valid token provides silent access for weeks or months depending on the configured token lifetime (CrowdStrike + FBI) | Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tooling does not classify them as such | Monitor OAuth refresh token use from unrecognized devices. Token lifetime policies |
| Post-access SaaS movement | After the reset, attackers moved into integrated SaaS apps for credentials and documents (CrowdStrike, insurance sector) | DLP watches file downloads, not post-reset session activity or token-based API calls from authorized sessions | Audit Graph API access. Flag bulk operations from reset or device-code sessions |
| Budget misalignment | Credential theft at 13%, vulnerability exploitation at 31% (Verizon DBIR). Patches reverse-engineered within 72 hours (Ivanti) | Legacy login-only MFA investment addresses a threat that has dropped to third place; token capture and social engineering fall outside that investment | Rebalance toward token monitoring, session verification, and identity verification for resets |
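The grid’s “monitor OAuth refresh token use from unrecognized devices” and “flag bulk operations from reset or device-code sessions” rows can be turned into a first-pass triage rule. The following is an added example, not tooling from any of the reports. The sign-in and activity records are constructed, and the field names (`authenticationProtocol`, `incomingTokenType`, `deviceDetail`, `sessionId`) are loosely modeled on Entra ID sign-in log properties but are assumptions here; map them to your actual log schema before use.

```python
"""First-pass triage of sign-in and activity telemetry for device-code and
token-based access. Added example; records below are constructed, not real
telemetry, and field names are assumptions modeled on Entra sign-in logs."""
from collections import Counter

# Constructed sample sign-in records (assumed schema).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@bank.example", "isInteractive": True,
     "authenticationProtocol": "oAuth2", "incomingTokenType": "none",
     "deviceDetail": {"deviceId": "dev-alice-laptop", "isManaged": True, "isCompliant": True},
     "ipAddress": "203.0.113.10", "sessionId": "sess-1"},          # normal interactive login
    {"id": "s2", "userPrincipalName": "alice@bank.example", "isInteractive": True,
     "authenticationProtocol": "deviceCode", "incomingTokenType": "none",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False},
     "ipAddress": "203.0.113.10", "sessionId": "sess-7"},          # Alice approving a device code
    {"id": "s3", "userPrincipalName": "alice@bank.example", "isInteractive": False,
     "authenticationProtocol": "none", "incomingTokenType": "refreshToken",
     "deviceDetail": {"deviceId": "", "isManaged": False, "isCompliant": False},
     "ipAddress": "198.51.100.77", "sessionId": "sess-7"},         # someone redeeming that refresh token
    {"id": "s4", "userPrincipalName": "bob@bank.example", "isInteractive": False,
     "authenticationProtocol": "none", "incomingTokenType": "refreshToken",
     "deviceDetail": {"deviceId": "dev-bob-desktop", "isManaged": True, "isCompliant": True},
     "ipAddress": "203.0.113.11", "sessionId": "sess-2"},          # routine silent refresh
]

# Assumed device inventory per user (e.g. exported from MDM enrollment).
KNOWN_DEVICES = {
    "alice@bank.example": {"dev-alice-laptop"},
    "bob@bank.example": {"dev-bob-desktop"},
}

# Constructed activity records tied to a sign-in session (e.g. file audit events).
SAMPLE_ACTIVITY = (
    [{"sessionId": "sess-7", "operation": "FileDownloaded"} for _ in range(150)]
    + [{"sessionId": "sess-1", "operation": "FileAccessed"} for _ in range(5)]
)

# Traits that on their own justify an alert; the rest are context.
ALERT_TRIGGERS = {"device_code_grant", "refresh_from_unrecognized_device"}


def signin_reasons(rec: dict, known_devices: dict) -> list:
    """Return the suspicious traits of one sign-in record (empty if benign)."""
    reasons = []
    dev = rec.get("deviceDetail", {})
    device_id = dev.get("deviceId") or ""   # empty ID counts as unrecognized
    recognized = device_id in known_devices.get(rec["userPrincipalName"], set())
    if rec.get("authenticationProtocol") == "deviceCode":
        reasons.append("device_code_grant")
    if not (dev.get("isManaged") or dev.get("isCompliant")):
        reasons.append("unmanaged_device")
    if not recognized:
        reasons.append("unrecognized_device")
    if rec.get("incomingTokenType") == "refreshToken" and not recognized:
        reasons.append("refresh_from_unrecognized_device")
    return reasons


def triage(records: list, known_devices: dict) -> list:
    """Return one alert per sign-in whose traits include an ALERT_TRIGGERS entry."""
    alerts = []
    for rec in records:
        reasons = signin_reasons(rec, known_devices)
        if ALERT_TRIGGERS & set(reasons):
            alerts.append({"id": rec["id"], "user": rec["userPrincipalName"],
                           "sessionId": rec.get("sessionId"), "reasons": reasons})
    return alerts


def bulk_ops_by_session(activity: list, flagged_sessions: set, threshold: int = 100) -> dict:
    """Count operations per flagged session and return those at or above threshold."""
    counts = Counter(a["sessionId"] for a in activity if a["sessionId"] in flagged_sessions)
    return {sess: n for sess, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    alerts = triage(SAMPLE_SIGNINS, KNOWN_DEVICES)
    for a in alerts:
        print(f"{a['id']} {a['user']} session={a['sessionId']} reasons={a['reasons']}")
    flagged = {a["sessionId"] for a in alerts}
    print("bulk operations from flagged sessions:", bulk_ops_by_session(SAMPLE_ACTIVITY, flagged))
```

On the constructed data this flags the device-code approval (`s2`) and the later refresh-token redemption from a device no inventory knows (`s3`), leaves Bob’s routine silent refresh alone, and then surfaces the 150 downloads riding on the flagged session. The unmanaged-device trait alone does not alert, which keeps the rule from paging on every personal browser; the refresh-token-plus-unrecognized-device combination is what matters for the token persistence row.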
Mike Reimer, Ivanti’s SVP and field CISO, told VentureBeat in an exclusive interview that the speed problem is exacerbated by budget misalignment. “Threat actors are reverse engineering patches, and the speed at which they are doing this has been greatly enhanced by AI,” Reimer said. “They are able to reverse engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they are ripe for exploitation.”
The structural problem is clear
“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoints and virtualization and the cloud. People really focused on, hey, let’s fix all the vulnerabilities. It’s impossible. Let’s make sure we find and remove all permissions. Somehow something always seems to be missing.”
The attackers who matter most in financial services right now aren’t stealing passwords. They are calling the help desk. They are exploiting legitimate authentication flows. They are capturing tokens that persist for months. Credential-theft defense, which has consumed the largest share of security budgets over the past decade, is aimed at a threat that has now dropped to third place.
The fix isn’t another layer of MFA; Zaitsev and Reimer both said as much. It is rethinking what MFA actually protects, what it does not, and where the budget needs to go next.