By the Numbers: The 2026 Identity Attack Surface
8.6 billion stolen session cookies and authentication artifacts recaptured in a single year (SpyCloud 2026 Annual Identity Exposure Report).
146% year-over-year increase in adversary-in-the-middle (AiTM) phishing attacks, with an estimated 40,000 AiTM incidents observed daily (Obsidian Security / Microsoft trend reporting, 2026).
1.8 billion credentials stolen in the first half of 2025 alone — an 800% increase over the prior half (Flare 2026 State of Enterprise Infostealer Exposure).
16% of infostealer infections now expose enterprise SSO credentials — up from 6% in early 2024 (Flare 2026).
The MFA Illusion
For most of the last decade, “we have MFA” was an acceptable answer to the question “how do you protect your accounts?” Regulators encouraged it. Cyber-insurance carriers demanded it. Security frameworks were built around it. And for a while, it worked: MFA blocked the overwhelming majority of account-takeover attempts that relied on password spraying and credential stuffing.
That era is over. In 2026, the most successful identity attacks don’t try to defeat MFA at all. They sidestep it — stealing the authenticated session after the user has already completed the second factor. The attacker never sees your password. Never triggers your push approval. Never trips a “suspicious login” rule. They just load your session cookie into their browser and walk in as you.
SpyCloud’s 2026 Annual Identity Exposure Report quantifies the scale: researchers recaptured 8.6 billion stolen session cookies and authentication artifacts in one year, against a backdrop of 65.7 billion distinct identity records now circulating in criminal markets — a 23% year-over-year increase. For SMBs that believe MFA is the finish line, these numbers should be a wake-up call.
How Attackers Bypass MFA in 2026
Three techniques account for the overwhelming majority of modern MFA bypasses. All three end with the attacker holding a valid session for a real user — at which point MFA becomes irrelevant, because the authentication already happened.
1. Adversary-in-the-Middle (AiTM) Phishing Kits
AiTM phishing is the dominant MFA-bypass technique of 2026. Instead of a crude credential-harvesting page, the attacker deploys a reverse proxy that sits between the victim and the real login portal (typically Microsoft 365, Google Workspace, or Okta). The victim sees a pixel-perfect copy of the real sign-in page because they are looking at the real sign-in page — proxied through the attacker’s server.
When the victim enters their password, the proxy relays it to Microsoft. When Microsoft returns an MFA challenge, the proxy relays that too. When the victim approves the push or types the code, the proxy captures the session cookie that Microsoft issues in response. That cookie is what authenticated browsers present to say “I’m already logged in” — and the attacker now has a copy.
Commercial phishing-as-a-service (PhaaS) kits have industrialized this technique. Evilginx, Tycoon 2FA, and EvilProxy have been documented in live campaigns for years. In March 2026, Sekoia Threat Detection & Research disclosed a new kit dubbed EvilTokens, active since mid-February 2026, that goes a step further: it captures not only session cookies but OAuth access and refresh tokens, giving attackers persistence that survives password resets and cookie expiration.
Trend data from Obsidian Security and Microsoft puts the scale at roughly 40,000 AiTM incidents per day, with a 146% year-over-year increase in observed AiTM campaigns.
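The reverse-proxy flow above works because a password and a TOTP code are just strings that the proxy can forward. The reason item 1 of the defenses later on this page (FIDO2 / passkeys) breaks the same flow is that a WebAuthn assertion is bound to the origin the browser actually loaded. The following simulation is an added example, not code from the original post or from any of the kits named above; it models one relying party (hypothetical `login.example.com`), one hypothetical proxy host (`login-example.evil-proxy.test`), a browser that fills in `clientDataJSON`, and a relying party that checks it. The authenticator's ECDSA key pair is stood in for by an HMAC key so it runs with the standard library only.

```python
"""Simulation of the WebAuthn origin binding that defeats an AiTM reverse proxy.
Hypothetical names: relying party login.example.com, attacker proxy host
login-example.evil-proxy.test. The authenticator's ECDSA key pair is replaced by
an HMAC key so the script runs with the standard library only."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

RP_ID = "login.example.com"                              # hypothetical relying party
ALLOWED_ORIGINS = {"https://login.example.com"}          # origins the RP accepts
PROXY_ORIGIN = "https://login-example.evil-proxy.test"   # hypothetical AiTM host

# The authenticator scopes each credential to one rpId; none exists for any other.
_CREDENTIALS = {RP_ID: secrets.token_bytes(32)}   # stand-in for the private key
_RP_PUBLIC_KEY = _CREDENTIALS[RP_ID]              # HMAC stand-in: same key both sides


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str) -> Assertion:
    """Models navigator.credentials.get(): the browser, not the page script, writes
    the origin the page was loaded from into clientDataJSON, and refuses an rpId
    that is not a registrable suffix of that origin's host."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"SecurityError: rpId {rp_id!r} not valid for {page_origin}")
    key = _CREDENTIALS.get(rp_id)
    if key is None:
        raise LookupError(f"NotAllowedError: no credential registered for {rp_id!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP set) | signCount
    auth_data = _sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
    signature = hmac.new(key, auth_data + _sha256(client_data), hashlib.sha256).digest()
    return Assertion(client_data, auth_data, signature)


def rp_verify(expected_challenge: str, a: Assertion) -> bool:
    """Relying-party side: type, fresh challenge, origin (the anti-AiTM check),
    rpIdHash, then the signature over authenticatorData || sha256(clientDataJSON)."""
    try:
        cd = json.loads(a.client_data_json)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False  # a login proxied through another host fails here
    if a.authenticator_data[:32] != _sha256(RP_ID.encode()):
        return False
    signed = a.authenticator_data + _sha256(a.client_data_json)
    expected = hmac.new(_RP_PUBLIC_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.signature)


def login_attempt(page_origin: str, rp_id: str = RP_ID) -> str:
    """Outcome of one sign-in ceremony for a page served from page_origin."""
    challenge = secrets.token_urlsafe(32)   # RP issues a fresh challenge per ceremony
    try:
        assertion = browser_get_assertion(page_origin, rp_id, challenge)
    except PermissionError:
        return "browser_refused_rpid"       # proxy page asks for the real rpId
    except LookupError:
        return "no_credential_for_rpid"     # proxy page asks for its own rpId
    return "ok" if rp_verify(challenge, assertion) else "rp_rejected"


def replay_attempt() -> bool:
    """A captured assertion presented against a later challenge is rejected."""
    captured = browser_get_assertion("https://login.example.com", RP_ID, secrets.token_urlsafe(32))
    return rp_verify(secrets.token_urlsafe(32), captured)


if __name__ == "__main__":
    print("legitimate page:", login_attempt("https://login.example.com"))
    print("proxy, real rpId:", login_attempt(PROXY_ORIGIN))
    print("proxy, own rpId:", login_attempt(PROXY_ORIGIN, rp_id="login-example.evil-proxy.test"))
    print("replayed assertion accepted:", replay_attempt())
```

The two proxy cases show why there is nothing for the kit to forward: if the proxied page asks for the real `rpId`, the browser refuses before any signature exists; if it asks for its own domain, the authenticator has no credential for it. Even a captured assertion is useless later because the relying party's challenge changes every ceremony.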
2. Infostealer Malware and Session Theft
You don’t need to phish someone if malware on their laptop will hand you their sessions wholesale. That is the premise of the modern infostealer economy.
Infostealers are lightweight pieces of malware designed to run once, silently, and ship everything of value back to the attacker: saved browser passwords, session cookies for every site the user was logged into, crypto-wallet files, SSH keys, VPN configs, and increasingly — enterprise SSO artifacts. Flare’s 2026 report found that 16% of infostealer infections now expose enterprise SSO credentials, up from 6% in early 2024, reflecting both the shift to cloud-first work and attackers’ deliberate focus on corporate identity.
The scale is staggering. SpyCloud recaptured 642.4 million credentials from 13.2 million infostealer infections in 2025 — roughly 50 credentials per infected host. Flare recorded 1.8 billion credentials stolen in the first half of 2025 alone, an 800% increase over the prior half. Microsoft’s threat-intelligence team attributes the majority of infections to three families: Lumma, StealC, and RedLine, which together represent over 75% of infostealer activity. Lumma in particular has been documented targeting Microsoft 365, Google, Okta, and AWS SSO sessions. These are sold as malware-as-a-service from as little as $250 per month — a price point that guarantees a constant stream of new operators.
Once stolen, an enterprise SSO cookie doesn’t need to be cracked. The attacker loads it into a browser and is inside your tenant, as the user, with whatever roles that user holds.
3. OAuth Refresh Token Persistence
The third vector is quieter and longer-lived. When a user consents to a cloud application — even a malicious one disguised as “Adobe Acrobat Updater” or a fake internal tool — the identity provider issues an OAuth refresh token. That token can generate new access tokens for weeks or months without any further user interaction and without triggering MFA.
The EvilTokens kit documented by Sekoia in March 2026 specifically harvests these tokens, and SpyCloud’s 2026 report tracked 18.1 million exposed API keys and tokens in 2025. Unlike a stolen password, a leaked refresh token survives password changes. Unlike a session cookie, it doesn’t expire at the end of the browser session. Until someone explicitly revokes the grant, the attacker has a quiet, durable foothold that most SMBs don’t monitor and don’t know how to audit.
Case in Point: Recent Campaigns
Microsoft: Multi-Stage AiTM + BEC + SharePoint (January 2026)
What happened: On January 21, 2026, Microsoft’s Security team published details of a multi-stage campaign against energy-sector targets. Attackers used AiTM phishing to capture session cookies, used those sessions to access Microsoft 365 mailboxes, staged follow-on business email compromise (BEC) messages from the compromised accounts, and weaponized trusted SharePoint links to distribute the next round of AiTM lures inside the target’s ecosystem of partners and customers.
Why it matters: Every link in the chain used legitimate, authenticated infrastructure. There was no “suspicious attachment” for an email gateway to block. The SharePoint links were real SharePoint links, hosted by a real tenant, sent by a real user — who happened to have been compromised three days earlier.
Sekoia: EvilTokens PhaaS Discovery (March 2026)
What happened: Sekoia Threat Detection & Research published analysis of a new phishing-as-a-service platform called EvilTokens, which had been active since mid-February 2026. Unlike earlier AiTM kits focused on cookie capture, EvilTokens is built to harvest OAuth access and refresh tokens from Microsoft 365 victims — giving buyers of the service long-lived, MFA-free access to compromised tenants.
Why it matters: The commercialization of token theft lowers the barrier to long-term persistence. An attacker who previously had to re-phish a victim every time a session expired can now maintain access for weeks without the victim ever seeing another login prompt.
What This Means for SMBs
If you run a law firm, CPA practice, medical clinic, or any SMB on Microsoft 365 or Google Workspace, three things should change in how you think about identity security.
First, MFA is the floor, not the ceiling. Every account-takeover detection pattern that relied on “did MFA fire?” is now blind to the dominant attack technique. MFA is still necessary — an attacker without a foothold will still be stopped by it — but it is not sufficient.
Second, the attack pattern chains into every other threat you already face. A stolen session is the first step in the business email compromise playbook: attackers log in, create hidden inbox rules to hide their activity, and wait for the first wire-transfer or invoice email to hijack. It’s also how the AI-crafted phishing messages we’ve written about get sent from real, trusted internal accounts instead of spoofed domains — because the attacker is logged in as the real user.
Third, detection has to move beyond the login. By the time an attacker is using a stolen session, they are past every preventive control you have. The only remaining opportunity is to recognize that the behavior inside the session is wrong — new country, new device, new inbox rule, new OAuth grant, unusual mailbox access, mass download of SharePoint files. That recognition is what post-authentication monitoring does, and it is where most SMB security programs have the biggest gap.
What Actually Stops These Attacks
Layered Defenses Against Session Hijacking
1. Deploy phishing-resistant MFA (FIDO2 / passkeys). Hardware security keys and platform passkeys bind authentication to the legitimate domain. An Evilginx reverse proxy can’t relay a WebAuthn challenge because the browser refuses to sign one for the wrong origin. This single change kills most AiTM attacks outright — prioritize it for admins first, then all users.
2. Enforce Conditional Access and device trust. Require compliant, managed devices for access to email and SharePoint. A stolen cookie loaded into an attacker’s unmanaged laptop fails the device-trust check even if the session itself is valid.
3. Shorten token lifetimes and turn on continuous access evaluation. Default token lifetimes favor convenience. For privileged accounts, shorten them. Enable continuous access evaluation (CAE) in Microsoft 365 so that risk signals — password change, user disable, risky sign-in — invalidate active sessions in near-real-time rather than at token expiry.
4. Audit and restrict OAuth app consents. Require admin approval for new third-party app grants. Review existing consents quarterly. Revoke any grant you don’t recognize. This closes the refresh-token persistence door.
5. Deploy 24/7 post-authentication monitoring (MDR). This is the control that detects the attacker who has already cleared steps 1 through 4 because an endpoint was infected. MDR watches for the behaviors that only make sense if the session has been stolen: impossible travel, new inbox forwarding rules, anomalous OAuth consents, unusual mailbox search queries, session replay from new IP ranges, and mass access to SharePoint or OneDrive. These are the detections that catch BEC before the wire goes out and catch tenant takeover before the attacker pivots to data theft.
The pattern is the same one we see across every serious identity incident: preventive controls reduce the volume of attacks, but they do not reach zero. Detection and response is what turns a compromised session into a contained incident instead of a six-figure wire-fraud loss or a HIPAA-reportable breach.
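The post-authentication signals listed above (impossible travel, hidden or forwarding inbox rules, risky OAuth consents) are concrete enough to write down as detection logic. The following is an added example, not code from the original post or from any MDR product: it runs three detections over a constructed Microsoft 365-style audit stream. The JSON event shape, the field names, and the latitude/longitude enrichment on sign-ins are assumptions of this example rather than a vendor schema; the inbox-rule parameter names mirror the `New-InboxRule` cmdlet parameters.

```python
"""Post-authentication detections over a constructed Microsoft 365-style audit
stream. The JSON event shape, field names and the lat/lon enrichment on sign-ins
are assumptions of this example, not a vendor schema."""
import json
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner: both sign-ins cannot be the user
RISKY_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Files.Read.All"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Archive"}

# Constructed sample: alice's session has been stolen; bob and carol are normal.
SAMPLE_LOG = """\
{"time":"2026-03-02T08:02:11Z","user":"alice@example.com","op":"UserLoggedIn","ip":"203.0.113.10","lat":47.61,"lon":-122.33}
{"time":"2026-03-02T08:41:27Z","user":"alice@example.com","op":"UserLoggedIn","ip":"198.51.100.77","lat":52.37,"lon":4.90}
{"time":"2026-03-02T08:45:03Z","user":"alice@example.com","op":"New-InboxRule","ip":"198.51.100.77","params":{"Name":".","SubjectContainsWords":["invoice","wire"],"MoveToFolder":"RSS Feeds","MarkAsRead":true}}
{"time":"2026-03-02T09:10:44Z","user":"alice@example.com","op":"Consent to application.","ip":"198.51.100.77","params":{"AppDisplayName":"Adobe Acrobat Updater","Scopes":"offline_access Mail.ReadWrite"}}
{"time":"2026-03-02T09:15:00Z","user":"bob@example.com","op":"UserLoggedIn","ip":"203.0.113.44","lat":47.61,"lon":-122.33}
{"time":"2026-03-02T12:30:00Z","user":"bob@example.com","op":"UserLoggedIn","ip":"203.0.113.45","lat":45.52,"lon":-122.68}
{"time":"2026-03-02T12:31:00Z","user":"bob@example.com","op":"New-InboxRule","ip":"203.0.113.45","params":{"Name":"Newsletters","FromAddressContainsWords":["news@"],"MoveToFolder":"Reading"}}
{"time":"2026-03-02T13:00:00Z","user":"carol@example.com","op":"Consent to application.","ip":"203.0.113.90","params":{"AppDisplayName":"Team Calendar","Scopes":"User.Read Calendars.Read"}}
"""


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["time"].replace("Z", "+00:00"))


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events: list) -> list:
    """Consecutive sign-ins per user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["op"] == "UserLoggedIn" and "lat" in e:
            by_user[e["user"]].append(e)
    for user, logins in by_user.items():
        logins.sort(key=_ts)
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else (math.inf if km > 1 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"rule": "impossible_travel", "user": user, "time": cur["time"],
                               "ip": cur["ip"], "distance_km": round(km), "speed_kmh": round(speed)})
    return alerts


def detect_suspicious_inbox_rules(events: list) -> list:
    """Rules that forward, delete or hide mail, or carry a near-empty name."""
    alerts = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = e.get("params", {}), []
        if any(p.get(k) for k in FORWARDING_PARAMS):
            reasons.append("forwards or redirects mail")
        if p.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        if p.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append(f"hides mail in {p['MoveToFolder']!r}")
        if len(str(p.get("Name", "")).strip()) <= 2:
            reasons.append("near-empty rule name")
        if reasons:
            alerts.append({"rule": "suspicious_inbox_rule", "user": e["user"], "time": e["time"],
                           "ip": e["ip"], "reasons": reasons})
    return alerts


def detect_risky_consents(events: list) -> list:
    """Consent grants that include long-lived or mailbox-wide scopes."""
    alerts = []
    for e in events:
        if e["op"] != "Consent to application.":
            continue
        p = e.get("params", {})
        risky = sorted(set(str(p.get("Scopes", "")).split()) & RISKY_SCOPES)
        if risky:
            alerts.append({"rule": "risky_oauth_consent", "user": e["user"], "time": e["time"],
                           "ip": e["ip"], "app": p.get("AppDisplayName"), "scopes": risky})
    return alerts


def run_detections(text: str) -> list:
    events = parse_events(text)
    alerts = detect_impossible_travel(events) + detect_suspicious_inbox_rules(events) + detect_risky_consents(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed sample, all three alerts land on the one user whose session was stolen, in the order the intrusion unfolded: a sign-in from a second continent 39 minutes after the first, a rule that files "invoice" and "wire" mail into RSS Feeds under a one-character name, and a consent to an "updater" app asking for `offline_access` and `Mail.ReadWrite`. The two normal users trigger nothing. In production the same logic would read from the unified audit log export rather than an inline string, and the speed threshold and folder list would be tuned to the tenant.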
The Bottom Line
MFA stops attackers who don’t have your session. In 2026, the attackers who matter already do. Between AiTM phishing kits, infostealer malware, and OAuth token theft, adversaries have industrialized the bypass of every MFA method most SMBs rely on. The organizations that come through this wave intact are the ones that assume the session will be stolen — and invest in detecting what happens next.
MFA alone isn’t a security program.
Our MDR service provides 24/7 post-authentication monitoring for Microsoft 365 and Google Workspace — catching the impossible-travel sign-ins, hidden inbox rules, rogue OAuth grants, and session anomalies that only appear after an attacker has already bypassed MFA.
Book a Free Consultation