
Your Staff Clicked a Link. You Had MFA. You Still Got Breached. Here’s Why.

Multi-factor authentication was supposed to be the answer.

For years, the advice from every IT provider, insurer, and government agency was the same: turn on MFA and you'll stop the vast majority of attacks. And for a while, that was mostly true. Attackers moved on to easier targets.

That window has closed.

We are now working with a Christchurch healthcare practice that had MFA switched on across all their accounts. A staff member received an email, clicked a link, and within hours the breach had spread to multiple colleagues. It triggered a Privacy Commissioner notification, several days of disruption, and a very difficult conversation about their ACC contract.

Here is exactly what happened — and why MFA alone didn't stop it.

The email looked completely normal

The phishing email that started this wasn't full of spelling mistakes or Nigerian prince energy. It was a well-crafted, convincing message that looked like a routine notification from a platform the practice used. The kind of email you'd open on a busy Tuesday without a second thought.

The staff member clicked the link. It took them to a login page that looked identical to the real thing.

They entered their username and password.

Then — and this is the part that catches most people off guard — they completed the MFA prompt too.

How attackers bypass MFA in real time

What the staff member didn't know was that the fake login page wasn't just collecting their password. It was acting as a relay — passing their credentials straight through to the real service and harvesting the live session token that came back.

A session token is what keeps you logged in after you've authenticated. Once an attacker has it, they don't need your password. They don't need your MFA code. They have a live, authenticated session, and they can use it immediately — often before the legitimate user has even closed their browser tab.

This technique is called adversary-in-the-middle phishing, and it is now widely used against exactly the kinds of targets who thought MFA had them covered.

Why healthcare practices are being targeted

Healthcare practices hold some of the most sensitive personal information in existence — medical history, mental health records, ACC claim details. That data has real value. It can be used for identity fraud, insurance scams, or simply held for ransom.

Beyond the data itself, healthcare practices tend to be small enough to lack dedicated IT security resources, but large enough to hold substantial patient records and — critically — to depend on third-party contracts like ACC that create additional pressure when a breach occurs.

A practice that handles a breach badly, or that cannot demonstrate it had reasonable security controls in place, faces not just a Privacy Commissioner notification obligation but a real risk to its provider status. That is a very different kind of pressure to what most small businesses face.

What actually stops this kind of attack

When we onboarded this practice after the incident, we put in place the controls that would have broken the attack chain at multiple points:

Email filtering and anti-phishing protection would have assessed that phishing email before it reached the inbox. It would not have been delivered.

DNS filtering acts as a second line. Even if the email had arrived and been clicked, the connection to the fake login page would have been blocked before the page could load.

Identity threat detection and response (ITDR) with login monitoring watches for anomalous session behaviour — a login from an unexpected location, a session active in two places simultaneously, access patterns that don't match normal behaviour. An alert would have fired within minutes.

Endpoint detection and response (EDR) would have flagged the unusual activity on the affected device and triggered containment before the breach spread internally.

Staff security awareness training that specifically covers this technique — not just generic "don't click links" advice, but the specific mechanics of how MFA gets bypassed — changes how staff respond to login prompts that arrive unexpectedly.

No single one of these controls is sufficient on its own. That's the entire point. Layered security means an attacker has to defeat multiple independent systems, not just find one gap.
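As an added illustration of the login-monitoring layer described above (example code written for this post, not part of ITstuffed's tooling or any product), the script below runs two ITDR-style rules over a constructed sign-in log: a session token presented from two different IPs within a short window, and activity from outside the practice's usual country. The log schema (`SessionEvent`) is an assumption; real identity providers expose similar fields under different names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SessionEvent:
    ts: datetime          # when the session token was presented to the service
    user: str
    session_id: str       # identifier of the authenticated session (what the relay harvests)
    ip: str
    country: str          # geolocation of the source IP

# Constructed sample log (not real data). The staff member authenticates from the
# practice in NZ at 09:02; four minutes later the same session token is presented
# from an unfamiliar overseas IP, which is the footprint of a relayed login.
SAMPLE_EVENTS = [
    SessionEvent(datetime(2024, 5, 7, 9, 2), "nurse.a", "sess-1", "203.0.113.10", "NZ"),
    SessionEvent(datetime(2024, 5, 7, 9, 3), "nurse.a", "sess-1", "203.0.113.10", "NZ"),
    SessionEvent(datetime(2024, 5, 7, 9, 6), "nurse.a", "sess-1", "198.51.100.77", "DE"),
    SessionEvent(datetime(2024, 5, 7, 9, 10), "reception", "sess-2", "203.0.113.10", "NZ"),
]

def detect_session_anomalies(events, window=timedelta(minutes=30),
                             expected_countries=frozenset({"NZ"})):
    """Return a list of (rule, user, session_id) alerts, in log order.

    'unexpected-location': activity from outside the countries the practice works from.
    'concurrent-session':  one session token used from two different IPs within
                           `window`, i.e. the session is live in two places at once.
    """
    alerts = []
    last_seen = {}  # session_id -> (ip, ts) of the most recent event for that session
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.country not in expected_countries:
            alerts.append(("unexpected-location", ev.user, ev.session_id))
        prev = last_seen.get(ev.session_id)
        if prev and prev[0] != ev.ip and ev.ts - prev[1] <= window:
            alerts.append(("concurrent-session", ev.user, ev.session_id))
        last_seen[ev.session_id] = (ev.ip, ev.ts)
    return alerts

if __name__ == "__main__":
    for rule, user, sid in detect_session_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {rule}: user={user} session={sid}")
```

A production ITDR tool would deduplicate repeated hits on the same session and enrich the IP with ASN data, but the two conditions above are the ones that would have fired within minutes in the incident described.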

The question worth asking right now

If a staff member at your practice received a convincing email tomorrow and clicked a link — how many of those layers would catch it before it became a problem?

If you're not certain of the answer, that's worth finding out.

We offer a free 15-minute IT Fit Check for healthcare practices across Christchurch and wider NZ. No obligation, no sales pitch — just an honest conversation about where your current setup has gaps and what it would take to close them.

If this sounds familiar, let's talk →

ITstuffed is a Christchurch-based managed IT provider specialising in professional services firms, including healthcare practices. Our engineers have backgrounds in hospital and clinical environments — which shapes how we approach IT security for practices where the stakes are high.