Why MFA Alone Won't Keep Your Accounts Safe
You turned on multi-factor authentication. Your team gets the prompts, they tap approve, and you feel reasonably confident your accounts are protected. That confidence is mostly justified - but there is a gap most businesses have not thought about, and attackers are walking through it regularly.
MFA secures the login. It does not secure what happens after the login. Once you have signed in, your browser holds a small piece of data - a session token - that proves you are already authenticated. Think of it like a wristband at an event. The person on the door checked you in, but if someone steals your wristband later, they can walk straight past the door without being checked at all. That is session cookie hijacking in plain terms. The attacker is not cracking your MFA. They are skipping it entirely by reusing the proof that you already completed it.
This attack method has become more common because it scales well. One documented campaign targeted more than 10,000 organisations using what is called adversary-in-the-middle phishing - where a lookalike login page sits between the user and the real service, capturing both the password and the session token in real time. Everything appears to work normally. The MFA prompt fires, the user approves it, and the attacker walks away with the authenticated session. Microsoft has described this approach specifically and noted it is not a vulnerability in MFA itself. The MFA worked exactly as designed. The attacker just arrived after it was done.
Session tokens can also be stolen directly from a device if it has been compromised by malware. Once those tokens are extracted, they function like a copied key - the attacker can access the same applications and data as the legitimate user, without needing to log in again. For a law firm or healthcare practice holding sensitive client or patient records, that access could be significant before anyone notices anything is wrong. If you are unsure whether your devices are already at risk, it is worth learning the signs that a business device is carrying hidden malware.
What good security looks like in this area is not more complicated than MFA - it is more complete. Phishing-resistant authentication methods make the proxy login trap much harder to pull off. Keeping devices clean and well-managed reduces the risk of token theft from the endpoint itself. Tighter session controls on high-risk applications mean stolen tokens expire faster or trigger re-authentication. And monitoring that watches for unusual access patterns - a session appearing from an unexpected location or device - can catch a replay before real damage is done. These controls work together. None of them alone is the answer, but layered they close the gap that MFA on its own leaves open. For a broader view of the controls that matter most, a look at what cyber hygiene actually requires in 2025 is a useful reference point.
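As an added illustration of the monitoring control described above (example code, not from the original post or from IT Stuffed), here is a small Python check that binds each session to the device and location that completed MFA, then flags later uses of that session which do not match or which exceed a session-age policy. The log fields, the 8-hour policy and the sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Field names and log shape are constructed for this example; map them onto
# the sign-in and activity logs your identity provider actually exports.
@dataclass(frozen=True)
class Event:
    ts: int           # seconds since epoch
    user: str
    session_id: str   # an identifier for the session, never the token value itself
    ip: str
    user_agent: str
    kind: str         # "login" = MFA just completed; "access" = token presented later

MAX_SESSION_AGE = 8 * 3600  # assumed policy: high-risk apps re-authenticate after 8h

def analyse(events):
    """Bind each session to the context that completed MFA, then flag later uses
    that do not match it or that outlive the re-auth policy.
    Returns (session_id, alert_code, detail) tuples in time order."""
    origin_of = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            origin_of[e.session_id] = e       # the context MFA actually vouched for
            continue
        origin = origin_of.get(e.session_id)
        if origin is None:
            # token in use with no login on record: stolen from a device, or logs incomplete
            alerts.append((e.session_id, "unknown_session", f"{e.user} from {e.ip}"))
            continue
        if e.ip != origin.ip or e.user_agent != origin.user_agent:
            # the wristband moved to a different wrist; in production compare ASN/geo
            # rather than raw IP so mobile and VPN address churn does not drown you
            alerts.append((e.session_id, "context_mismatch",
                           f"{origin.ip} {origin.user_agent} -> {e.ip} {e.user_agent}"))
        if e.ts - origin.ts > MAX_SESSION_AGE:
            alerts.append((e.session_id, "stale_session", f"age {e.ts - origin.ts}s"))
    return alerts

# Constructed sample: Alice signs in with MFA and works normally, then her session
# reappears from different infrastructure (the replay); Bob's token has no login at all.
SAMPLE_EVENTS = [
    Event(1000, "alice", "sess-1", "203.0.113.10", "Firefox/125", "login"),
    Event(1300, "alice", "sess-1", "203.0.113.10", "Firefox/125", "access"),
    Event(1900, "alice", "sess-1", "198.51.100.7", "Chrome/124", "access"),
    Event(2000, "bob",   "sess-9", "192.0.2.44",   "Safari/17",   "access"),
    Event(1000 + 9 * 3600, "alice", "sess-1", "203.0.113.10", "Firefox/125", "access"),
]

if __name__ == "__main__":
    for sid, code, detail in analyse(SAMPLE_EVENTS):
        print(f"{code:17} {sid}: {detail}")
```

The first two sample events alone produce no alerts, which is the baseline a tuned rule should achieve before the mismatch and age checks are trusted in production.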
If your practice relies on MFA as the main line of defence for cloud applications, it is worth knowing whether the rest of those controls are actually in place. Most small professional services businesses have MFA switched on but have not thought through the session security layer around it. An IT support provider who understands this space can review your setup and tell you where you actually stand. For specific guidance on protecting against phishing and account compromise, the CERT NZ website is a practical NZ-specific resource worth bookmarking.
IT Stuffed ran a full systems cyber security audit for us, which was very eye-opening! They helped us implement the necessary changes and gave us some strategic advice on future steps. Daniel and the team are incredibly dedicated, great communicators and a real pleasure to deal with.
Ruby Williams
When faced with a cyber-attack a year ago we greatly appreciated the immediate and ongoing support we received from IT Stuffed. Happy to recommend this service.
Maggy Tai Rākena
ITstuffed works with professional services businesses across Canterbury. If you want a quick read on your current security setup, book a free 15-minute IT Fit Check and we can tell you whether your session security matches the strength of your login controls.
