Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
Summary
Phishing-resistant authentication is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel credential stuffing, AiTM relay attacks, and help desk social engineering. Legacy push, SMS, and TOTP factors can be relayed or fatigued into approval, so they do not reliably prove the real user is present. The guidance centers on FIDO2/WebAuthn-style controls with cryptographic origin binding, hardware-bound keys, and live biometric verification so the login fails if the origin is spoofed or the authorized person is absent.
Related Happenings
EvilTokens Microsoft 365 consent phishing campaign
Campaign
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Storm-2755 payroll pirate campaign targeting Canadian employees
Campaign
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
The **Storm-2755** campaign is stealing **Canadian employees' salary payments** by hijacking accounts through **Microsoft 365** phishing pages, creating immediate payroll-diversio...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Timeline
- 09.04.2026 17:02 · 2 articles
Figure email exposure leads to phishing-resistant auth guidance
Technical Analysis Update
A February 2026 Figure breach exposed nearly 967,200 email records and is framed as the starting point for downstream credential stuffing, targeted phishing, help desk social engineering, and adversary-in-the-middle relay attacks that can defeat push, SMS, and TOTP-based MFA. The recommended response is phishing-resistant authentication with cryptographic origin binding, hardware-bound private keys, and live biometric verification so a spoofed origin or relayed session cannot authenticate as the authorized individual.
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02