The attacker who hit the most financial services organizations over the past 12 months never phished a password. They called an IT support line, convinced an employee to reset their MFA, and registered their own device on the network.
CrowdStrike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and multifactor authentication, then registered their own devices on corporate networks. The security control worked exactly as designed — and that was the problem.
Within days, the FBI published a public service announcement warning about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali365 captures Microsoft 365 OAuth tokens through the legitimate device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The token grants persistent access to Outlook, Teams, and OneDrive without triggering another MFA prompt.
The Verizon 2026 Data Breach Investigations Report, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors. Vulnerability exploitation took the top position at 31%, displacing what Verizon called the longtime leading initial-access category. That’s three independent sources, same structural finding. MFA protects password-based authentication, but the attacks dominating financial services increasingly bypass password theft through resets, token grants, and exploitation. The MFA Bypass Exposure Audit Grid at the end of this article maps all five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA misses on each one, and the specific fix for Monday morning.
The CrowdStrike numbers paint a sector under sustained pressure
Financial services ranked as the fourth most targeted sector by Q1 2026, accounting for 12% of all observed adversary activity, according to the CrowdStrike report. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier. In North America, that figure was 48%.
The e-crime side of the problem grew faster than most defenders expected. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period. That is a 27% increase from the 334 entities named in the prior 12 months. REVENANT SPIDER, which operates the Qilin ransomware-as-a-service program, posted the most financial services victims of any e-crime adversary on its dedicated leak site. The group’s financial services victim count jumped from 14 to 97 over the reporting period.
“Who needs a zero day if all you have to do is call the help desk and say, ‘I forgot my password’?” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat. That one sentence captures the structural shift his team documented across twelve months of financial services intrusions.
The interactive intrusion breakdown tells the story of who is actually getting inside these networks. E-crime actors drove 75% of hands-on-keyboard intrusions against financial services. State-sponsored adversaries accounted for the remaining 25%. That ratio has not moved since 2023. What changed is the total volume and the sophistication of the access techniques.
Mutant Spider’s vishing campaigns over Microsoft Teams represent a structural shift in initial access. The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools including PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike believes the group sells that access to ransomware operators. The Teams call is step one. The ransom note is step five.
“Who needs a zero day if all you have to do is call the help desk and say, ‘I forgot my password’?”
Scattered Spider returned to aggressive ransomware operations against insurance companies from April through July 2025, following a significant operational pause that began in December 2024. The group ran the same playbook it has used since 2022: help desk social engineering; credential and MFA reset requests; then lateral movement through integrated SaaS applications to locate data for extortion. In September 2025, the U.K.’s National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The U.S. Department of Justice separately charged one of them in connection with multiple cyberattacks against U.S. critical infrastructure.
State-sponsored groups added scale and speed
The report’s state-sponsored findings reinforce the identity problem from a different direction. DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51% increase from the prior year. In February 2025, Pressure Chollima executed the largest single theft ever reported, stealing $1.46 billion in cryptocurrency by compromising Safe{Wallet}, a digital asset management platform supporting the Bybit exchange, after a developer’s machine was infected through a trojanized Python project. China-nexus groups conducted sustained campaigns against financial institutions across multiple continents. Hollow Panda exploited Check Point VPN appliances to target banks in the Philippines, Indonesia, and Brazil. Vault Panda gained initial access through compromised VPN and firewall appliances across four continents. Every state-sponsored campaign CrowdStrike documented shared a common thread. The adversary’s first move targeted an identity, a credential, or a trusted access path.
Elia Zaitsev, CrowdStrike’s CTO, told VentureBeat in April that the speed of these operations is outpacing traditional defense models. “Traditional approaches are just not designed for this sort of behavior,” Zaitsev said.
Kali365 turns token theft into a subscription service
The FBI’s May 21 public service announcement on Kali365 confirmed the second attack path that makes this a compound problem. The platform exploits Microsoft’s OAuth 2.0 device authorization grant flow, a mechanism designed for devices like smart TVs and conference room systems that cannot support interactive login. Kali365 sends phishing emails impersonating trusted services like Adobe Acrobat Sign, DocuSign, and SharePoint. The email contains a device code and instructions to visit a legitimate Microsoft verification page. The victim authenticates normally. MFA fires. The token goes to the attacker.
VB Transform · July 14–15 · Menlo Park · Agentic security & identity
Your agents have email access, credit card access, and terminal access. What happens when they’re compromised?
Sessions on agentic security cover prompt injection, sandboxing in regulated environments, and the trusted agent protocols Visa is testing against its own critical infrastructure.
See the full agenda →
Arctic Wolf, which published a technical deep dive on Kali365 in April, documented a three-tier commercial structure. An admin tier for the developers, an agent tier for resellers, and a client tier for paying affiliates. Subscription pricing runs from $250 for 30 days to $2,000 for a year. The platform supports 14 languages and includes AI-generated phishing lures, automated campaign templates, and a real-time tracking dashboard.
The device code flow is not a vulnerability. It is a feature. Microsoft designed it for devices that cannot support interactive login. The problem is that default Entra ID configurations do not restrict its use, and most organizations have never audited whether any legitimate workflow actually requires it. Kali365 exploits that gap between design intent and deployment reality.
The Verizon DBIR reinforced that assessment from a different angle. The 2026 edition analyzed more than 22,000 confirmed breaches across 145 countries. Vulnerability exploitation at 31% now leads credential abuse at 13%. The median time for full patching increased to 43 days, up from 32. Organizations patched only 26% of critical flaws in CISA’s Known Exploited Vulnerabilities catalog, down from 38% the prior year.
That data creates a clear picture. The industry has spent two decades building defenses against credential theft. The attacks that are actually working in financial services either remove MFA through social engineering or capture tokens through legitimate authentication flows where MFA does not protect the attacker’s session.
MFA Bypass Exposure Audit Grid
Security directors need to run this audit against their environment this week. Each row represents a confirmed attack path from the three reports above.
|
Attack Surface
|
Confirmed Event
|
What MFA Misses
|
Action
|
|
Teams vishing/help desk MFA reset
|
Most active FS attacker called employees on Teams, got MFA reset, registered own device (CrowdStrike)
|
Help desk verifies caller identity without out-of-band confirmation. Social engineering removes MFA entirely.
|
Out-of-band verification for all MFA resets. FIDO2 hardware keys. Callback on a separate channel.
|
|
OAuth device code flow
|
$250/mo tool captures M365 tokens via devicelogin page. MFA does not fire on attacker’s device. (FBI)
|
Not restricted in default Entra ID configurations. Authentication channel separates user’s MFA challenge from attacker’s token grant.
|
Restrict device code flow in Entra ID conditional access. Block unmanaged devices.
|
|
Token persistence
|
Both paths end here. Valid tokens can grant weeks or months of silent access depending on token lifetime configuration. (CrowdStrike + FBI)
|
Traditional credential-theft monitoring does not flag token-based access. Tokens are credential-equivalent bearer artifacts, but most detection tools do not classify them that way.
|
Monitor OAuth refresh token usage from unfamiliar devices. Token lifetime policies.
|
|
Post-access SaaS movement
|
After reset, attackers pivoted to SaaS apps for credentials and docs. (CrowdStrike, insurance sector)
|
DLP monitors file downloads, not post-reset session activity or token-based API calls from authorized sessions.
|
Audit Graph API access. Flag bulk ops from reset or device-code sessions.
|
|
Budget misalignment
|
Credential theft at 13%. Vuln exploitation at 31%. (Verizon DBIR) Patch reverse-engineering within 72 hours. (Ivanti)
|
Legacy, login-only MFA investment addresses the threat that just dropped to third. Token capture and social engineering sit outside that investment.
|
Rebalance toward token monitoring, session validation, identity verification for resets.
|
Mike Riemer, SVP and field CISO at Ivanti, told VentureBeat in an exclusive interview that the speed problem compounds the budget misalignment. “Threat actors are reverse engineering patches, and the speed at which they’re doing it has been enhanced greatly by AI,” Riemer said. “They’re able to reverse engineer a patch within 72 hours. If I release a patch and a customer doesn’t patch within 72 hours of that release, they’re open to exploit.”
The structural problem is clear
“People are forgetting about runtime security,” Zaitsev said. “We’ve done this before, with endpoint and virtualization and cloud. People really focused on, hey, let’s patch all the vulnerabilities. Impossible. Let’s make sure we lo
ck down all the permissions. Somehow always seem to miss something.”
The attackers who matter most in financial services right now are not stealing passwords. They are calling help desks. They are exploiting legitimate authentication flows. They are capturing tokens that persist for months. The defenses that consumed the largest share of security budgets for the past decade are pointed at a threat that just dropped to third place.
The fix is not adding another layer of MFA — Zaitsev and Riemer both said as much. It’s rethinking what MFA actually protects, what it doesn’t, and where the budget needs to go next.
To pull this off, a very basic HTML page was turned into a series of UTF-8 encoded bytes that were then declared to be a standard PNG image. The original 208 byte payload plus 4-byte PNG header only used part of a 9×9 pixel favicon. With a larger favicon image as typically used you could thus easily store more data, whether as visual noise like here or a bit more hidden.
You must be logged in to post a comment Login