For roughly a decade, “turn on MFA” was the single most effective piece of cyber security advice you could give a business. It still helps. But the threat landscape in 2026 has decisively moved past most common MFA implementations — and the gap between “has MFA” and “has phishing-resistant MFA” is now where most account takeovers occur.

What changed

Three things have changed phishing in the last few years:

  • Adversary-in-the-middle (AiTM) phishing kits — commercial kits like Evilginx, Tycoon, and many successors — are widely available. They proxy the real Microsoft or Google login through an attacker-controlled site, capturing the session token after a victim completes MFA.
  • SMS and push-based MFA bypass. SMS is interception-prone via SIM-swap. Push-approval MFA is bypassable via push fatigue or social-engineering pretexts, particularly during incident-response stress.
  • AI-generated phishing. Generative AI removes the historic indicators of phishing — bad grammar, awkward phrasing, generic targeting. Personalised, context-aware lures are now produced at scale.

What phishing-resistant MFA means

Phishing-resistant authentication means the credential cannot be replayed by an adversary even if the user is convinced to use it on a malicious site: the authenticator signs a fresh challenge that is cryptographically bound to the origin and relying-party identifier the credential was registered for, so a proxy on a different domain never receives anything it can reuse. In practice, in 2026, that means:

  • FIDO2 / WebAuthn hardware keys (e.g. YubiKeys).
  • Passkeys, where properly bound to the device and origin.
  • Windows Hello for Business, when correctly configured with TPM-backed credentials.
  • Smart cards, in environments still using them.
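To make the origin binding concrete, here is an added example (not code from the original post, and not any vendor's implementation) of the relying-party checks a WebAuthn server performs on a sign-in assertion before it even looks at the signature. The relying-party ID `login.example.com`, the allowed-origin set and the simulated browser output are constructed for the example. The browser, not the web page, fills in the `origin` field of `clientDataJSON`, and it will not run the ceremony at all for an RP ID that does not match the page's domain; the server-side check shown here is the backstop that makes a response captured through an AiTM proxy worthless. The final step, verifying the signature over `signed_payload()` with the public key stored at registration, is described but not executed because it needs that key.

```python
import base64
import hashlib
import json
import os

# Constructed relying-party configuration for this example.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_challenge() -> str:
    """Server side: one fresh random challenge per ceremony, stored against the login session."""
    return b64url_encode(os.urandom(32))


def make_assertion(origin: str, challenge: str, rp_id: str) -> dict:
    """Simulate the browser-side output of navigator.credentials.get() (signature omitted).

    The browser writes `origin` from the page that called the API; a page served
    from a proxy domain cannot claim the legitimate origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x05])                 # bit 0 = user present, bit 2 = user verified
    sign_count = (1).to_bytes(4, "big")
    return {
        "clientDataJSON": b64url_encode(client_data),
        "authenticatorData": b64url_encode(rp_id_hash + flags + sign_count),
    }


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party checks that precede the signature check. Returns (ok, reason)."""
    client_data_raw = b64url_decode(assertion["clientDataJSON"])
    client_data = json.loads(client_data_raw)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed response"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not a registered origin"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def signed_payload(assertion: dict) -> bytes:
    """Bytes the authenticator signed: authenticatorData || SHA-256(clientDataJSON).

    Checking the signature over these bytes with the registered public key is the
    last step of verification and is not performed here.
    """
    client_data_raw = b64url_decode(assertion["clientDataJSON"])
    return b64url_decode(assertion["authenticatorData"]) + hashlib.sha256(client_data_raw).digest()


if __name__ == "__main__":
    challenge = issue_challenge()
    legitimate = make_assertion("https://login.example.com", challenge, RP_ID)
    # Constructed AiTM proxy origin: the browser would stamp this into clientDataJSON.
    proxied = make_assertion("https://login.example.com.proxy.test", challenge, RP_ID)
    print("legitimate:", verify_assertion(legitimate, challenge))
    print("via proxy: ", verify_assertion(proxied, challenge))
```

The contrast with a one-time code is the point: a TOTP value typed into the proxy site is equally valid on the real site, whereas the assertion above carries the origin it was produced for and a challenge that is only valid once.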

What does not qualify: SMS, time-based codes, push approval, voice call, or one-time codes from authenticator apps. These remain better than nothing, but they are no longer adequate for accounts that matter.

What to do, in priority order

  1. Move all privileged accounts to phishing-resistant MFA immediately. Domain admins, cloud platform admins, finance approval roles, executive accounts. Hardware keys are the simplest path.
  2. Roll out passkeys for general workforce as a second wave. Microsoft, Google, and Apple have all stabilised passkey support across their primary platforms.
  3. Configure conditional access to require phishing-resistant authentication for high-risk operations (administrative actions, sensitive data access, finance functions).
  4. Block legacy authentication. Most AiTM and credential-stuffing attacks rely on legacy auth pathways being available. Disable them.
  5. Phish your own people. Regular, calibrated phishing simulation programmes — not punitive, focused on training — remain among the most cost-effective controls.

What we are seeing in incident response

The pattern in incidents we have responded to in the last 12 months is consistent: an executive or finance staff member is targeted with a personalised AiTM lure; they complete MFA on the malicious site; the attacker captures the session and operates from inside the tenant for hours or days; financial fraud (BEC) or data exfiltration follows. None of this is exotic. None of it is solvable with awareness training alone.
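The tell-tale of the pattern described above is a session that was established with an interactive MFA sign-in from one network and then used, minutes later, from a different ASN or country, often by a non-browser client. The following is an added detection example, not code from the original post and not any vendor's query language: it groups constructed sign-in events by user and session, anchors each session on the event where MFA was satisfied, and flags later use of the same session from a different network within a window. The event field names (`session`, `asn`, `mfa`) are constructed stand-ins for whatever session identifier and ASN enrichment your tenant's sign-in logs provide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events; field names are illustrative, not any vendor's schema.
# The first user's session is reused from a different network and client 2 minutes
# after MFA; the second user's session stays on one network throughout.
EVENTS = [
    {"ts": "2026-03-02T09:01:10Z", "user": "cfo@example.com", "session": "s-7f3a",
     "asn": "AS64500", "country": "GB", "ua": "Edge/122", "mfa": "satisfied"},
    {"ts": "2026-03-02T09:03:10Z", "user": "cfo@example.com", "session": "s-7f3a",
     "asn": "AS64511", "country": "NL", "ua": "python-requests/2.31", "mfa": "claim-in-token"},
    {"ts": "2026-03-02T10:30:00Z", "user": "cfo@example.com", "session": "s-7f3a",
     "asn": "AS64511", "country": "NL", "ua": "python-requests/2.31", "mfa": "claim-in-token"},
    {"ts": "2026-03-02T08:55:00Z", "user": "ap.clerk@example.com", "session": "s-22c1",
     "asn": "AS64500", "country": "GB", "ua": "Edge/122", "mfa": "satisfied"},
    {"ts": "2026-03-02T11:05:00Z", "user": "ap.clerk@example.com", "session": "s-22c1",
     "asn": "AS64500", "country": "GB", "ua": "Edge/122", "mfa": "claim-in-token"},
]

WINDOW = timedelta(hours=24)   # how long after the MFA sign-in we keep comparing


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_session_reuse(events, window=WINDOW):
    """Return one finding per (user, session) whose post-MFA use changes network identity.

    The anchor is the interactive event that satisfied MFA. A later event in the
    same session from a different ASN or country is the hijack signal; a user-agent
    change alone is recorded but not sufficient, since different apps share a session.
    """
    by_session = defaultdict(list)
    for event in events:
        by_session[(event["user"], event["session"])].append(event)

    findings = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        anchor = next((e for e in evs if e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue                      # no interactive MFA event: nothing to compare against
        t0 = parse_ts(anchor["ts"])
        for event in evs:
            t = parse_ts(event["ts"])
            if t <= t0 or t - t0 > window:
                continue
            changed = [k for k in ("asn", "country", "ua") if event[k] != anchor[k]]
            if "asn" in changed or "country" in changed:
                findings.append({
                    "user": user,
                    "session": session,
                    "first_seen": event["ts"],
                    "changed": changed,
                    "minutes_after_mfa": int((t - t0).total_seconds() // 60),
                })
                break                     # one finding per session is enough to triage
    return findings


if __name__ == "__main__":
    for finding in find_session_reuse(EVENTS):
        print(finding)
```

Calibrate the network comparison before alerting on it: mobile users legitimately change ASN during a session, so in production the country check and a non-browser user agent together carry more weight than an ASN change alone, and the finding should trigger session revocation plus a review of what the session did, not a password reset on its own.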

The good news is that the controls that defeat it are mature, available, and largely already paid for in your existing Microsoft or Google licensing. The investment is configuration discipline, hardware key procurement, and a deliberate rollout.

If you would like an assessment of your current MFA posture and a phased plan to phishing-resistant authentication, we can help.