Phishing-resistant authentication to block post-breach credential abuse and relay attacks
Defensive Guidance
Summary
Hide ▲
Show ▼
Phishing-resistant authentication is being emphasized as the control that can stop post-breach account takeover when exposed email records fuel credential stuffing, AiTM relay attacks, and help desk social engineering. Legacy push, SMS, and TOTP factors can be relayed or fatigued into approval, so they do not reliably prove the real user is present. The guidance centers on FIDO2/WebAuthn-style controls with cryptographic origin binding, hardware-bound keys, and live biometric verification so the login fails if the origin is spoofed or the authorized person is absent.
Related Happenings
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive Guidance
H score17
First: 24.06.2026 17:02
Last: 24.06.2026 17:02
Sources 1
About this happening:
**Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive GuidanceAbout this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
CISA FortiBleed mitigation guidance
Advisory/Mitigation
H score67
First: 19.06.2026 09:47
Last: 19.06.2026 09:47
Sources 1
About this happening:
**CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
CISA FortiBleed mitigation guidance
Advisory/MitigationAbout this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
EvilTokens Microsoft 365 consent phishing campaign
CampaignAbout this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
H score34
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Microsoft AiTM payroll pirate attack mitigation
Advisory/MitigationAbout this happening: **Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Timeline
-
09.04.2026 17:02 2 articles · 3mo ago
Figure email exposure leads to phishing-resistant auth guidance
Technical Analysis UpdateA February 2026 Figure breach exposed nearly 967,200 email records and is framed as the starting point for downstream credential stuffing, targeted phishing, help desk social engineering, and adversary-in-the-middle relay attacks that can defeat push, SMS, and TOTP-based MFA. The recommended response is phishing-resistant authentication with cryptographic origin binding, hardware-bound private keys, and live biometric verification so a spoofed origin or relayed session cannot authenticate as the authorized individual.
Show sources
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02
- When attackers already have the keys, MFA is just another door to open — www.bleepingcomputer.com — 09.04.2026 17:02