The Attack Dominating Financial Services Doesn't Steal Passwords. It Resets MFA and Steals the Token.
Why It Matters
The shift erodes the effectiveness of multi‑factor authentication investments, exposing banks and insurers to persistent, undetected access. Addressing the gap is critical to protect billions of dollars of assets and maintain regulatory compliance.
Key Takeaways
- Mutant Spider used Teams vishing to reset MFA in financial firms
- Kali365 sells token‑theft service for $250‑$2,000 a year
- Verizon DBIR shows credential theft fell to 13%, exploits rose to 31%
- MFA bypasses stem from social‑engineered resets and OAuth device‑code flow
- Experts urge out‑of‑band verification and token‑monitoring over more MFA layers
Pulse Analysis
The financial sector’s cyber‑risk profile has fundamentally changed. Over the past year, threat actors have moved away from classic password‑phishing campaigns and instead weaponized the very processes designed to protect users. By impersonating IT support on Microsoft Teams, groups like Mutant Spider convince employees to reset MFA, then register their own devices, effectively nullifying the second factor. This social‑engineering playbook exploits a trust gap in help‑desk workflows, turning a defensive control into an entry point.
At the same time, a nascent market for token‑theft services is flourishing. Kali365, offered on Telegram for $250 per month up to $2,000 annually, automates the capture of Microsoft 365 OAuth refresh tokens via the device‑code flow, a legitimate authentication mechanism in which the victim completes the sign‑in, MFA included, on the attacker's behalf, so the attacker receives the resulting tokens without ever facing an MFA challenge. The stolen tokens grant silent, long‑lived access to Outlook, Teams and OneDrive, allowing threat actors to exfiltrate data or deploy ransomware without triggering additional MFA prompts. The economics are attractive: a low subscription cost yields high‑value footholds in high‑net‑worth institutions.
Defenders must rethink budget allocations and control architectures. Out‑of‑band verification for any MFA reset request, strict conditional‑access policies that block unmanaged device‑code flows, and continuous monitoring of token usage across unfamiliar devices are essential. Moreover, security teams should augment traditional endpoint protection with identity‑focused analytics that flag anomalous token lifetimes and bulk Graph API calls. By shifting focus from merely adding MFA layers to securing the entire authentication lifecycle, financial organizations can close the gap that attackers are currently exploiting.
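The monitoring controls above (device‑code sign‑ins from unmanaged devices, token use from unfamiliar devices, anomalously long‑lived sessions, and bulk Graph API calls) can be expressed as a handful of detections over sign‑in and activity logs. The block below is an added example written for this page, not code from the article or from any vendor. It runs over a constructed, simplified sample modeled on Entra ID sign‑in log fields (the `authenticationProtocol` value `deviceCode` is the real field value for this flow; every record, device id, session id and threshold here is invented and should be tuned to local baselines).

```python
"""Identity-focused detections for the MFA-reset / token-theft pattern.

Added example, not part of the original article. The events below are a
constructed, simplified sample: field names echo Entra ID sign-in logs, but
the records, devices, sessions and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample sign-in events (not real log data). Session "s2" models
# a device-code sign-in from an attacker-controlled, unmanaged device whose
# refresh token is still being redeemed weeks later.
SIGNINS = [
    {"user": "alice@bank.example", "authenticationProtocol": "oAuth2",
     "deviceId": "dev-alice-laptop", "isManaged": True, "sessionId": "s1",
     "time": "2024-05-01T08:00:00Z"},
    {"user": "alice@bank.example", "authenticationProtocol": "deviceCode",
     "deviceId": "dev-unknown-1", "isManaged": False, "sessionId": "s2",
     "time": "2024-05-02T09:15:00Z"},
    {"user": "alice@bank.example", "authenticationProtocol": "oAuth2",
     "deviceId": "dev-unknown-1", "isManaged": False, "sessionId": "s2",
     "time": "2024-06-05T09:15:00Z"},
    {"user": "bob@bank.example", "authenticationProtocol": "oAuth2",
     "deviceId": "dev-bob-desktop", "isManaged": True, "sessionId": "s3",
     "time": "2024-05-01T10:00:00Z"},
    {"user": "bob@bank.example", "authenticationProtocol": "deviceCode",
     "deviceId": "dev-bob-desktop", "isManaged": True, "sessionId": "s4",
     "time": "2024-05-03T11:30:00Z"},
]

# Constructed baseline: devices each user was seen on in the prior 30 days.
KNOWN_DEVICES = {
    "alice@bank.example": {"dev-alice-laptop"},
    "bob@bank.example": {"dev-bob-desktop"},
}

# Constructed Graph activity: session s2 fires 600 mailbox reads in ~5 minutes
# (exfiltration-like), session s1 makes 20 calls spread over 20 minutes.
_t0 = parse_time("2024-05-02T09:20:00Z")
GRAPH_ACTIVITY = (
    [{"sessionId": "s2", "endpoint": "/v1.0/me/messages",
      "time": _t0 + timedelta(seconds=0.5 * i)} for i in range(600)]
    + [{"sessionId": "s1", "endpoint": "/v1.0/me/calendar",
        "time": _t0 + timedelta(minutes=i)} for i in range(20)]
)

def device_code_from_unmanaged(signins):
    """Device-code sign-ins from devices that are not managed/enrolled."""
    return [e for e in signins
            if e["authenticationProtocol"] == "deviceCode" and not e["isManaged"]]

def unfamiliar_device_use(signins, baseline):
    """Token use from a device the user has never been seen on before."""
    return [e for e in signins
            if e["deviceId"] not in baseline.get(e["user"], set())]

def long_lived_sessions(signins, max_age=timedelta(days=30)):
    """Sessions whose tokens are still redeemed more than max_age after first sign-in."""
    first, last = {}, {}
    for e in signins:
        t = parse_time(e["time"])
        sid = e["sessionId"]
        first[sid] = min(first.get(sid, t), t)
        last[sid] = max(last.get(sid, t), t)
    return [sid for sid in first if last[sid] - first[sid] > max_age]

def bulk_graph_calls(activity, threshold=500, window=timedelta(minutes=10)):
    """Sessions that exceed `threshold` Graph calls inside any sliding `window`."""
    by_session = defaultdict(list)
    for rec in activity:
        by_session[rec["sessionId"]].append(rec["time"])
    flagged = {}
    for sid, times in by_session.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[sid] = peak
    return flagged

def run_all():
    """Collect every finding keyed by detection name."""
    return {
        "device_code_unmanaged": [e["sessionId"] for e in device_code_from_unmanaged(SIGNINS)],
        "unfamiliar_device": [e["sessionId"] for e in unfamiliar_device_use(SIGNINS, KNOWN_DEVICES)],
        "long_lived_session": long_lived_sessions(SIGNINS),
        "bulk_graph_calls": bulk_graph_calls(GRAPH_ACTIVITY),
    }

if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

Note the deliberate gap between the first two checks: Bob's device‑code sign‑in from a managed desktop (session s4) is not flagged as unmanaged and is not an unfamiliar device, which is the behaviour you want if legitimate CLI tooling uses that flow from enrolled machines; the conditional‑access policy the article recommends would block the unmanaged case (s2) outright, and these detections are the backstop for tokens that were issued before such a policy existed.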