Three separate research teams published findings this week about three different attack groups. None of them set out to tell the same story. They did anyway.

The story: if your security architecture treats MFA as the final barrier, you’re already behind.

At login: Venom PhaaS, a phishing-as-a-service platform that had not previously been documented in public threat intel, spent four-plus months targeting senior executives across 20-plus verticals. The platform proxies the real login page, relays the victim's MFA code in real time (adversary-in-the-middle), then immediately enrolls a second authenticator on the compromised account. The victim's original device is untouched and still works. Nothing visible changes. The attacker now has persistent access through their own enrolled device.

The second mode is worse in a quieter way. It abuses Microsoft's device code authorization flow: the attacker starts the flow, passes the resulting code to the victim, and the victim completes a genuine Microsoft sign-in, MFA included, on a legitimate Microsoft page. No spoofed domain is involved. The tokens land in the attacker's client, and the refresh token survives a password reset and keeps working until an admin manually revokes all active sessions.

At the helpdesk: Google's Threat Intelligence Group published findings on UNC6783, a group targeting business process outsourcers and corporate helpdesks. They social-engineer support staff over live chat and with spoofed Okta pages, and at some point convince someone to paste an MFA code where the attacker can read it. The attacker enrolls their own device. Done. This is the Scattered Spider playbook applied to the BPO supply chain, and it keeps working because helpdesk staff are human.
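Both the Venom enrollment step and the UNC6783 helpdesk play end the same way: a new authenticator appears on the account shortly after a sign-in the user did not make. What follows is an added example, not code from any of the three reports, of the correlation a detection engineer would write for that. It runs over a constructed set of sign-in and audit events whose field names (user, ip, protocol, activity) loosely follow Entra ID's sign-in and audit logs, flags a security-info registration that follows a sign-in from an IP the user has never used before, and separately flags any device code sign-in. The baseline IPs, the 30-minute window and every event are assumptions made up for the example.

```javascript
// Added example: correlation rules over constructed identity log events.
// Not code from any of the three reports. Field names loosely follow Entra ID
// sign-in logs (user, ip, protocol) and audit logs (activity); the baseline,
// the window and every event below are made up for the example.
const RULE_WINDOW_MS = 30 * 60 * 1000;   // assumed: registration within 30 min of a suspicious sign-in
const min = (n) => n * 60 * 1000;        // minutes -> ms, for readable sample timestamps

// Assumed per-user baseline of source IPs seen recently (RFC 5737 documentation ranges).
const BASELINE = new Map([
  ['cfo@example.com',   new Set(['203.0.113.10'])],
  ['admin@example.com', new Set(['203.0.113.20'])],
]);

// Constructed events, deliberately unsorted; protocol 'deviceCode' marks a device code flow sign-in.
const SAMPLE_EVENTS = [
  { t: min(0),   type: 'signin', user: 'cfo@example.com',   ip: '203.0.113.10', protocol: 'browser' },
  { t: min(8),   type: 'audit',  user: 'cfo@example.com',   activity: 'User registered security info' },
  { t: min(5),   type: 'signin', user: 'cfo@example.com',   ip: '198.51.100.7', protocol: 'browser' },    // AiTM relay
  { t: min(60),  type: 'signin', user: 'admin@example.com', ip: '203.0.113.20', protocol: 'browser' },
  { t: min(65),  type: 'audit',  user: 'admin@example.com', activity: 'User registered security info' }, // legit re-enrolment
  { t: min(90),  type: 'signin', user: 'cfo@example.com',   ip: '198.51.100.9', protocol: 'deviceCode' }, // device code phish
  { t: min(200), type: 'signin', user: 'cfo@example.com',   ip: '203.0.113.10', protocol: 'browser' },
  { t: min(205), type: 'audit',  user: 'cfo@example.com',   activity: 'User registered security info' }, // user's own, known IP
];

// Walks the events in time order and applies two rules:
//  1. security-info registration within RULE_WINDOW_MS of the user's most recent
//     sign-in, when that sign-in came from an IP not in the user's baseline;
//  2. any sign-in that used the device code flow.
function correlate(events, baseline) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  const lastSignin = new Map();   // user -> most recent sign-in event
  const alerts = [];
  for (const e of sorted) {
    if (e.type === 'signin') {
      lastSignin.set(e.user, e);
      if (e.protocol === 'deviceCode') {
        alerts.push({ rule: 'device-code-signin', user: e.user, t: e.t, ip: e.ip });
      }
    } else if (e.type === 'audit' && e.activity === 'User registered security info') {
      const prev = lastSignin.get(e.user);
      const known = baseline.get(e.user) || new Set();
      if (prev && !known.has(prev.ip) && e.t - prev.t <= RULE_WINDOW_MS) {
        alerts.push({
          rule: 'new-authenticator-after-unknown-ip-signin',
          user: e.user, t: e.t, ip: prev.ip, signinAt: prev.t,
        });
      }
    }
  }
  return alerts;
}

function runSample() {
  return correlate(SAMPLE_EVENTS, BASELINE);
}

console.log(runSample()); // two alerts: the CFO's registration after the relay, and the device code sign-in
```

Over the sample this fires twice and stays quiet for the admin's re-enrolment from a known IP. In production the baseline would be ASN or country rather than exact IP, and the same shape applies to an Okta system log with its own field names; the point is that the enrollment event, not the sign-in, is the high-signal moment in both attack chains.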

After login: Even if you clear both those bars, infostealers take the session cookie after authentication. The cookie is the post-login artifact; replayed from another machine it needs no password and no MFA code, so MFA never gets involved. Chrome 146 ships Device Bound Session Credentials (DBSC) to address this directly. The browser generates a per-session private key, kept in the device's TPM where one is available, registers the public key with the site, and the site issues short-lived cookies that can only be renewed by signing a fresh server challenge with that key. A stolen cookie expires quickly and can't be renewed without the private key. Google has been running DBSC on its own properties for a year and has measurable results.

Map the three: Venom bypasses MFA at login. UNC6783 bypasses it at the helpdesk. Infostealers bypass it entirely post-login. FIDO2 hardware keys address the first two: a WebAuthn credential is bound to the site's origin, so a proxy on a lookalike domain gets nothing it can relay, and a helpdesk that cannot enroll or reset factors on request has nothing to hand over. DBSC addresses the third. One caveat on the first: Venom's device code mode never shows the victim a fake page, so a hardware key does not stop it. The fix there is to block or restrict the device code flow itself (Entra Conditional Access can target it as an authentication flow). None of these attacks work the same way against hardware-bound authentication.

You have MFA. The question is whether you still think that’s enough.


The full breakdown of all three attack vectors and where the actual defense lives