The failure is trusting authentication outcomes without considering the human channel behind them. When an attacker is on the phone, they can coach the user through push approval, OTP entry, or recovery steps, so the login succeeds even though the session is coerced. Security teams need stronger assurance for identity actions that create persistence or privileged access.
Why This Matters for Security Teams
Vishing succeeds because it turns MFA from a technical control into a human negotiation. In SaaS environments, that matters more than many teams expect: the attacker does not need to defeat the authenticator if they can persuade the user to approve the session, reveal a code, or reset a factor. This is why guidance increasingly focuses on authenticating the action, not just the login, as reflected in the 52 NHI Breaches Analysis and the OWASP NHI Top 10.
Once an attacker gets a coerced approval, they can create persistence through new devices, session tokens, forwarding rules, OAuth grants, or admin consent flows. That means a successful MFA prompt can be the beginning of privilege escalation, not the end of the attack. Current guidance suggests treating MFA as one signal among many, especially for high-impact SaaS actions. In practice, many security teams encounter persistent access only after mailbox rules, API tokens, or delegated app grants have already been created.
How It Works in Practice
The weakness is not MFA itself, but the assumption that MFA approval always reflects informed user intent. A vishing call can create urgency, impersonate IT support, or frame a prompt as a recovery step. The user then approves a push, reads an OTP aloud, or authorizes a device enrollment. From the SaaS platform’s perspective, the authentication flow looks valid even though the human channel has been compromised.
Security teams should separate login verification from sensitive identity actions. For example, approving a sign-in is not the same as authorizing mailbox delegation, resetting a factor, or granting an OAuth application persistent access. Stronger controls include:
- phishing-resistant MFA for initial authentication, with FIDO2 or passkeys where supported
- step-up checks for recovery, device enrollment, admin consent, and token issuance
- out-of-band verification for identity changes that create persistence
- conditional access that evaluates device posture, location, and risk at request time
- alerting on unusual SaaS actions immediately after MFA success
For broader threat context, CISA cyber threat advisories repeatedly emphasise social engineering as a primary access path, while the Salesloft OAuth token breach shows how a single trusted integration can become a durable foothold after initial compromise. These controls tend to break down in environments that still allow helpdesk-led MFA resets, legacy push approvals, or broad SaaS admin rights because the attacker only needs one socially engineered exception.
Common Variations and Edge Cases
Tighter identity controls often increase user friction and helpdesk load, so organisations must balance recovery speed against abuse resistance. That tradeoff is real, especially in SaaS estates where business users expect fast self-service support.
There is no universal standard for every recovery workflow yet, but current guidance suggests treating the highest-risk paths differently from normal sign-in. Password resets, factor replacement, new device enrollment, and privileged consent should require stronger proof than a routine login. In some environments, this means helpdesk actions need their own approval chain and full audit logging; in others, it means blocking remote resets entirely for privileged accounts.
Edge cases matter. Push fatigue attacks can still work even without vishing. SMS OTP remains vulnerable to relay and interception. Break-glass accounts should not rely on the same MFA path as everyday users. And where SaaS platforms expose API tokens or delegated access, a coerced sign-in can translate into long-lived access unless token lifetime and scope are tightly constrained. The The State of Secrets in AppSec report is useful here because it highlights how long-lived credentials and weak operational discipline create persistence beyond the original compromise. For threat modelling, the Anthropic report on AI-orchestrated cyber espionage and MITRE ATLAS adversarial AI threat matrix both reinforce the broader point: attackers optimise for the human path when the technical path is hardened.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Social engineering and deceptive approvals mirror agent misuse of trusted actions. |
| CSA MAESTRO | IAM | Covers identity assurance and authorization for autonomous or delegated actions. |
| NIST AI RMF | Supports governance of risky AI-enabled social engineering and identity decisions. |
Treat identity approvals as high-risk actions and require stronger checks before granting persistence.
