TL;DR: Token theft accounted for 31% of MFA bypass attacks in the 2025 Verizon DBIR, while phishing-as-a-service and deepfake voice cloning let low-skilled attackers evade rule-based checks and come close to completing a $240K fraud, according to Abnormal AI. The real security gap is not authentication alone, but whether security programmes can distinguish normal from abnormal behaviour across identity and SaaS activity once an attacker is already inside a valid session.
NHIMG editorial — based on content published by Abnormal AI: Key Insights on MFA bypass, phishing-as-a-service, and behavioural AI detection
By the numbers:
- 31% of MFA bypass attacks in the 2025 Verizon DBIR relied on token theft, making session hijacking the top MFA evasion technique.
Questions worth separating out
Q: How should security teams respond when attackers steal a valid session instead of a password?
A: They should treat the session as compromised, not just the password.
Q: Why do rule-based controls fail against phishing-as-a-service and deepfakes?
A: Rule-based controls fail because these attacks borrow trusted infrastructure, familiar sender patterns, and convincing human signals.
Q: What should organisations measure to know whether behavioural detection is working?
A: They should measure whether the platform flags abnormal sequences across email, identity, and SaaS activity before the attacker completes a fraudulent action.
Practitioner guidance
- Treat session theft as a primary access pathway: instrument detection for token replay, cookie theft, and unusual session reuse across identity and SaaS logs, for example the same session presenting from a new network, country, or user agent without a fresh authentication.
- Reduce trust in human-verification workflows: require additional, out-of-band verification for payment changes, vendor updates, and other high-risk requests when the request originates from a recently compromised account or a lookalike domain, or when the only confirmation is a voice call.
- Detect legitimate tools used for malicious control: flag remote-access software, cloud collaboration services, and OAuth-connected apps when their behaviour diverges from the normal role, frequency, or geography of the account using them.
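To make the first and third items concrete, here is an added example that runs two simple behavioural checks over constructed identity and SaaS log events: session reuse from a divergent context (ASN, country, user agent) without an intervening login, and an OAuth-connected app whose geography, action set, or hourly request rate diverges from its historical profile. This is illustrative code written for this editorial, not Abnormal AI's detection logic or code; the event schema, field names, application names, the `HIGH_RISK` action list, and the thresholds (60-minute travel window, 5x hourly burst ratio) are all assumptions.

```python
"""Two toy behavioural checks over constructed log events (hypothetical schema):
(1) a session used from a context that differs from the one set at login, and
(2) an OAuth app diverging from its baseline geography, actions, or rate.
Added illustrative code; not Abnormal AI's detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of actions that matter most once a session is hijacked.
HIGH_RISK = {"inbox_rule.create", "mfa.reset", "payment.update", "oauth.consent"}
CONTEXT = ("asn", "country", "ua")  # fields that define a session's context


def ev(ts, user, session, asn, country, ua, action, app=None):
    """Build one constructed log event (hypothetical schema)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "session": session,
            "asn": asn, "country": country, "ua": ua, "action": action, "app": app}


# Constructed events: alice's session cookie is replayed from a hosting ASN in NL,
# then used to create an inbox rule. bob's second session is a fresh login (benign).
SESSION_EVENTS = [
    ev("2025-06-01T09:00", "alice", "s-1", "AS1-corp", "GB", "Chrome/125", "login"),
    ev("2025-06-01T09:05", "alice", "s-1", "AS1-corp", "GB", "Chrome/125", "mail.read"),
    ev("2025-06-01T09:12", "alice", "s-1", "AS9-host", "NL", "python-requests/2.31", "mail.read"),
    ev("2025-06-01T09:13", "alice", "s-1", "AS9-host", "NL", "python-requests/2.31", "inbox_rule.create"),
    ev("2025-06-01T10:00", "bob", "s-2", "AS1-corp", "GB", "Chrome/125", "login"),
    ev("2025-06-01T10:30", "bob", "s-2", "AS1-corp", "GB", "Chrome/125", "file.read"),
    ev("2025-06-01T11:00", "bob", "s-3", "AS2-home", "GB", "Chrome/125", "login"),
    ev("2025-06-01T11:01", "bob", "s-3", "AS2-home", "GB", "Chrome/125", "file.read"),
]


def session_context_anomalies(events, travel_window=timedelta(minutes=60)):
    """Flag events whose context differs from the context established at login,
    with no login in between. A country change within travel_window of the last
    event seen in the established context is also marked as impossible travel."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        baseline, last_ok_ts = None, None
        for e in evs:
            ctx = tuple(e[k] for k in CONTEXT)
            if e["action"] == "login" or baseline is None:
                baseline, last_ok_ts = ctx, e["ts"]  # a real login resets the context
                continue
            changed = [f"{k} {b}->{c}" for k, b, c in zip(CONTEXT, baseline, ctx) if b != c]
            if not changed:
                last_ok_ts = e["ts"]
                continue
            impossible = e["country"] != baseline[1] and e["ts"] - last_ok_ts <= travel_window
            findings.append({"session": sid, "user": e["user"], "ts": e["ts"].isoformat(),
                             "action": e["action"], "changed": changed,
                             "impossible_travel": impossible,
                             "high_risk_action": e["action"] in HIGH_RISK})
    return findings


def oauth_baseline(events):
    """Per-app profile from historical events: countries, actions, peak hourly rate."""
    profile = defaultdict(lambda: {"countries": set(), "actions": set(), "peak_hourly": 0})
    hourly = defaultdict(int)
    for e in events:
        profile[e["app"]]["countries"].add(e["country"])
        profile[e["app"]]["actions"].add(e["action"])
        hourly[(e["app"], e["ts"].replace(minute=0, second=0))] += 1
    for (app, _), n in hourly.items():
        profile[app]["peak_hourly"] = max(profile[app]["peak_hourly"], n)
    return profile


def oauth_app_anomalies(profile, events, burst_ratio=5.0):
    """Flag app activity outside its baseline geography or action set, or an hourly
    volume above burst_ratio times the historical peak. Returns sorted, deduplicated tuples."""
    findings, hourly = set(), defaultdict(int)
    for e in events:
        p = profile.get(e["app"])
        if p is None:  # app never seen before: worth a look on its own
            findings.add((e["app"], "unknown app", e["action"]))
            continue
        if e["country"] not in p["countries"]:
            findings.add((e["app"], "new country", e["country"]))
        if e["action"] not in p["actions"]:
            findings.add((e["app"], "new action", e["action"]))
        hourly[(e["app"], e["ts"].replace(minute=0, second=0))] += 1
    for (app, hour), n in hourly.items():
        if n > burst_ratio * profile[app]["peak_hourly"]:
            findings.add((app, "burst", f"{n} events in hour {hour.isoformat()}"))
    return sorted(findings)


# Constructed history: "crm-sync" reads contacts from the US, 20 times per hour.
OAUTH_HISTORY = [ev(f"2025-05-0{d}T{h:02d}:{m:02d}", "svc-crm", f"o-{d}{h}", "AS5-saas", "US",
                    "crm-sync/1.0", "contacts.read", app="crm-sync")
                 for d in (1, 2) for h in (9, 10, 11) for m in range(0, 60, 3)]
# Constructed recent activity: 120 contact reads plus a mailbox read in one hour, from NL.
OAUTH_RECENT = [ev(f"2025-06-01T14:{m:02d}", "svc-crm", "o-x", "AS9-host", "NL",
                   "crm-sync/1.0", "contacts.read", app="crm-sync") for m in range(60)] * 2
OAUTH_RECENT.append(ev("2025-06-01T14:30", "svc-crm", "o-x", "AS9-host", "NL",
                       "crm-sync/1.0", "mail.read", app="crm-sync"))

if __name__ == "__main__":
    for f in session_context_anomalies(SESSION_EVENTS):
        print("SESSION", f)
    for f in oauth_app_anomalies(oauth_baseline(OAUTH_HISTORY), OAUTH_RECENT):
        print("OAUTH", f)
```

The session check deliberately keys on the session identifier rather than the user, because the point of token theft is that the attacker never produces a login event of their own; a fresh login from a new location (bob's `s-3`) is not flagged, while a replayed cookie in `s-1` is. In production the context fields would come from your IdP and SaaS audit logs and the thresholds would be tuned per tenant; the structure of the checks is what the example is meant to show.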
What's in the full article
Abnormal AI's full analysis covers the operational detail this post intentionally leaves for the source:
- Breakdown of the specific phishing-as-a-service and adversary-in-the-middle techniques used to capture sessions and bypass MFA
- Examples of how ScreenConnect, SharePoint, and OAuth abuse blend into normal enterprise traffic
- Details of the deepfake fraud workflow, including the phone-verification bypass path and the behavioural AI signals that exposed it
- Context on how Abnormal maps its detection approach across email, identity, and SaaS activity
👉 Read Abnormal AI's analysis of MFA bypass, PhaaS, and deepfake fraud →
MFA bypass, token theft, and deepfakes: are controls keeping up?
Explore further
Session trust debt is now a governance problem, not just a detection problem: Identity programmes still assume that a successful authentication event buys a period of trustworthy behaviour. That assumption breaks when attackers steal sessions, use real tools, and inherit the legitimacy of normal workflows. The implication is that access assurance has to extend beyond the login checkpoint and into the behaviour of the session itself.
Session trust debt: organisations are still over-investing in front-door authentication while attackers operate inside valid sessions. The programme shift is toward continuous evaluation of identity behaviour, because a login event no longer proves the current actor is trustworthy.
A question worth separating out:
Q: How do IAM and security teams balance MFA with behavioural controls?
A: MFA should remain a baseline control, but it must be paired with session monitoring, anomaly detection, and stronger verification for high-risk actions. The right comparison is not MFA versus behaviour analytics. The practical answer is layered trust, where authentication, session quality, and post-login behaviour are all evaluated together.
👉 Read our full editorial: Behavioral AI exposes where MFA and rule-based controls fail