MFA Is Not Protecting Your Bank: Hackers Now Reset It, Steal the Token, and Walk Right In

The Attack No One Is Talking About Loudly Enough
Forget the phishing email with the fake login page. That's old news.
The dominant attack on financial services right now involves a criminal calling your IT support line — often over Microsoft Teams — pretending to be a coworker, and convincing a helpdesk employee to reset their MFA. Once that's done, the attacker registers their own device. Security controls fire exactly as designed. The attacker gets in anyway.
That's the finding from CrowdStrike's 2026 Financial Services Threat Landscape Report, covering April 2025 through March 2026. CrowdStrike identified Mutant Spider as the single most active threat group targeting financial services over that period. Their weapon of choice wasn't malware. It was a phone call.
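The pattern above (a third party resets a user's MFA, then a new device is registered on the account minutes later) is something an audit log can surface. The following is an added example, not code from the article or from CrowdStrike; the event shape, field names and the one-hour window are constructed assumptions.

```python
"""Added example, not from the article: flag a helpdesk-performed MFA reset
that is followed shortly by a new device registration on the same account.
Events and field names are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, actor, action, target_user).
# An actor different from the target means someone else (e.g. helpdesk) acted.
SAMPLE_EVENTS = [
    ("2026-03-02T09:01:00", "helpdesk.jane", "mfa_reset", "alice"),
    ("2026-03-02T09:07:30", "alice", "device_registered", "alice"),
    ("2026-03-02T10:15:00", "helpdesk.jane", "mfa_reset", "bob"),
    ("2026-03-02T11:00:00", "carol", "mfa_reset", "carol"),        # self-service
    ("2026-03-02T11:05:00", "carol", "device_registered", "carol"),
    ("2026-03-03T14:00:00", "bob", "device_registered", "bob"),    # next day
]

WINDOW = timedelta(hours=1)  # assumed review window; tune to your environment

def parse(event):
    ts, actor, action, target = event
    return datetime.fromisoformat(ts), actor, action, target

def find_reset_then_register(events, window=WINDOW):
    """Return (user, reset_time, registration_time) for every account whose
    MFA was reset by someone other than the user and which then registered a
    new device within `window`. Self-service resets are ignored."""
    ordered = sorted((parse(e) for e in events), key=lambda e: e[0])
    pending = {}  # target_user -> time of latest third-party MFA reset
    hits = []
    for ts, actor, action, target in ordered:
        if action == "mfa_reset" and actor != target:
            pending[target] = ts
        elif action == "device_registered" and target in pending:
            reset_ts = pending.pop(target)
            if ts - reset_ts <= window:
                hits.append((target, reset_ts, ts))
    return hits

if __name__ == "__main__":
    for user, reset_ts, reg_ts in find_reset_then_register(SAMPLE_EVENTS):
        print(f"REVIEW: {user} MFA reset at {reset_ts}, new device at {reg_ts}")
```

Only the alice sequence is flagged: carol's reset was self-service and bob's registration fell outside the window.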
The Numbers Are Bad — And Getting Worse
Financial services accounted for 12% of all observed adversary activity by Q1 2026, ranking fourth among all sectors, according to CrowdStrike.
Hands-on-keyboard intrusions — meaning real humans actively operating inside compromised networks, not automated scripts — jumped 43% globally against financial institutions in 2025 compared to two years prior. In North America specifically, that number hit 48%.
Ransomware gangs are piling on. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period. That's a 27% increase from 334 entities the prior year. REVENANT SPIDER, which runs the Qilin ransomware-as-a-service operation, saw its financial services victim count explode from 14 to 97 in a single reporting cycle.
The Token Is the New Password
When you log in successfully — password plus MFA — the system issues you an authentication token. That token is a bearer credential: whoever presents it gets access. The system doesn't check who is holding it, only that the token itself is valid.
Attackers figured this out. They don't need your password. They don't even need to beat your MFA. They need the token issued after you already passed both.
According to Obsidian Security, token theft accounted for 31% of Microsoft 365 breaches in 2025, making it the top initial access vector. Refresh tokens are especially dangerous — they survive password resets and MFA invalidation. You can change your password after an incident, and an attacker holding your refresh token keeps access anyway.
FRSecure's incident response team handled 65 business email compromise cases in 2024-2025. Seventy-nine percent of those victims had MFA correctly deployed. Correctly. It didn't save them.
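To make the refresh-token point concrete from the defender's side, here is an added example (not from the article or from any vendor named in it) of a minimal token store. It shows that rotating the password does nothing to a refresh token already in an attacker's hands, while an explicit session revocation, modelled here as a per-user "not valid before" timestamp, rejects it. The signing key, token format and user names are constructed.

```python
"""Added example, not from the article: a minimal refresh-token store showing
why a password reset leaves a stolen refresh token usable while an explicit
session revocation (per-user "not valid before" time) kills it.
The key, token format and names are constructed for illustration."""
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed server-side signing key

class TokenStore:
    def __init__(self):
        self.password_hash = {}  # user -> hashed password
        self.valid_after = {}    # user -> epoch; tokens issued before it are dead

    def set_password(self, user, password):
        """Used for both enrolment and reset; touches nothing token-related."""
        self.password_hash[user] = hashlib.sha256(password.encode()).hexdigest()
        self.valid_after.setdefault(user, 0)

    def issue_refresh_token(self, user, issued_at=None):
        """Bearer token: anyone presenting it is accepted if the HMAC checks."""
        issued_at = int(time.time() if issued_at is None else issued_at)
        body = f"{user}:{issued_at}"  # user names assumed colon-free
        sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{sig}"

    def token_is_valid(self, token):
        user, issued_at, sig = token.rsplit(":", 2)
        body = f"{user}:{issued_at}".encode()
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # forged or tampered
        return int(issued_at) >= self.valid_after.get(user, float("inf"))

    def revoke_all_sessions(self, user, now=None):
        """Rejects every token for `user` issued before `now`."""
        self.valid_after[user] = int(time.time() if now is None else now)

def demo():
    """Returns (valid after password reset, valid after revocation, fresh token valid)."""
    store = TokenStore()
    store.set_password("alice", "hunter2")
    stolen = store.issue_refresh_token("alice", issued_at=1_000)  # attacker holds this
    store.set_password("alice", "a-new-password")   # the usual post-incident step
    after_reset = store.token_is_valid(stolen)      # True: reset changed nothing
    store.revoke_all_sessions("alice", now=2_000)
    after_revoke = store.token_is_valid(stolen)     # False: now rejected
    fresh = store.issue_refresh_token("alice", issued_at=2_500)
    return after_reset, after_revoke, store.token_is_valid(fresh)
```

The practical takeaway is that incident response after a suspected token theft must revoke sessions (and re-check registered devices), not just rotate the password.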
The $250 Hack Kit Anyone Can Buy
The FBI issued a public service announcement flagging Kali365, a phishing-as-a-service platform available on Telegram for as little as $250 a month.
Kali365 exploits Microsoft 365's legitimate device code authentication flow. MFA fires on the victim's device. The attacker receives the OAuth token. Then they have persistent, silent access to Outlook, Teams, and OneDrive — with NO additional MFA prompts required.
This is not some nation-state zero-day. This is a subscription service cheaper than Netflix's ad-free tier, automating token theft against corporate Microsoft environments.
What Verizon's Report Confirms
The Verizon 2026 Data Breach Investigations Report, also released this May, adds a third data point to the same pattern. According to Verizon, credential theft dropped to just 13% of breach initial access vectors — it used to be the top category. Vulnerability exploitation jumped to 31%, taking the top spot.
Attackers are diversifying their bypass routes. MFA was built to stop password theft. Password theft is no longer how the serious attackers are getting in.
What Mainstream Coverage Is Missing
Most tech and financial press coverage of this topic is still framing MFA as a solution with minor caveats. That framing is dangerously wrong.
MFA is a solved problem — for attackers. The technique is industrialized, cheap, and for sale on Telegram. The banks, brokerages, and credit unions that spent years rolling out MFA and telling customers they were protected need to say something different now. They aren't saying it.
These aren't exotic technical exploits requiring nation-state resources. Mutant Spider's primary weapon was a voice call. A real person convincing another real person to make a small administrative change. No code required.
What This Means for Regular People
If your bank, brokerage, or employer has been breached and you changed your password afterward — that may have done nothing. If an attacker grabbed your session token or registered their own device before you noticed, they could still be in.
Password hygiene still matters. MFA still matters — it raises the bar. But the bar got raised on defense, and offense cleared it.
Demand your financial institutions implement phishing-resistant authentication standards like FIDO2 hardware keys. Demand they verify device registrations. Demand they train helpdesk staff to resist social engineering — not just malware.
Because right now, the most dangerous attack on your money starts with someone picking up a phone.