Phishing and MFA exploitation: Unlocking the secrets to your digital stronghold

Apr 23, 2026 | Threat Intelligence Research

Attack Trends Targeting Multi-Factor Authentication in 2025

In 2025, attackers adapted their strategies to exploit weaknesses in multi-factor authentication workflows and to abuse compromised credentials, according to the research presented. The study highlights the evolving nature of phishing attacks, which increasingly leveraged the trust associated with initial breaches to launch further attacks within organizations.

Phishing attacks were involved in 40% of security incidents, maintaining their prevalence as initial access vectors. Attackers employed sophisticated cascaded phishing campaigns, using compromised accounts to create tailored lures directed at trusted partners and internal users. The design of phishing emails shifted from traditional spam to workflow-style communications, making them harder to identify as malicious. Keywords commonly used in these phishing attempts included “request,” “invoice,” and “report,” showing a trend towards targeting everyday business tasks that are familiar to potential victims. Campaigns also misused Microsoft 365 Direct Send, which allowed attackers to send internal emails that appeared legitimate without access to real accounts, bypassing the scrutiny typically applied to inbound external emails.

The research identified a notable surge in attacks targeting identity and access management applications, with nearly one-third of multi-factor authentication spray attacks focusing on these systems. Attackers exploited weaknesses in authentication workflows to gain access and maintain control over user privileges. Device compromise incidents saw a distressing increase of 178%, largely driven by voice phishing techniques aimed at tricking administrators into accepting malicious devices. The higher education sector in particular emerged as a significant target due to its diverse device ecosystem, coupled with potentially lax security protocols.

Defensive Context

Organizations using multi-factor authentication must remain vigilant against tailored phishing attacks that exploit initial compromises. Higher education and other sectors with diverse and unmanaged devices need to focus particularly on strengthening their identity and access controls. The study underscores the necessity of robust scrutiny for internal communications and adherence to strict device management policies.

Why This Matters

The shift towards cascaded phishing attacks and increased targeting of identity systems presents real-world risks for organizations, especially those in sectors like education where lax security protocols may exist. Companies with low scrutiny for internal communications could be more exposed to these sophisticated phishing techniques.

Defender Considerations

Organizations should prioritize monitoring for signs of phishing-related activity, especially lures that appear to originate internally. Implementing stricter verification for Direct Send and being cautious of managed devices could help reduce risks associated with compromised internal communications. While broad security measures are fundamental, tailoring defenses to specific environments and sectors is essential for effective threat mitigation.
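One way to triage lures that appear to originate internally, shown as an added example that is not part of the study or the original article. It assumes the `Authentication-Results` and `X-MS-Exchange-Organization-AuthAs` headers as stamped by Exchange Online, a placeholder internal domain `example.edu`, and two constructed sample messages; the function name `triage` and the reason labels are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.edu"}                 # assumption: your accepted domains
LURE_KEYWORDS = ("request", "invoice", "report")   # keywords named in the article

def triage(raw, internal=INTERNAL_DOMAINS):
    """Return reasons an internal-looking message needs review (empty list = none)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in internal:
        return []                                  # external senders are out of scope here
    reasons = []
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    verdicts = dict(re.findall(r"\b(spf|dmarc)=(\w+)", auth))
    failed = sorted(k for k, v in verdicts.items() if v != "pass")
    if failed:
        reasons.append("auth:" + ",".join(failed))
    # Exchange Online stamps unauthenticated submissions as Anonymous.
    if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "anonymous":
        reasons.append("authas:anonymous")
    subject = msg.get("Subject", "").lower()
    hits = [k for k in LURE_KEYWORDS if k in subject]
    if reasons and hits:                           # keywords only corroborate, never alert alone
        reasons.append("lure:" + ",".join(hits))
    return reasons

# Constructed sample messages (not taken from the study).
SPOOFED = """\
From: "IT Helpdesk" <helpdesk@example.edu>
To: staff@example.edu
Subject: Action required: invoice approval request
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.edu; dkim=none; dmarc=fail action=none header.from=example.edu
X-MS-Exchange-Organization-AuthAs: Anonymous

Please review the attached document.
"""
GENUINE = """\
From: Registrar <registrar@example.edu>
To: staff@example.edu
Subject: Enrollment report
Authentication-Results: spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu; dmarc=pass header.from=example.edu
X-MS-Exchange-Organization-AuthAs: Internal

Monthly figures attached.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, triage(raw))
```

The workflow keywords are used only to corroborate an authentication signal, since the same words appear in ordinary business mail.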

The study highlights evolving phishing tactics and their significant implications for organizational cybersecurity frameworks, which demand ongoing adaptation and vigilance.
