Why MFA Is Not Enough for SMBs in 2026

How phishing, session theft, and AI voice scams still break in

For years, small and midsize businesses were told a simple story: turn on multi-factor authentication, and you will be far safer.

That advice was not wrong. It is still essential. But in 2026, it is no longer sufficient on its own.

Attackers have adapted. They no longer focus only on stealing passwords. They increasingly target the layer after password entry: session cookies, MFA prompts, device trust, help-desk workflows, and human verification habits. The result is a more dangerous reality for SMBs. A company can deploy MFA and still be vulnerable to adversary-in-the-middle phishing, session hijacking, push fatigue, social engineering, and AI-enhanced impersonation.

This is not theory. In January 2026, Microsoft said it had blocked more than 13 million malicious emails linked to Tycoon2FA in October 2025 alone. In March 2026, Microsoft said that by mid-2025 Tycoon2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. Microsoft also linked the service to approximately 96,000 phishing victims worldwide since 2023, including more than 55,000 Microsoft customers. (Sources: Microsoft Security Blog; Microsoft On the Issues.)

That should change the conversation for every SMB leader. The question is no longer whether MFA matters. It does. The question is whether your organization understands the newer ways attackers get around it.

The myth that MFA solved identity risk

MFA remains one of the most important controls any business can deploy. It raises the cost of compromise and blocks a large amount of commodity credential abuse. But too many organizations stop there. They assume that once a second factor is enabled, the identity problem is effectively solved.

That is the dangerous myth.

Modern phishing kits do not just collect usernames and passwords. Many are designed to intercept authentication flows in real time, relay the victim to the legitimate service, and capture the authenticated session. In practical terms, that means the attacker may not need the password after all. They may only need the session that comes after the login succeeds.

Microsoft’s March 2026 analysis of Tycoon2FA describes exactly this kind of large-scale adversary-in-the-middle phishing infrastructure. The service was engineered to evade detection, route traffic dynamically, and help criminals steal authenticated sessions at scale. (Source: Microsoft Security Blog.)

For SMBs, that distinction matters. Many security discussions still sound like they are about 2019. Attackers in 2026 are operating with better kits, cleaner infrastructure, faster adaptation, and more convincing lures.

How attackers still get in after MFA

The first common path is adversary-in-the-middle phishing. A user clicks what appears to be a Microsoft 365 or Google login page, enters credentials, completes MFA, and believes everything is normal. But the attacker’s infrastructure is sitting in the middle as a reverse proxy, relaying each step to the real service and capturing the session cookie the service issues when the login succeeds. Because the one-time code or push approval is forwarded within seconds, code expiry does not help. The business says, “We had MFA.” The attacker says, “Thank you.”

The second path is MFA fatigue and prompt abuse. If users are conditioned to approve prompts quickly, attackers can exploit that habit by triggering prompts until one is approved. Number matching in push prompts blunts this blind bombing, because the approver has to type a number that only the real sign-in screen shows; it does not stop an adversary-in-the-middle relay, where the user is genuinely signing in and sees the number on the proxied page. SMBs with lean IT support and high productivity pressure are especially vulnerable to this kind of behavioral weakness.

The third path is social engineering of trust workflows. Help-desk impersonation, vendor impersonation, and urgent executive requests remain effective because people are busy, not because they are foolish. In March 2026, Microsoft warned that threat actors are operationalizing AI, including voice cloning for vishing and business email compromise scams. (Source: Microsoft Security Blog.)

That is the real shift. AI does not need to invent entirely new scams to be dangerous. It only needs to make old scams faster, cheaper, and more believable.

Why SMBs are especially exposed

Large enterprises may have identity teams, formal conditional access programs, and dedicated monitoring for session anomalies. Most SMBs do not. They run lean. The same cloud tenant may contain executive email, finance workflows, shared files, client communications, and administrative privilege. A single compromised session can carry far more operational value when controls are flatter and oversight is lighter.

Many SMBs also still rely on weaker MFA methods, especially SMS or simple push approvals. Those methods are better than no MFA, but they are not the same as phishing-resistant MFA. Microsoft’s official guidance specifically recommends requiring phishing-resistant MFA for highly privileged roles through Conditional Access. (Source: Microsoft Learn.)

The phrase “phishing-resistant” is becoming one of the most important distinctions in identity security. It describes authentication methods that cannot be relayed through a proxy or read out over the phone: FIDO2 hardware security keys, passkeys and platform authenticators such as Windows Hello for Business, and certificate-based authentication. What they have in common is that the credential is bound to the genuine site’s origin, so a login page on a look-alike domain cannot produce a response the real service will accept. One-time codes, SMS messages, and push approvals carry no such binding, which is why an adversary-in-the-middle kit can simply pass them along.
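To make the origin-binding point concrete, here is a small Python simulation added for this post; it is not the page’s code and not any vendor’s. It stands in for WebAuthn with a keyed hash in place of a real asymmetric signature, and assumes a relying party at login.example.com and an attacker proxy at login.example-secure.net (both names invented). The relying party accepts a direct login, rejects the same challenge relayed through the proxy because the browser records the origin it actually talked to, and rejects a proxy that rewrites the origin because the signature covers the client data.

```python
import hashlib
import hmac
import json
import secrets

# Assumed names for this illustration (not from the original post).
RP_ID = "login.example.com"                        # the real relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example-secure.net"  # the AiTM proxy's look-alike domain


def make_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page, fills in the origin it is actually talking to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_secret: bytes, client_data_json: bytes) -> bytes:
    # Stand-in for the authenticator's signature: a keyed hash (HMAC) instead of a
    # real private-key signature, so this runs with the standard library only.
    # Like WebAuthn, it covers the RP ID hash and the hash of clientDataJSON, so
    # nothing in clientDataJSON can be altered after the key has signed it.
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    client_hash = hashlib.sha256(client_data_json).digest()
    return hmac.new(cred_secret, rp_id_hash + client_hash, hashlib.sha256).digest()


def rp_verify(cred_secret: bytes, issued_challenge: bytes,
              client_data_json: bytes, signature: bytes) -> str:
    """The relying party's checks, in the order a WebAuthn server performs them."""
    data = json.loads(client_data_json)
    if data.get("challenge") != issued_challenge.hex():
        return "rejected: challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return "rejected: origin mismatch"
    expected = authenticator_sign(cred_secret, client_data_json)
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    return "accepted"


def run_scenarios() -> dict:
    cred_secret = secrets.token_bytes(32)   # registered once with the real RP
    challenge = secrets.token_bytes(16)     # issued by the real RP for this login
    results = {}

    # 1. Normal login straight to the real site.
    cd = make_client_data(challenge, RP_ORIGIN)
    results["direct"] = rp_verify(cred_secret, challenge, cd,
                                  authenticator_sign(cred_secret, cd))

    # 2. AiTM relay: the proxy forwards the real challenge, but the victim's browser
    #    is on the phishing origin and records that origin in clientDataJSON.
    cd = make_client_data(challenge, PHISH_ORIGIN)
    results["aitm_relay"] = rp_verify(cred_secret, challenge, cd,
                                      authenticator_sign(cred_secret, cd))

    # 3. The proxy rewrites the origin to the real one before forwarding. The key
    #    signed the original clientDataJSON, so the signature no longer matches.
    signature = authenticator_sign(cred_secret, cd)
    forged = make_client_data(challenge, RP_ORIGIN)
    results["aitm_rewrite"] = rp_verify(cred_secret, challenge, forged, signature)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:13s} {outcome}")
```

A real browser goes further than this and refuses to use the credential at all when the page’s domain does not match the key’s registered RP ID; the server-side origin check shown here is the backstop. Contrast a six-digit code, which carries no origin and verifies identically whichever page it was typed into.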

What “better than MFA alone” looks like

The right response is not to dismiss MFA. It is to build around it.

That means moving from a checkbox mentality to an identity-defense model. Stronger methods, device awareness, access conditions, and verification discipline all matter. A business that has enabled MFA everywhere but left admin accounts overexposed, email unmonitored, and approvals easy to manipulate is more protected than it was before, but not protected enough for the current threat environment.

Identity hardening at a glance

MFA method
  Weaker SMBs: SMS codes or simple push approvals everywhere
  Stronger SMBs: phishing-resistant MFA for admins and sensitive roles
  Why it matters: not all MFA methods provide equal resistance to modern phishing.

Admin protection
  Weaker SMBs: admins use the same accounts for daily work and privileged tasks
  Stronger SMBs: separate admin accounts with tighter controls and stronger authentication
  Why it matters: administrative sessions are high-value targets.

Conditional access
  Weaker SMBs: login allowed from almost anywhere without context
  Stronger SMBs: access based on device trust, risk, role, and context
  Why it matters: reduces the value of stolen sessions and suspicious sign-ins.

Email and domain trust
  Weaker SMBs: basic protection, weak spoofing defenses, limited monitoring
  Stronger SMBs: stronger email security, domain protection, impersonation awareness
  Why it matters: email and phishing remain among the most common intrusion paths.

User verification habits
  Weaker SMBs: urgent approvals happen without second checks
  Stronger SMBs: high-friction verification for sensitive requests
  Why it matters: human trust remains a primary target of modern attacks.

The four places SMBs should strengthen now

1. Upgrade the most important MFA first

Start where compromise would hurt most: administrators, finance, executives, email administrators, backup administrators, and anyone with broad access to cloud platforms. These accounts should not rely on the weakest available authentication method simply because it is convenient. If you cannot upgrade the whole environment immediately, upgrade the highest-impact roles first.

This is also where the distinction between “MFA deployed” and “MFA deployed well” becomes real. A tenant with universal SMS MFA is not in the same place as a tenant that uses phishing-resistant methods for privileged access.
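Here is what “upgrade the highest-impact roles first” looks like as a Conditional Access policy, written as an added Python example rather than anything from the post or from Microsoft. It builds the request body for Microsoft Graph’s conditionalAccessPolicy resource using Microsoft’s built-in “Phishing-resistant MFA” authentication strength and the published directory role template IDs (both copied from Microsoft’s documentation and assumed correct; confirm them in your tenant), excludes a hypothetical break-glass account, and includes a simplified audit that reports which privileged roles still lack an enforced, all-apps policy. The sample tenant policies are constructed.

```python
import json

# Built-in Entra ID authentication strength for phishing-resistant MFA. Copied
# from Microsoft's published constants; assumed correct, verify in your tenant.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs as published by Microsoft (assumed correct here;
# confirm against GET /directoryRoleTemplates in your own tenant).
PRIVILEGED_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
    "Exchange Administrator": "29232cdf-9323-42fd-ade2-1d097af3e4de",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "Conditional Access Administrator": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
}

# Hypothetical object ID of an emergency-access (break-glass) account, excluded so
# a mistake in this policy cannot lock every administrator out at once.
BREAK_GLASS_USER_ID = "11111111-2222-3333-4444-555555555555"


def build_admin_policy(state: str = "enabledForReportingButNotEnforced") -> dict:
    """Request body for POST /identity/conditionalAccess/policies (Graph v1.0).

    Start in report-only mode, review the sign-in log, then set state="enabled".
    """
    return {
        "displayName": "Require phishing-resistant MFA for privileged roles",
        "state": state,
        "conditions": {
            "users": {
                "includeRoles": sorted(PRIVILEGED_ROLES.values()),
                "excludeUsers": [BREAK_GLASS_USER_ID],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
        },
    }


def uncovered_privileged_roles(policies: list, roles: dict = PRIVILEGED_ROLES) -> list:
    """Roles with no enabled, all-apps policy that demands phishing-resistant MFA.

    Simplification: a real audit must also handle excludeRoles, includeUsers="All",
    custom authentication strengths that allow FIDO2, and app-scoped policies.
    """
    covered = set()
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        grant = policy.get("grantControls") or {}
        if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_MFA:
            continue
        conditions = policy.get("conditions") or {}
        apps = (conditions.get("applications") or {}).get("includeApplications", [])
        if "All" not in apps:
            continue
        covered.update((conditions.get("users") or {}).get("includeRoles", []))
    return sorted(name for name, role_id in roles.items() if role_id not in covered)


def sample_tenant_policies() -> list:
    # Constructed: a typical SMB tenant has a blanket "MFA for everyone" policy,
    # which accepts SMS and push and therefore does not count as phishing-resistant.
    return [
        {
            "displayName": "Require MFA for all users",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["all"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        build_admin_policy(),  # still report-only, so it protects nothing yet
    ]


if __name__ == "__main__":
    print(json.dumps(build_admin_policy(), indent=2))
    print("Uncovered (report-only):", uncovered_privileged_roles(sample_tenant_policies()))
    enforced = sample_tenant_policies()[:1] + [build_admin_policy(state="enabled")]
    print("Uncovered (enforced):", uncovered_privileged_roles(enforced))
```

Start in report-only, review the sign-in log for administrators who would have been blocked, enroll their keys or passkeys, then flip the state to enabled. The audit deliberately ignores exclusions, custom authentication strengths and app-scoped policies, so treat its output as a starting list rather than a verdict.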

2. Treat email and identity as one attack surface

Too many SMBs still separate email security from identity security operationally, even though attackers do not. The phishing email is the front door. The stolen session is the hallway. The cloud account is the office. For the attacker, it is one path.

That means the business should think in the same integrated way. Watch for suspicious sign-ins, impossible travel, abnormal mailbox activity, unexpected forwarding rules, and executive impersonation attempts. Strengthen domain protections. Review who can create inbox rules, grant app consent, or reset authentication factors.
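The items in that list can be turned into a first-pass triage. The following Python is an added example, not code from the post or from Microsoft. It runs over constructed audit records whose shape is a simplified version of the Microsoft 365 unified audit log (the operation names New-InboxRule, Set-Mailbox and “Consent to application.” are the real ones; the parameter keys are reduced), with contoso.example as the assumed internal domain. It flags inbox rules that forward externally, hide messages or carry near-empty names, mailbox-level forwarding to outside addresses, and user-granted OAuth consent to mail-reading scopes.

```python
INTERNAL_DOMAINS = {"contoso.example"}  # assumed: the tenant's own mail domains

SUSPICIOUS_TERMS = ("invoice", "payment", "wire", "bank", "password", "hacked", "phish")
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items")
RISKY_SCOPES = ("mail.read", "mail.readwrite", "mail.send", "mailboxsettings",
                "files.read.all", "offline_access")

# Constructed audit records. The shape is a simplified version of what the
# Microsoft 365 unified audit log exports; map your own export onto these keys.
SAMPLE_EVENTS = [
    {"id": 1, "operation": "New-InboxRule", "user": "cfo@contoso.example",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                "SubjectContainsWords": "digest"}},
    {"id": 2, "operation": "New-InboxRule", "user": "cfo@contoso.example",
     "params": {"Name": ".", "ForwardTo": "cfo.backup@outlook.example",
                "DeleteMessage": True, "SubjectContainsWords": "invoice;payment;wire"}},
    {"id": 3, "operation": "Set-Mailbox", "user": "ap@contoso.example",
     "params": {"ForwardingSmtpAddress": "smtp:ap.contoso@gmail.example",
                "DeliverToMailboxAndForward": True}},
    {"id": 4, "operation": "Consent to application.", "user": "ap@contoso.example",
     "params": {"AppDisplayName": "PDF Viewer Pro", "IsAdminConsent": False,
                "ConsentScopes": ["Mail.Read", "offline_access", "User.Read"]}},
]


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    address = address.lower().strip()
    if address.startswith("smtp:"):
        address = address[5:]
    domain = address.rsplit("@", 1)[-1]
    return domain not in internal_domains


def triage_event(event: dict) -> list:
    """Return the reasons this event deserves a look (empty list = benign)."""
    op, p, reasons = event["operation"], event.get("params", {}), []
    if op in ("New-InboxRule", "Set-InboxRule"):
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            for addr in str(p.get(key, "")).split(";"):
                if addr and is_external(addr):
                    reasons.append(f"{key} sends mail to external address {addr}")
        if p.get("DeleteMessage") or str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
            reasons.append("rule hides matching messages from the mailbox owner")
        if len(str(p.get("Name", "")).strip()) <= 2:
            reasons.append(f"near-empty rule name {p.get('Name')!r}")
        text = " ".join(str(p.get(k, ""))
                        for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
        hits = [t for t in SUSPICIOUS_TERMS if t in text]
        if hits:
            reasons.append("rule keys on " + ", ".join(hits))
    elif op == "Set-Mailbox":
        for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
            if p.get(key) and is_external(str(p[key])):
                reasons.append(f"mailbox-level forwarding to external address {p[key]}")
    elif op == "Consent to application.":
        scopes = [s.lower() for s in p.get("ConsentScopes", [])]
        risky = [s for s in scopes if s.startswith(RISKY_SCOPES)]
        if risky and not p.get("IsAdminConsent"):
            reasons.append(f"user-granted consent for {', '.join(risky)} "
                           f"to {p.get('AppDisplayName')!r}")
    return reasons


def triage(events: list) -> list:
    """Events worth an analyst's attention, in log order."""
    findings = []
    for event in events:
        reasons = triage_event(event)
        if reasons:
            findings.append({"id": event["id"], "user": event["user"],
                             "operation": event["operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['id']}] {finding['user']} {finding['operation']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Rule 2 is the classic post-compromise pattern: a one-character name so it is easy to miss in Outlook, a forward to an outside mailbox, deletion so the victim never sees the replies, and keywords chosen to intercept payment traffic. Event 4 is the path that survives a password reset, since a consented app keeps its refresh token until the grant is revoked.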

3. Make approval culture harder to exploit

Identity defense is not just about technology. It is also about what the organization normalizes. If employees are trained to approve prompts quickly, respond to urgency reflexively, and trust familiar names without verification, the technical controls are supporting a fragile human process.

AI makes this worse not because every scam is suddenly brilliant, but because impersonation becomes easier to scale. A fake voicemail that sounds close enough to a real executive can push an already-busy employee toward the wrong decision. A polished phishing page reduces hesitation. A believable text message at the right moment gets the click.

The answer is not paranoia. It is disciplined verification for sensitive actions. High-risk requests should have a second channel, a known callback path (a number already on file, never one supplied in the request itself), or a policy-backed pause. Help-desk resets of passwords or MFA factors deserve the same treatment, because a reset is a full account takeover with a friendlier name.

4. Protect the session, not just the login

This is where many SMB defenses are still immature. They focus heavily on getting the user through the front gate safely but spend less time considering what happens once a session exists. That is exactly where adversary-in-the-middle phishing becomes dangerous.

Device trust, access policies, session controls, and anomaly detection all help reduce the usefulness of a stolen authenticated session. Requiring a managed, compliant device means the attacker’s machine fails the check the next time the policy is evaluated; a shorter sign-in frequency and continuous access evaluation shorten the window in which a captured cookie or refresh token stays usable; sign-in monitoring catches the same session suddenly being used from a new country or network. Even if an attacker gets farther than expected, the goal is to make that session less portable, less durable, and less valuable.
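As an added example of what anomaly detection on the session means in practice (not the post’s code or any product’s), the following Python runs two checks over constructed sign-in records: whether a session created by an interactive MFA sign-in is later used from a different network or far from where it was established, and classic impossible travel between consecutive sign-ins by one user. The GeoIP table, IP addresses, ASNs and field names are all constructed; map your export of the Entra sign-in log onto these keys.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (city, lat, lon, ASN) table, standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": ("Chicago", 41.88, -87.63, "AS64500"),
    "203.0.113.11": ("Chicago", 41.88, -87.63, "AS64500"),
    "198.51.100.7": ("Lagos", 6.52, 3.38, "AS64511"),
}

# Constructed sign-in records, simplified from the Entra sign-in log: one
# interactive MFA sign-in establishes session S1; later non-interactive entries
# are the same session token being used to obtain fresh access tokens.
SAMPLE_SIGNINS = [
    {"time": "2026-03-02T09:00:00", "user": "cfo@contoso.example", "ip": "203.0.113.10",
     "interactive": True, "mfa": True, "session": "S1"},
    {"time": "2026-03-02T09:04:00", "user": "cfo@contoso.example", "ip": "203.0.113.11",
     "interactive": False, "mfa": True, "session": "S1"},   # same office network: benign
    {"time": "2026-03-02T09:31:00", "user": "cfo@contoso.example", "ip": "198.51.100.7",
     "interactive": False, "mfa": True, "session": "S1"},   # cookie replayed from elsewhere
    {"time": "2026-03-02T10:15:00", "user": "ap@contoso.example", "ip": "203.0.113.10",
     "interactive": True, "mfa": True, "session": "S2"},
]


def haversine_km(ip_a: str, ip_b: str) -> float:
    """Great-circle distance between the locations of two IPs in the GEO table."""
    _, lat1, lon1, _ = GEO[ip_a]
    _, lat2, lon2, _ = GEO[ip_b]
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def flag_session_reuse(events: list, max_km: float = 200.0) -> list:
    """Sessions whose token is later used far from, or from a different ASN than,
    the network where the interactive MFA sign-in created them."""
    findings, origin = [], {}
    for ev in sorted(events, key=_ts):
        key = (ev["user"], ev["session"])
        if ev["interactive"] and ev["mfa"] and key not in origin:
            origin[key] = ev            # the sign-in where MFA was actually performed
            continue
        if key not in origin:
            continue
        first = origin[key]
        km = haversine_km(first["ip"], ev["ip"])
        asn_changed = GEO[first["ip"]][3] != GEO[ev["ip"]][3]
        if km > max_km or asn_changed:
            findings.append({"user": ev["user"], "session": ev["session"], "ip": ev["ip"],
                             "km_from_origin": round(km), "asn_changed": asn_changed,
                             "minutes_after_mfa": (_ts(ev) - _ts(first)).seconds // 60})
    return findings


def flag_impossible_travel(events: list, max_kmh: float = 900.0) -> list:
    """Consecutive sign-ins by one user that would need faster-than-airline travel."""
    findings, last = [], {}
    for ev in sorted(events, key=_ts):
        prev = last.get(ev["user"])
        if prev:
            km = haversine_km(prev["ip"], ev["ip"])
            hours = max((_ts(ev) - _ts(prev)).total_seconds() / 3600, 1 / 60)
            if km / hours > max_kmh:
                findings.append({"user": ev["user"], "from": GEO[prev["ip"]][0],
                                 "to": GEO[ev["ip"]][0], "kmh": round(km / hours)})
        last[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for f in flag_session_reuse(SAMPLE_SIGNINS):
        print("session reuse:", f)
    for f in flag_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", f)
```

The first check is the one that matters for adversary-in-the-middle theft: the attacker’s requests carry a session that already satisfied MFA, so they look like a routine token refresh rather than a new sign-in, and only the change of network gives them away. Tune max_km to your workforce’s real footprint; a 200 km default will be noisy for a distributed team, and a shared egress such as a corporate VPN will hide the distance signal, leaving the ASN change as the only tell.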

The practical SMB question

The practical question for an SMB is not whether MFA works. It does.

The practical question is this:

If an attacker stole a valid authenticated session tomorrow, how much damage could they do before your business noticed and responded?

That question is harder, better, and more honest than asking whether MFA is turned on.

What leadership should do this quarter

Review which accounts hold the most privilege and whether they use phishing-resistant authentication. Tighten approval processes for finance, identity changes, and urgent requests from leadership. Review sign-in and mailbox anomalies. Reduce shared or over-broad administrative access. Confirm that email security, identity controls, and user training are working together rather than in isolation.

And most importantly, stop treating MFA as the end of the identity conversation. In 2026, it is the beginning.

Why this matters now

The old attacker playbook depended heavily on password theft. The new one still uses passwords, but it increasingly aims beyond them. Phishing infrastructure is better. Session theft is more industrialized. Social engineering is becoming more believable. AI is making trust easier to manipulate. That is why so many organizations that believed they were “past the basics” are finding that the basics have changed.

MFA is still essential.

It is just no longer the whole answer.

How Veriti Spottr helps

Veriti Spottr helps SMBs identify external exposure, prioritize risk, and understand where attackers may have an easier path than leadership realizes. In a world of phishing infrastructure, spoofed domains, exposed services, and increasingly persuasive identity attacks, visibility matters.

If your business wants to strengthen identity security in a practical way, begin with what is visible, what is privileged, and what can be socially manipulated under pressure. That is where modern attacks still find their opening.

Because in 2026, “we have MFA” is a start.
It is not a strategy.

→ Visit Veriti Spottr to learn more
