Session Tokens Are the New Passwords (And MFA Won't Save You)
Attackers have shifted from stealing passwords to stealing session tokens. Here's why MFA alone isn't enough to protect your firm's Microsoft 365 environment in 2026.
We’ve spent years training people to use strong passwords and enable MFA. That was the right advice. It still is. But the attack landscape has moved, and the firms that think MFA is their finish line are increasingly the ones getting compromised.
The shift is straightforward: attackers have stopped trying to crack your password and started stealing what comes after authentication. Session tokens. The small pieces of data that keep you logged into Microsoft 365, your practice management system, your document portal, and your tax software without re-entering your credentials every few minutes.
If an attacker gets a valid session token, MFA is irrelevant. The session is already authenticated. They walk in as you.
How session tokens get stolen
There are several active methods. None of them requires the attacker to know your password.
Adversary-in-the-middle (AiTM) phishing. This is now the default phishing method, not the exception. Phishing-as-a-service kits like Tycoon 2FA (which accounted for 62% of phishing detected by Microsoft last year) sit between you and the real login page. You enter your credentials and complete MFA normally. The kit captures your session token in real time and hands it to the attacker. From your perspective, nothing went wrong. You logged in successfully.
Device code phishing. The FBI warned last week about Kali365, a phishing platform that abuses Microsoft’s OAuth device authorization flow. You receive what looks like a legitimate request to authorize an app. You enter a code on a real Microsoft page. The attacker gets a token that grants persistent access to your mailbox, files, and calendar. We wrote about this attack type in April when EvilTokens was the primary kit. Kali365 is the next generation: AI-generated lures, automated campaigns, real-time victim tracking.
Infostealers targeting browser sessions. The REMUS infostealer (active since February 2026) doesn’t bother with passwords at all. It targets browser session cookies and password manager extensions directly, pulling active tokens from Chrome, Edge, and Firefox. Microsoft Edge was also caught loading all saved passwords into cleartext memory at startup (disclosed and patched in May). These aren’t targeted attacks on high-value individuals. They’re mass-harvested and sold on criminal marketplaces.
OAuth consent abuse. An employee authorizes a third-party app (maybe an AI tool, maybe a productivity plugin) with their Microsoft 365 account. That app now has a persistent OAuth token granting access to email, files, or calendar data. No password needed, no MFA prompted. The Vercel breach earlier this year happened exactly this way. Push Security’s research found that ConsentFix, originally an APT29 technique, has already been commercialized on criminal forums.
Why this matters for professional services firms
Law firms and CPA practices live in their browsers. M365 is the hub for email, documents, client data, and increasingly, AI tools. A compromised session token gives an attacker the same access as the person who authenticated, which for a managing partner or senior associate means client matters, financial records, privileged communications, and trust accounting.
The pattern we described in April (most attacks start with a login, not an exploit) is still accurate. But the “login” part has evolved. Attackers aren’t trying to guess your password anymore. They’re letting you authenticate successfully and then taking the result.
What “protected” actually looks like now
MFA is still necessary. Turn it off and you’re exposed to basic credential stuffing within hours. But treating MFA as sufficient is the gap. A few things actually help:
Conditional Access policies with token protection. Microsoft’s token binding (now GA in Entra ID) ties session tokens to the specific device that created them. A stolen token can’t be replayed from a different machine. Most small firms aren’t using this yet, and it’s probably the biggest gap between “has MFA” and “actually hardened.”
Restrict device code authentication. The FBI’s specific recommendation: block or restrict the device code flow via Conditional Access unless you have a legitimate use case (conference room displays, shared kiosks). Most firms don’t. This takes about 15 minutes to configure and eliminates the entire Kali365 attack surface.
Shorter token lifetimes. Default M365 session tokens last up to 72 hours. That’s a long window for an attacker holding a stolen token. Reducing token lifetime to 8-12 hours forces more frequent re-authentication, which limits how long a compromised session remains useful.
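As an added example (not code from the article, and not Microsoft's), here is how the two Conditional Access controls just described, blocking the device code flow and shortening the sign-in frequency, look as Graph-style policy bodies in Python, together with a small audit that checks whether a tenant's policy set actually closes both gaps. The property names follow the Microsoft Graph conditionalAccessPolicy schema as I know it; the policy display names, the break-glass group id and the audit function names are assumptions for illustration, and the 72-hour fallback is the default the paragraph above cites.

```python
"""Conditional Access policy bodies (Graph schema) plus a small audit.

Added example for the two controls above, not the article's code. The policy
display names and the break-glass group id are placeholders; the property names
follow the Microsoft Graph conditionalAccessPolicy resource.
"""
import json

# Hypothetical break-glass group excluded from both policies (placeholder id).
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-000000000000"

# Fallback when no policy enforces a sign-in frequency (the article's 72-hour default).
DEFAULT_SESSION_HOURS = 72


def device_code_block_policy() -> dict:
    """Block the OAuth device code flow for every user and every application."""
    return {
        "displayName": "Block device code flow (example)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flag string in Graph.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def sign_in_frequency_policy(hours: int) -> dict:
    """Force re-authentication every `hours` hours via a session control."""
    return {
        "displayName": f"Sign-in frequency {hours}h (example)",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
        },
        "sessionControls": {
            "signInFrequency": {
                "isEnabled": True,
                "type": "hours",
                "value": hours,
                "frequencyInterval": "timeBased",
            }
        },
    }


def blocks_device_code(policy: dict) -> bool:
    """True only for an enforced policy that blocks deviceCodeFlow for all users and apps."""
    if policy.get("state") != "enabled":  # report-only mode does not protect anyone
        return False
    cond = policy.get("conditions") or {}
    raw = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    flows = {m.strip() for m in raw.split(",") if m.strip()}
    all_users = "All" in ((cond.get("users") or {}).get("includeUsers") or [])
    all_apps = "All" in ((cond.get("applications") or {}).get("includeApplications") or [])
    blocked = "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])
    return "deviceCodeFlow" in flows and all_users and all_apps and blocked


def effective_session_hours(policies: list) -> int:
    """Shortest enforced sign-in frequency, in hours, or the 72-hour fallback."""
    best = DEFAULT_SESSION_HOURS
    for p in policies:
        if p.get("state") != "enabled":
            continue
        sif = (p.get("sessionControls") or {}).get("signInFrequency") or {}
        if not sif.get("isEnabled"):
            continue
        hours = sif["value"] * (24 if sif.get("type") == "days" else 1)
        best = min(best, hours)
    return best


def audit(policies: list) -> dict:
    """Summarise whether a tenant's policy set closes the two gaps discussed above."""
    return {
        "device_code_blocked": any(blocks_device_code(p) for p in policies),
        "effective_session_hours": effective_session_hours(policies),
    }


if __name__ == "__main__":
    tenant = [device_code_block_policy(), sign_in_frequency_policy(10)]
    print(json.dumps(audit(tenant), indent=2))
```

The audit deliberately treats a report-only policy as not protecting anything, and it only counts a device-code block that covers all users and all applications, since a narrower policy leaves the flow open elsewhere in the tenant.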
Impossible travel and anomalous session detection. If a partner logs in from Des Moines at 9 AM and the same session token appears in Eastern Europe at 9:15 AM, that should trigger an alert and automatic session revocation. This is what identity threat detection and response (ITDR) does, and it requires someone actively monitoring your sign-in logs, not just having them turned on.
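Below is an added example of the detection logic this paragraph describes, written in Python over a handful of constructed sign-in records shaped like Entra sign-in log entries (userPrincipalName, createdDateTime, ipAddress, location.geoCoordinates). It is not code from the article or from any ITDR product; the 900 km/h plausibility threshold, the 100 km minimum distance, the sample users, IPs and coordinates are assumptions chosen for illustration.

```python
"""Impossible-travel check over Entra-style sign-in records.

Added example, not the article's code or an ITDR product's. Records are
constructed inline; the plausibility threshold and minimum distance are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0     # assumption: ignore GeoIP jitter within one metro area

# Constructed sample records shaped like Entra sign-in log entries (times in UTC).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "partner@example-firm.test", "createdDateTime": "2026-06-02T14:00:00Z",
     "ipAddress": "203.0.113.10",
     "location": {"city": "Des Moines", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 41.5868, "longitude": -93.6250}}},
    {"userPrincipalName": "partner@example-firm.test", "createdDateTime": "2026-06-02T14:15:00Z",
     "ipAddress": "198.51.100.77",
     "location": {"city": "Bucharest", "countryOrRegion": "RO",
                  "geoCoordinates": {"latitude": 44.4268, "longitude": 26.1025}}},
    {"userPrincipalName": "associate@example-firm.test", "createdDateTime": "2026-06-02T13:00:00Z",
     "ipAddress": "203.0.113.11",
     "location": {"city": "Des Moines", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 41.5868, "longitude": -93.6250}}},
    {"userPrincipalName": "associate@example-firm.test", "createdDateTime": "2026-06-02T18:00:00Z",
     "ipAddress": "192.0.2.5",
     "location": {"city": "Chicago", "countryOrRegion": "US",
                  "geoCoordinates": {"latitude": 41.8781, "longitude": -87.6298}}},
]


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _when(rec: dict) -> datetime:
    # fromisoformat on Python < 3.11 does not accept a trailing "Z".
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair whose implied speed is implausible."""
    by_user = {}
    for rec in sorted(signins, key=_when):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)

    alerts = []
    for upn, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            g1 = prev["location"]["geoCoordinates"]
            g2 = cur["location"]["geoCoordinates"]
            dist = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            if dist < min_km:
                continue  # same area, different IP: not worth an alert on its own
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            # Two distant sign-ins at the same instant imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "userPrincipalName": upn,
                    "from": f'{prev["location"]["city"]} ({prev["ipAddress"]})',
                    "to": f'{cur["location"]["city"]} ({cur["ipAddress"]})',
                    "distance_km": round(dist, 1),
                    "elapsed_minutes": round(hours * 60, 1),
                    "speed_kmh": round(speed, 1),
                    "action": "alert and revoke sessions",  # the response the paragraph calls for
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

On the constructed data the partner's Des Moines-to-Bucharest pair is flagged (roughly 8,700 km in 15 minutes), while the associate's Des Moines-to-Chicago pair over five hours is not. The minimum-distance guard matters in practice: GeoIP places two IPs in the same metro area at slightly different coordinates, and without it every office-to-home switch would look like travel.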
OAuth app governance. Review which third-party apps have OAuth consent grants in your tenant. Revoke anything that isn’t actively needed. Require admin approval for new OAuth grants (this is already possible in Entra but not configured in most small-firm tenants).
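An added example of the review step in Python, not code from the article: it scores a set of constructed oauth2PermissionGrant-style records by the delegated scopes they carry and by whether consent was granted tenant-wide (AllPrincipals), so the grants worth revoking float to the top of the list. The scope weights, app names, grant ids and client ids are assumptions for illustration; the permission names themselves are real Microsoft Graph delegated permissions.

```python
"""Triage OAuth consent grants by scope and consent breadth.

Added example, not the article's code. Records are constructed and shaped like
Microsoft Graph oauth2PermissionGrant objects; scope weights are assumptions.
"""

# Assumed weights for delegated Graph permissions that expose mail, files or calendars.
SCOPE_WEIGHTS = {
    "Mail.ReadWrite": 3, "Mail.Send": 3, "Files.ReadWrite.All": 3,
    "Directory.AccessAsUser.All": 3,
    "Mail.Read": 2, "Files.Read.All": 2, "MailboxSettings.ReadWrite": 2,
    "Calendars.ReadWrite": 1,
}
PERSISTENCE_SCOPE = "offline_access"  # refresh tokens: access outlives the browser session
TENANT_WIDE_WEIGHT = 2                # AllPrincipals = every user, no per-user consent

# Constructed service-principal names keyed by the grant's clientId (placeholder ids).
APP_NAMES = {
    "sp-ai-summarizer": "ai-summarizer (constructed)",
    "sp-calendar-widget": "calendar-widget (constructed)",
    "sp-intranet-sso": "intranet-sso (constructed)",
    "sp-pdf-converter": "pdf-converter (constructed)",
}

# Constructed grants; "scope" is the space-delimited string Graph returns.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-ai-summarizer", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-calendar-widget", "consentType": "Principal", "principalId": "user-a",
     "scope": "User.Read Calendars.ReadWrite"},
    {"id": "g3", "clientId": "sp-intranet-sso", "consentType": "Principal", "principalId": "user-b",
     "scope": "openid profile User.Read"},
    {"id": "g4", "clientId": "sp-pdf-converter", "consentType": "Principal", "principalId": "user-c",
     "scope": "offline_access Files.Read.All"},
]


def score_grant(grant: dict) -> tuple:
    """Return (risk score, reasons) for one consent grant."""
    score, reasons = 0, []
    scopes = (grant.get("scope") or "").split()
    for s in scopes:
        if s in SCOPE_WEIGHTS:
            score += SCOPE_WEIGHTS[s]
            reasons.append(f"{s} grants data access")
    if PERSISTENCE_SCOPE in scopes:
        score += 1
        reasons.append("offline_access: refresh token keeps access alive without re-authentication")
    if grant.get("consentType") == "AllPrincipals":
        score += TENANT_WIDE_WEIGHT
        reasons.append("tenant-wide consent (AllPrincipals) covers every user")
    return score, reasons


def triage(grants, app_names, review_threshold: int = 3) -> list:
    """Rank grants highest risk first; needs_review marks those at or above the threshold."""
    rows = []
    for g in grants:
        score, reasons = score_grant(g)
        rows.append({
            "grant_id": g["id"],
            "app": app_names.get(g["clientId"], f'unknown client {g["clientId"]}'),
            "consent_type": g.get("consentType"),
            "score": score,
            "needs_review": score >= review_threshold,
            "reasons": reasons,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS, APP_NAMES):
        flag = "REVIEW" if row["needs_review"] else "ok    "
        print(f'{flag} {row["score"]:>2} {row["consent_type"]:<13} {row["app"]}')
        for reason in row["reasons"]:
            print("         -", reason)
```

In a real tenant the grants come from the oauth2PermissionGrants collection and the names from servicePrincipals; the scoring above is the part that does not change. The offline_access reason is called out separately because it is what turns a one-off authorization into the persistent token the article describes.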
The gap between “we have MFA” and “we’re actually secure”
Five years ago, enabling MFA put you ahead of 90% of small professional services firms. That’s no longer true. MFA adoption is widespread enough that attackers have simply built around it. The firms getting compromised in 2026 almost all have MFA enabled. They just don’t have anything watching what happens after authentication.
If your security conversation still centers on passwords and MFA, it’s worth asking: what would happen if someone stole a valid session token from your most privileged user right now? Would anyone notice? How long would it take?
Those are worth answering before your next cyber insurance renewal asks them for you.