
The attacker who hit the most financial services organizations in the past 12 months never stole a password. They called the IT help desk, convinced an employee to reset multi-factor authentication (MFA), and registered their own device on the network.
The CrowdStrike 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 to March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group's main technique was voice phishing (vishing) over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and MFA, then registered attacker-controlled devices on corporate networks. The security controls worked exactly as designed, and that was the problem.
Within days, the FBI issued a public service announcement warning about Kali365, a phishing platform sold on Telegram for $250 per month. Kali365 obtains Microsoft 365 OAuth tokens through a legitimate device code authentication flow. The MFA prompt fires on the victim's device, not the attacker's. The resulting token gives persistent access to Outlook, Teams, and OneDrive without ever triggering another MFA challenge.
The Verizon 2026 Data Breach Investigations Report, also released in May, found that credential abuse had dropped to 13% of initial access vectors. Vulnerability exploitation took the top spot at 31%, displacing what Verizon had long reported as the leading initial access category. These three independent sources point to the same structural finding: MFA protects password-based authentication, but the attacks now prevalent in financial services go around it through help-desk resets, token grants, and exploits. The MFA blind-spot audit table at the end of this article maps five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA missed in each, and a specific fix to start on Monday morning.
The CrowdStrike numbers paint a sector under constant pressure
According to the CrowdStrike report, financial services ranked as the fourth most targeted sector by Q1 2026, accounting for 12% of all observed adversary activity. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 than two years earlier; in North America the increase was 48%.
The cybercrime side of the problem has grown faster than most analysts expected. Big game hunting operators named 423 financial services organizations on dedicated leak sites during the reporting period, a 27% increase from the 334 named in the previous 12 months. REVENANT SPIDER, which runs the Qilin ransomware-as-a-service program, posted more financial services victims to its dedicated leak site than any other cybercriminal adversary; its count of financial services victims rose from 14 to 97 during the reporting period.
“Who needs a zero day, just call the help desk and say ‘I forgot my password’?” Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike, told VentureBeat. That one sentence captures the structural change his team has documented over twelve months of financial services investigations.
Interactive intrusion attribution tells the story of who is actually getting into these networks. Cybercriminal actors accounted for 75% of financial services intrusions; the remaining 25% were state-sponsored adversaries. That ratio has not changed since 2023. What has changed is the overall volume and sophistication of the access techniques.
Mutant Spider's vishing campaigns over Microsoft Teams reflect a structural change in initial access. The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools including PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike believes the group sells this access to ransomware operators. The Teams call is step one; the ransom note is step five.
Scattered Spider returned to aggressive ransomware operations against insurance companies from April to July 2025, after a significant operational hiatus that began in December 2024. The group ran the same playbook it has used since 2022: help desk social engineering, credential and MFA reset requests, then lateral movement through integrated SaaS applications to find data for extortion. In September 2025, the UK's National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The US Department of Justice separately charged one of them with numerous cyber attacks against US critical infrastructure.
State-sponsored groups have added scale and momentum
The report's findings on state-sponsored adversaries reinforce the identity problem from a different direction. DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51% increase over the previous year. In February 2025, Pressure Chollima carried out the largest single heist ever reported, stealing $1.46 billion in cryptocurrency from Safe{Wallet}, a digital asset management platform used by the Bybit exchange, after compromising a developer's machine via a trojanized Python project. China-nexus groups have waged sustained campaigns against financial institutions on multiple continents. Hollow Panda exploited Check Point VPN appliances to target banks in the Philippines, Indonesia and Brazil. Vault Panda gained initial access through insecure VPN and firewall devices on four continents. Every state-sponsored campaign CrowdStrike documented shared a common theme: the adversary's first move targeted an identity, a credential, or a trusted access path.
Elia Zaitsev, CTO of CrowdStrike, told VentureBeat in April that the speed of these operations outpaces what traditional defense models were built for. “Traditional approaches are not designed for this kind of behavior,” Zaitsev said.
Kali365 turns token theft into a subscription service
The FBI's May 21st public service announcement on Kali365 confirmed a second attack avenue that compounds the problem. The platform uses Microsoft's OAuth 2.0 device authorization grant flow, a mechanism designed for devices such as smart TVs and conference room systems that lack a browser or keyboard for interactive sign-in. Kali365 sends phishing emails impersonating trusted services such as Adobe Acrobat Sign, DocuSign, and SharePoint. The email contains a code (the user code from the device authorization flow) and instructions to enter it on Microsoft's legitimate device login page. The victim authenticates as usual, MFA completes on the victim's own device, and the token is issued to the attacker's waiting client.
Arctic Wolf published a technical deep dive on Kali365 in April documenting its three-tier structure: a management tier for developers, an agent tier for resellers, and a customer tier for paying affiliates. Subscription prices range from $250 for 30 days to $2,000 for a year. The platform supports 14 languages and includes AI-generated phishing lures, automated campaign templates and a real-time tracking dashboard.
Device code flow is not a vulnerability; it is a feature. Microsoft designed it for devices that cannot take interactive input. The problem is that default Entra ID configurations do not restrict it, and most organizations have never checked whether any legitimate workflow actually requires it. Kali365 exploits the gap between design intent and deployment reality.
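To make the mechanism above concrete, here is an added simulation of the device authorization grant (RFC 8628) in the abuse pattern described. It is not code from Kali365, Microsoft, the FBI notice, or this article: the authorization server, the client id, the victim account, and the tokens are all constructed in memory, and the `block_device_code` flag is this example's stand-in for a Conditional Access restriction rather than a real Entra ID setting. The point it demonstrates is that the victim's MFA challenge and the attacker's token grant are two different sessions joined only by an eight-character code.

```python
"""Added simulation of the OAuth 2.0 device authorization grant (RFC 8628) in
the device-code phishing pattern.  Not code from Kali365, Microsoft or the FBI
notice: the server, client id, user and tokens below are constructed in memory,
and block_device_code is a stand-in for a Conditional Access restriction."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"   # consonant-only, like real user codes


class AuthServer:
    """Minimal authorization server with the three RFC 8628 touch points."""

    def __init__(self, block_device_code=False):
        self.block_device_code = block_device_code
        self.pending = {}      # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """Step 1: the client (here the attacker's tool) starts the flow.
        No user is involved yet; any client can call this endpoint."""
        if self.block_device_code:
            raise PermissionError("device code flow blocked by tenant policy")
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "subject": None, "expires_at": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",
                "expires_in": 900, "interval": 5}

    def verify_user_code(self, user_code, username, mfa_passed):
        """Step 2: the victim types the user code into the genuine login page on
        their own device and completes password plus MFA there."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["expires_at"] > time.time():
                if not mfa_passed:
                    return False
                rec["subject"] = username   # victim is now bound to the attacker's request
                return True
        return False

    def token(self, device_code, client_id):
        """Step 3: the client polls.  After approval the tokens are minted for
        the polling client, which never saw an MFA prompt."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if rec["expires_at"] <= time.time():
            return {"error": "expired_token"}
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": rec["scope"], "subject": rec["subject"],
                "access_token": secrets.token_urlsafe(48),
                "refresh_token": secrets.token_urlsafe(48)}   # long-lived bearer artifact


def run_device_code_phish(block_device_code=False):
    """Play the lure end to end and report who holds the token at the end.
    Returns None when tenant policy stops the flow before a lure can be sent."""
    server = AuthServer(block_device_code=block_device_code)
    attacker_client = "phish-kit-client"          # constructed client id
    try:
        grant = server.device_authorization(attacker_client,
                                            "Mail.Read Files.Read offline_access")
    except PermissionError:
        return None
    # The lure e-mail carries grant["user_code"] plus the genuine verification URI.
    first_poll = server.token(grant["device_code"], attacker_client)   # victim has not acted
    approved = server.verify_user_code(grant["user_code"], "alice@bank.example",
                                       mfa_passed=True)                # MFA on the victim's laptop
    final_poll = server.token(grant["device_code"], attacker_client)   # tokens to the attacker
    return {
        "pending_before_victim_acted": first_poll.get("error") == "authorization_pending",
        "victim_passed_mfa": approved,
        "token_holder": attacker_client if "access_token" in final_poll else None,
        "token_subject": final_poll.get("subject"),
        "has_refresh_token": "refresh_token" in final_poll,
    }


if __name__ == "__main__":
    print(run_device_code_phish())                        # attacker holds alice's tokens
    print(run_device_code_phish(block_device_code=True))  # None: flow never starts
```

Note the two things the victim never sees: the `client_id` that started the flow and the `refresh_token` that comes back to it. Blocking the flow at the tenant (the `block_device_code=True` path) is the only step in this exchange that happens before the lure is sent; everything after the user code is typed is legitimate authentication.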
The Verizon DBIR reinforced this assessment from a different angle. The 2026 edition analyzed more than 22,000 confirmed breaches in 145 countries. Vulnerability exploitation, at 31%, now leads credential abuse, at 13%. Average time to full patch increased from 32 days to 43 days. Organizations patched only 26% of critical flaws in CISA's Known Exploited Vulnerabilities catalog, down from 38% the previous year.
The data paint a clear picture. The industry has spent two decades building defenses against credential theft. The attacks that actually work in financial services either remove MFA through social engineering or capture tokens through legitimate authentication flows in which MFA never challenges the attacker's session.
MFA blind-spot audit table
Security leaders should run this audit against their own environment this week. Each row is a confirmed attack path from the three reports above.
| Attack surface | Confirmed event | What MFA misses | Action |
|---|---|---|---|
| Vishing / help desk MFA reset | The most active FS adversary called employees over Teams, had MFA reset, and registered its own device. (CrowdStrike) | The help desk verifies the caller's identity without out-of-band confirmation. Social engineering removes MFA entirely. | Out-of-band verification for every MFA reset. FIDO2 hardware keys. Callback on a separate channel. |
| OAuth device code flow | A $250-a-month tool pulls M365 tokens through a legitimate device login page. MFA fires on the victim's device, not the attacker's. (FBI) | Default Entra ID configurations do not restrict the flow. The flow separates the user's MFA challenge from the attacker's token grant. | Restrict device code flow with an Entra ID Conditional Access policy. Block unmanaged devices. |
| Token persistence | Both paths end here. Valid tokens provide silent access for weeks or months, depending on token lifetime configuration. (CrowdStrike + FBI) | Traditional credential-theft monitoring does not see token-based access. Tokens are bearer artifacts equivalent to credentials, but most detection tooling does not treat them as such. | Monitor OAuth refresh token use from unknown devices. Tighten token lifetime policies. |
| Post-access SaaS movement | After the reset, attackers pivoted into SaaS applications for credentials and documents. (CrowdStrike, insurance sector) | DLP watches file downloads, not post-reset session activity or token-based API calls from authorized sessions. | Audit Graph API access. Log bulk operations from sessions created after a reset or via device code. |
| Budget mismatch | Credential abuse 13%. Vulnerability exploitation 31%. (Verizon DBIR) Patches reverse-engineered within 72 hours. (Ivanti) | Entry-point MFA investment targets a threat that has dropped to third place. Token capture and social engineering sit outside that investment. | Rebalance toward token monitoring, session validation, and identity verification for resets. |
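The following added example shows what the "Action" column of the first three rows looks like as detection logic run over sign-in and audit records. It is not code from CrowdStrike, the FBI, Microsoft, or this article. Field names follow the Microsoft Graph `signIn` (`authenticationProtocol`, `isInteractive`, `deviceDetail`) and `directoryAudit` (`activityDisplayName`, `initiatedBy`, `targetResources`) resources; the log records, the managed-device inventory, the audit activity names used for authenticator resets, and the 24-hour correlation window are constructed or assumed for the example and should be checked against the tenant's own logs before use.

```python
"""Added detection example for the identity blind spots in the first three rows
of the table: help-desk MFA resets, device code sign-ins and token use from
unknown devices.  Not code from CrowdStrike, the FBI or Microsoft.  Field names
follow the Microsoft Graph signIn and directoryAudit resources; the records,
the device inventory, the activity names and the 24-hour window are constructed
or assumed for this example."""
from datetime import datetime, timedelta, timezone

# Constructed Entra ID sign-in records (subset of Graph signIn fields).
SIGN_INS = [
    {"userPrincipalName": "alice@bank.example", "createdDateTime": "2026-05-20T09:02:11Z",
     "authenticationProtocol": "deviceCode", "isInteractive": True, "ipAddress": "203.0.113.7",
     "appDisplayName": "Microsoft Office", "deviceDetail": {"deviceId": "", "isManaged": False}},
    {"userPrincipalName": "bob@bank.example", "createdDateTime": "2026-05-20T10:15:40Z",
     "authenticationProtocol": "oAuth2", "isInteractive": False, "ipAddress": "198.51.100.23",
     "appDisplayName": "Microsoft Teams", "deviceDetail": {"deviceId": "dev-9f3", "isManaged": False}},
    {"userPrincipalName": "carol@bank.example", "createdDateTime": "2026-05-20T11:00:05Z",
     "authenticationProtocol": "oAuth2", "isInteractive": False, "ipAddress": "10.20.30.40",
     "appDisplayName": "Outlook", "deviceDetail": {"deviceId": "dev-corp-0042", "isManaged": True}},
]

# Constructed Entra ID audit records (subset of Graph directoryAudit fields).
AUDIT = [
    {"activityDisplayName": "Admin deleted security info", "activityDateTime": "2026-05-20T08:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@bank.example"}},
     "targetResources": [{"userPrincipalName": "bob@bank.example"}]},
    {"activityDisplayName": "User registered security info", "activityDateTime": "2026-05-20T08:41:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@bank.example"}},
     "targetResources": [{"userPrincipalName": "bob@bank.example"}]},
]

KNOWN_DEVICES = {"dev-corp-0042", "dev-corp-0043"}      # constructed managed-device inventory
RESET_ACTIVITIES = {"Admin deleted security info", "Admin registered security info"}  # assumed names
REGISTER_ACTIVITIES = {"User registered security info"}                               # assumed name


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _target(evt):
    return evt["targetResources"][0]["userPrincipalName"]


def audit_identity_blind_spots(sign_ins, audit, known_devices, window=timedelta(hours=24)):
    """Return a list of findings; each rule name maps back to a table row."""
    findings = []
    resets = [(_target(e), _ts(e["activityDateTime"]), e["initiatedBy"]["user"]["userPrincipalName"])
              for e in audit if e["activityDisplayName"] in RESET_ACTIVITIES]
    regs = [(_target(e), _ts(e["activityDateTime"]))
            for e in audit if e["activityDisplayName"] in REGISTER_ACTIVITIES]

    # Row 1: an admin-side reset of authenticators followed by a fresh registration.
    for upn, t_reset, admin in resets:
        for r_upn, t_reg in regs:
            if r_upn == upn and t_reset <= t_reg <= t_reset + window:
                findings.append({"rule": "mfa_reset_then_reregistration", "user": upn,
                                 "reset_by": admin, "minutes": (t_reg - t_reset).seconds // 60})

    for s in sign_ins:
        upn, dev, t = s["userPrincipalName"], s["deviceDetail"], _ts(s["createdDateTime"])
        known = dev["isManaged"] and dev["deviceId"] in known_devices
        # Row 2: any device code grant; most tenants have no workflow that needs it.
        if s["authenticationProtocol"] == "deviceCode":
            findings.append({"rule": "device_code_sign_in", "user": upn,
                             "ip": s["ipAddress"], "app": s["appDisplayName"]})
        # Row 3: non-interactive (token-based) access from a device not in inventory.
        if not s["isInteractive"] and not known:
            findings.append({"rule": "token_use_unknown_device", "user": upn,
                             "device": dev["deviceId"] or "<none>", "ip": s["ipAddress"]})
        # Row 1 again: sign-ins inside the window after a reset that come from an unknown device.
        for r_upn, t_reset, admin in resets:
            if r_upn == upn and t_reset <= t <= t_reset + window and not known:
                findings.append({"rule": "post_reset_sign_in_unknown_device", "user": upn,
                                 "reset_by": admin, "ip": s["ipAddress"]})
    return findings


def rules_for(findings, upn):
    """Set of rule names that fired for one user."""
    return {f["rule"] for f in findings if f["user"] == upn}


if __name__ == "__main__":
    for f in audit_identity_blind_spots(SIGN_INS, AUDIT, KNOWN_DEVICES):
        print(f)
```

On the constructed sample, alice trips only the device code rule, bob trips the reset-and-reregister chain plus token use from a device the inventory has never seen, and carol's non-interactive sign-in is silent because her device is managed and known. The interactive/non-interactive split is what separates the initial grant from later refresh-token use, which is the signal the "Token persistence" row asks for.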
Mike Riemer, SVP and field CISO at Ivanti, told VentureBeat in an exclusive interview that the speed problem compounds the budget mismatch. “Dangerous actors are reverse-engineering patches, and the speed at which they do this has been greatly enhanced by artificial intelligence,” Riemer said. “They can reverse the patch within 72 hours. If I release a patch and the customer doesn’t patch within 72 hours of that release, they’re open to exploitation.”
The structural problem is clear
“People forget about security at work,” Zaitsev said. “We’ve done it before, with endpoint and virtualization and cloud. People are really focused on, hey, let’s fix all the vulnerabilities. It’s impossible. Let’s make sure we lock down all the permissions. For some reason, we always seem to miss something.”
Today the most consequential attackers in financial services do not steal passwords. They call the help desk. They use legitimate authentication flows. They hold tokens that last for months. The defensive tooling that has consumed the largest share of security budgets over the last decade is pointed at the third-ranked threat.
The fix is not another layer of MFA; Zaitsev and Riemer both said as much. It is reconsidering what MFA actually protects, what it does not, and where the budget should go next.





