When MFA Isn't Enough: The Phishing Attack That Steals Your Login After You've Already Signed In
Your staff member clicks a link, enters their credentials, approves the MFA prompt, and gets back to work. Somewhere else, an attacker has just walked into that same account. No alarm went off. No login failed. The session logs look completely normal.
This is how Adversary-in-the-Middle phishing works, and it is one of the more unsettling developments in cybersecurity for small professional services businesses right now. It does not steal passwords. It does not fail at the MFA prompt. It waits until the user has successfully logged in, then takes the authentication token that proves the login happened. At that point, whoever holds that token holds the account - no password, no MFA challenge required.
Multi-factor authentication is still essential. Any healthcare practice or law firm without it is carrying unnecessary risk. But MFA was designed to protect the moment of login. It was never designed to protect what comes after. Once a user completes authentication, the application issues a session cookie and trusts it from that point forward. An attacker who intercepts that cookie can import it into their own browser and pick up the session exactly where the legitimate user left off, inside a fully verified, fully trusted account.
The fake login page that makes this possible is not a rough copy of a Microsoft or Google login screen. It is a live proxy. The attacker's system sits between your staff member and the real service, passing everything through in real time. The page looks right, behaves correctly, and the MFA prompt works because it is real. The only giveaway is usually a slightly off URL, which is easy to miss on a phone screen or when someone is working quickly. Ready-made toolkits sold through criminal platforms have made this type of attack accessible to attackers with very little technical skill, and Microsoft has tracked a sharp increase in campaigns targeting Microsoft 365 accounts specifically.
What makes these attacks particularly damaging is how quietly the follow-on activity happens. Once inside, attackers commonly create hidden email rules to redirect messages, register additional MFA methods to maintain access, and monitor inboxes for financial conversations. By the time anything surfaces - a misdirected payment, a suspicious email to a client, an unusual account change - the attacker may have been present for days or weeks. Understanding the steps that reduce your exposure to a data breach is a useful starting point for thinking about what controls sit beyond login protection.
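The quiet follow-on activity described above is also what gives defenders something to look for. The following added example (not code from the original article or from IT Stuffed) runs a simple review over constructed, simplified audit events, flagging new inbox rules, newly registered MFA methods and sign-ins from an unseen address, and weighting changes made outside business hours; the operation names, field names and timestamps are assumptions for the example.

```python
import json
from datetime import datetime

# Constructed sample audit events in a simplified JSON-lines shape (not a real
# Microsoft 365 export); operation and field names are assumptions, and the
# timestamps are taken as local time.
SAMPLE_LOG = """
{"time":"2024-03-04T09:12:00","user":"a.smith@firm.example","op":"UserLoggedIn","ip":"203.0.113.10"}
{"time":"2024-03-04T09:14:30","user":"a.smith@firm.example","op":"UserLoggedIn","ip":"198.51.100.7"}
{"time":"2024-03-04T23:41:05","user":"a.smith@firm.example","op":"New-InboxRule","ip":"198.51.100.7"}
{"time":"2024-03-04T23:43:50","user":"a.smith@firm.example","op":"MfaMethodAdded","ip":"198.51.100.7"}
{"time":"2024-03-05T10:02:00","user":"b.jones@firm.example","op":"New-InboxRule","ip":"203.0.113.10"}
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; assumed for the example

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def outside_business_hours(timestamp):
    return datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS

def find_post_login_anomalies(events):
    """Return (user, op, reason) tuples for activity that deserves review."""
    findings = []
    seen_ips = {}  # addresses each user has already signed in from
    for e in sorted(events, key=lambda e: e["time"]):
        user, op, ip = e["user"], e["op"], e["ip"]
        reasons = []
        if op == "UserLoggedIn":
            ips = seen_ips.setdefault(user, set())
            # A second address minutes after a good login fits a replayed session
            if ips and ip not in ips:
                reasons.append("sign-in from a previously unseen IP address")
            ips.add(ip)
        elif op == "New-InboxRule":
            reasons.append("new inbox rule created")
        elif op == "MfaMethodAdded":
            reasons.append("additional MFA method registered")
        # Post-login account changes outside business hours are weighted higher
        if reasons and op != "UserLoggedIn" and outside_business_hours(e["time"]):
            reasons.append("outside business hours")
        findings.extend((user, op, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for finding in find_post_login_anomalies(parse_events(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```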
Reducing this risk means building controls that extend beyond the login screen. Phishing-resistant authentication methods, such as hardware security keys or passkeys, bind the login to the real domain and the specific device: the browser includes the site it is actually talking to in the data the key signs, so a proxy sitting in the middle cannot relay the response, and the authentication simply fails if the URL is not the legitimate one. Combined with conditional access policies that assess ongoing session behaviour rather than just the initial login, and active monitoring for post-login anomalies like new MFA registrations or inbox rules created outside business hours, the exposure shrinks considerably. This is exactly the kind of layered identity security that IT support for professional services firms is designed to put in place and keep current.
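To show why a relay fails against passkeys, here is an added, simplified model of the WebAuthn origin check (example code, not from the original article or any vendor): the browser writes the origin it is really on into the client data, the authenticator signs over that data plus the relying-party ID hash, and the service rejects any origin other than its own. An HMAC with a constructed key stands in for the device's asymmetric signature so the example runs offline; the relying-party ID, origins and challenge are assumptions.

```python
import hashlib
import hmac
import json

# HMAC with a constructed key stands in for the per-site asymmetric key a real
# passkey holds; the verification logic is the part being demonstrated.
KEY = b"constructed-demo-key"
RP_ID = "login.example"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example"

def authenticator_sign(origin, challenge):
    """Browser builds clientData with the origin it is actually on; the
    authenticator signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash only
    sig = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig

def relying_party_verify(client_data, auth_data, sig, challenge):
    """Simplified relying-party checks from the WebAuthn assertion procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"

def login_attempt(browser_origin):
    """Full flow: the authenticator signs whatever origin the browser reports."""
    challenge = "c0nstructed-challenge"
    client_data, auth_data, sig = authenticator_sign(browser_origin, challenge)
    return relying_party_verify(client_data, auth_data, sig, challenge)

def relay_with_origin_rewrite(relay_origin="https://login-example.test"):
    """A relay that edits clientData to hide its own origin breaks the signature."""
    challenge = "c0nstructed-challenge"
    client_data, auth_data, sig = authenticator_sign(relay_origin, challenge)
    cd = json.loads(client_data)
    cd["origin"] = EXPECTED_ORIGIN
    forged = json.dumps(cd, sort_keys=True).encode()
    return relying_party_verify(forged, auth_data, sig, challenge)
```

Passing the response through unchanged fails on the origin check, and rewriting the origin fails on the signature, which is the binding the passage refers to.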
Staff awareness matters too. An employee who understands that a working MFA prompt on an unfamiliar page is still a warning sign is more likely to pause and check the URL before completing the login. That instinct is worth building deliberately, not leaving to chance. AI-powered phishing attacks on business email accounts are making it harder than ever for staff to tell a genuine login page from a convincing fake.
For most Canterbury healthcare and legal businesses, the honest question is whether identity and session security has kept pace with how these attacks have evolved. The cyber security section of the ITstuffed site covers the broader controls that sit alongside MFA. For a practical review of where your current setup has gaps, ITstuffed offers a 15-minute IT Fit Check at itstuffed.co.nz/booking.
