TL;DR: AI-powered phishing in 2026 is shifting from password theft to real-time session hijacking, with AiTM proxying, MFA fatigue, fallback abuse, and consent phishing weakening controls that were tuned for automated attacks, according to WorkOS and cited incident data. MFA still matters, but authentication alone no longer closes the gap between login success and session compromise.
NHIMG editorial — based on content published by WorkOS: How attackers are bypassing MFA using AI in 2026
By the numbers:
- MFA weaknesses featured in the incidents Cisco Talos responded to in early 2024.
- By mid-2025, Tycoon 2FA accounted for roughly 62% of the phishing volume Microsoft blocked.
- Research shows that 60% of recipients fall for AI-generated phishing emails.
Questions worth separating out
Q: How should security teams reduce MFA bypass risk in phishing attacks?
A: Teams should treat MFA as a baseline, not a finish line.
Q: Why do fallback authentication methods create so much risk after passkey rollout?
A: Fallback methods create risk because attackers target the weakest available route, not the strongest one.
Q: What breaks when organisations ignore session security after MFA?
A: What breaks is the assumption that a successful login equals a secure session.
Practitioner guidance
- Harden the post-login trust boundary: add device binding, token lifetime limits, and anomaly checks for session replay so a successful MFA event does not become a standing pass to SaaS access.
- Remove weak fallback routes: disable SMS, push approval, and weak reset paths once phishing-resistant methods are rolled out, especially for admin, finance, and support accounts.
- Govern OAuth consent as privileged access: inventory user-granted applications, restrict high-risk consent, and require review for apps that hold broad scopes or long-lived refresh tokens.
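The first point above (device binding, lifetime limits, replay anomaly checks) is the one most often left abstract, so here is an added example of what the post-login trust boundary looks like in code. It is not code from the WorkOS article or from this editorial: the signing key, the client records, the ASN values and the `device_key_thumbprint` field are constructed, and the design assumes the browser proves possession of a device-held key (for example a TLS client certificate) on every request, which an AiTM proxy relaying the victim's login never obtains.

```python
# Added example (not from the WorkOS article or this editorial): a minimal
# session-token layer that binds the session to a device-held key, caps absolute
# and idle lifetime, and treats a cookie replayed from another device or network
# as an anomaly. Key material, client records and ASNs below are constructed.
import base64
import hashlib
import hmac
import json

# Assumption: in production this key lives in a KMS/HSM; it is a constant here
# only so the example runs stand-alone.
SERVER_KEY = b"constructed-demo-signing-key"
MAX_LIFETIME_S = 8 * 3600   # absolute session lifetime after the MFA event
IDLE_TIMEOUT_S = 30 * 60    # require step-up after this much inactivity


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def device_fingerprint(client: dict) -> str:
    """Hash of a device-held credential the client proves possession of on each
    request (assumed here: a TLS client-certificate thumbprint). An AiTM proxy
    captures the cookie but not that private key, so it cannot present it.
    User-agent strings are deliberately not used: whoever holds the cookie
    can copy those too."""
    return hashlib.sha256(client["device_key_thumbprint"].encode()).hexdigest()


def issue_session(subject: str, client: dict, now: float) -> str:
    """Mint a signed session token bound to the device and network seen at login."""
    payload = {
        "sub": subject,
        "iat": int(now),
        "exp": int(now) + MAX_LIFETIME_S,
        "dev": device_fingerprint(client),
        "asn": client["asn"],  # network the successful MFA event came from
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_session(token: str, client: dict, now: float, last_seen: float) -> tuple:
    """Return (decision, reason); decision is "allow", "step_up" or "deny"."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return "deny", "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "deny", "bad_signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return "deny", "lifetime_exceeded"          # hard cap: no standing pass
    if now - last_seen > IDLE_TIMEOUT_S:
        return "step_up", "idle_timeout"            # re-prove presence, do not drop session
    if payload["dev"] != device_fingerprint(client):
        return "deny", "device_mismatch"            # replayed cookie from another host
    if payload["asn"] != client["asn"]:
        return "step_up", "network_change"          # same device, new network: challenge
    return "allow", "ok"


def demo() -> dict:
    """Constructed scenario: victim logs in, attacker replays the captured cookie."""
    t0 = 1_700_000_000.0
    victim = {"device_key_thumbprint": "sha256:victim-laptop-cert", "asn": "AS64500"}
    # Attacker host holds the cookie string but not the victim's device key.
    attacker = {"device_key_thumbprint": "sha256:attacker-vps-cert", "asn": "AS64496"}
    token = issue_session("alice@example.test", victim, t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "legit": validate_session(token, victim, t0 + 60, last_seen=t0),
        "replayed_from_attacker": validate_session(token, attacker, t0 + 60, last_seen=t0),
        "same_device_new_network": validate_session(token, {**victim, "asn": "AS64497"}, t0 + 60, last_seen=t0),
        "after_idle": validate_session(token, victim, t0 + IDLE_TIMEOUT_S + 1, last_seen=t0),
        "after_lifetime": validate_session(token, victim, t0 + MAX_LIFETIME_S, last_seen=t0 + MAX_LIFETIME_S - 1),
        "tampered": validate_session(tampered, victim, t0 + 60, last_seen=t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} -> {result}")
```

The point the demo makes is the one in the guidance: the cookie stolen through an AiTM proxy is a valid, correctly signed token, yet it is denied because the attacker's host cannot present the device key it was bound to. A device change is a hard deny, while a network change or idle gap only forces step-up, which keeps the anomaly checks tolerable for mobile users without turning one MFA success into an indefinite pass.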
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- The specific examples of AiTM, vishing, and MFA fatigue techniques described in the article.
- The defensive checklist for deploying FIDO2, passkeys, and session-layer monitoring in parallel.
- The article's discussion of OAuth consent abuse and why authorization governance must sit alongside authentication.
- The source's examples of fallback removal and token-lifetime reduction decisions.
👉 Read WorkOS's analysis of AI phishing, MFA bypass, and session theft →
AI phishing and MFA bypass: are your controls keeping up?
Explore further
MFA has been over-scoped as an authentication control when the real failure is session governance. The article shows that attackers are no longer trying to beat the login challenge alone. They are stealing the authenticated session, which means the operational boundary has moved from authentication to post-authentication assurance. Security programmes that still treat MFA success as equivalent to trust completion are managing the wrong control plane.
A few things that frame the scale:
- Only about 15% of organisations (1.5 in 10) are highly confident in their ability to secure non-human identities (NHIs), compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- That same research found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting partial visibility.
A question worth separating out:
Q: Who is accountable when OAuth consent grants outlive authentication?
A: The accountable owners are the IAM, app governance, and security teams together, because OAuth consent is an authorization control, not a login control. If users can grant broad app access without review, the risk persists after password resets and MFA changes. Governance must cover who can consent, which scopes are allowed, and how tokens are revoked.
👉 Read our full editorial: AI phishing is bypassing MFA through session theft and fallback abuse