
The $50,000 Cookie: Why "Standard" MFA is No Longer Enough for Your Business

April 25, 2026 by support@aits.ca

By Jaspreet Singh, CISM

Founder, Accelerate IT Services (AITS)

For years, business leaders have viewed Multi-Factor Authentication (MFA) as a comprehensive cybersecurity solution. Many assumed that requiring employees to approve access on their phones was sufficient protection.

We were wrong.

In our recent security lab at f11.ca (EID-EXP-017), we demonstrated that modern attackers can bypass standard MFA in less than 60 seconds. Instead of stealing passwords, they are capturing session tokens.

The "Golden Ticket" Attack: What is Session Hijacking?

In Lab EID-EXP-017, we used an Adversary-in-the-Middle (AiTM) framework to intercept communication between a user and their Microsoft 365 login.

When an employee enters their credentials and approves the MFA prompt, they believe they are communicating with Microsoft. In fact, they are interacting with a proxy controlled by an attacker, who intercepts the session token—the digital "cookie" that confirms authentication to Microsoft.

As a result, the attacker can use the intercepted token to access the victim's inbox directly, without needing a password or triggering an MFA prompt.

The Business Impact: Beyond the Technical Breach

When a session is hijacked, attackers do not simply observe; they seek financial gain. For business leaders, this can result in three major risks:

1. Business Email Compromise (BEC) & Wire Fraud

Once inside an executive’s inbox, the attacker may spend days silently monitoring communications. They identify vendors, invoice formats, and upcoming payments, then use the compromised account to send a "Change of Banking Details" email to clients. Cost: Average BEC losses in 2025/2026 often exceed $50,000 to $100,000 per incident. (FBI’s IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years, 2025)

2. Data Exfiltration & Extortion

With a valid session token, the attacker gains the same permissions as the employee. They can download the entire SharePoint library, client lists, and intellectual property without triggering any failed login alerts.

3. Cyber Insurance Denials

This is the current reality in 2026. Insurance providers are increasingly technical. If your policy requires "Modern MFA" and a breach occurs through a legacy push-notification system considered vulnerable, your claim may be denied for not maintaining industry-standard controls. (Schomaker, 2026)

The Hidden Costs of Recovery

A breach discovered after 30 days is significantly more costly than one detected in real time. (Institute, n.d.)

  • Forensics: Hiring specialists to find out what was stolen.
  • Legal & Notification: Meeting privacy breach requirements in Saskatchewan and BC.
  • Reputation: The loss of trust that occurs when clients are informed their payment was sent to a fraudulent account.

The Solution: Moving to Phishing-Resistant Identity

The key lesson from Lab EID-EXP-017 is that convenience can undermine security. To protect your business, transition from push-based MFA to phishing-resistant MFA.

This includes:

  • FIDO2 Security Keys: Physical keys whose credentials are bound to the legitimate site's origin, so a proxy on an attacker's domain cannot capture or replay the sign-in.
  • Windows Hello for Business: A biometric or PIN unlock of a key that is tied directly to a trusted device and cannot be entered into a phishing page.
  • Strict Conditional Access: Allowing only managed devices to access corporate data, so a stolen token presented from an unmanaged machine is refused.
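Two checks a defender can run over sign-in and activity logs follow on from the points above: the stolen token in the lab produced no failed logins, so the signal to look for is an existing session suddenly used from a different address or client, and the remediation starts with an inventory of sign-ins that still rely on non-phishing-resistant methods. The code below is an added illustration, not from AITS or the lab; the event records and field names are constructed sample data, not the Microsoft 365 log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Each record is one sign-in or
# mailbox action, keyed by the session the token belongs to.
EVENTS = [
    {"ts": "2026-04-20T09:00:05Z", "user": "ceo@example.com", "session": "S1",
     "ip": "203.0.113.10", "agent": "Edge/Win", "event": "signin", "mfa": "push"},
    {"ts": "2026-04-20T09:01:30Z", "user": "ceo@example.com", "session": "S1",
     "ip": "203.0.113.10", "agent": "Edge/Win", "event": "mail.read", "mfa": None},
    # Same session token, minutes later, from a new address and a scripted client.
    {"ts": "2026-04-20T09:03:00Z", "user": "ceo@example.com", "session": "S1",
     "ip": "198.51.100.77", "agent": "Python/req", "event": "mail.read", "mfa": None},
    {"ts": "2026-04-20T10:00:00Z", "user": "cfo@example.com", "session": "S2",
     "ip": "192.0.2.5", "agent": "Edge/Win", "event": "signin", "mfa": "fido2"},
    {"ts": "2026-04-20T10:05:00Z", "user": "cfo@example.com", "session": "S2",
     "ip": "192.0.2.5", "agent": "Edge/Win", "event": "mail.read", "mfa": None},
]

# Method labels are assumed; map them to whatever your identity provider emits.
PHISHING_RESISTANT = {"fido2", "whfb", "certificate"}


def find_session_anomalies(events, window=timedelta(hours=1)):
    """Flag activity whose IP or user agent differs from the one seen when the
    session was first established, within `window` of that first event.
    Returns a list of (session, user, timestamp, reason) tuples."""
    first_seen = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if e["session"] not in first_seen:
            first_seen[e["session"]] = (ts, e["ip"], e["agent"])
            continue
        t0, ip0, agent0 = first_seen[e["session"]]
        reasons = []
        if e["ip"] != ip0:
            reasons.append(f"ip {ip0} -> {e['ip']}")
        if e["agent"] != agent0:
            reasons.append(f"agent {agent0!r} -> {e['agent']!r}")
        if reasons and ts - t0 <= window:
            alerts.append((e["session"], e["user"], e["ts"], "; ".join(reasons)))
    return alerts


def non_phishing_resistant_signins(events):
    """List (user, method) for sign-ins that did not use a phishing-resistant method."""
    return [(e["user"], e["mfa"]) for e in events
            if e["event"] == "signin" and e["mfa"] not in PHISHING_RESISTANT]
```

Because the victim's own traffic in an AiTM attack also arrives from the proxy, the first IP recorded for a session may already be the attacker's; compare against the user's known devices and locations as well, and treat this heuristic as one signal among several.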

Is Your Business Vulnerable?

At Accelerate IT Services (AITS), we go beyond basic compliance. We audit your identity perimeter to determine if it can withstand the real-world attacks demonstrated in our labs.

Do not wait for a costly breach. If you are an IT leader or business owner in Regina or Vancouver, contact us today for an Identity Security Audit. Let’s ensure your MFA provides robust protection.


References

Nacha. (2025, April 23). FBI’s IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years. https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years

Schomaker, L. (2026, January 20). 82% of Cyber Insurance Denied Claims Had One Thing in Common. IntelTech. https://www.inteltech.com/82-of-cyber-insurance-denied-claims-had-one-thing-in-common/

Institute, P. (n.d.). IBM Cost of a Data Breach 2025 Report. IBM. https://www.ibm.com/security/data-breach
