
MFA Isn’t Enough: Real Stories from the Frontlines

Cybersecurity is about minimizing risk. But as leaders, we need to ask ourselves the harder question: are we building systems that hold up when people make mistakes?

Because they will. According to the ICO, 44% of personal data breaches stem from human error. MFA, while critical, is just one control. And it’s not enough anymore. Attackers know how to get around it.

In this post, I want to share three incidents drawn from real stories and frontline experience. Some from our clients, others from industry-wide examples. Each one shows how good systems, and even good people, can be undermined.

We’ll be unpacking this further in our upcoming webinar, Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operation. Register here. If any of the examples below ring true, you’ll want to be there.

MFA Vulnerabilities and How Organisations Can Protect Themselves

Cybersecurity experts share common MFA pitfalls and practical advice for organisational adoption of phishing-resistant solutions in this webinar snippet.

Incident #1: Approving the Enemy

A senior exec working abroad starts getting Microsoft Authenticator popups on his phone. No idea why. Assuming it’s something syncing in the background, he clicks approve. Done.

Except earlier that week, he’d entered his login credentials into a phishing page.

That popup wasn’t from Microsoft. It was from the attacker.

The result? Business Email Compromise. The attacker gets in and sets up mail forwarding rules, watching every message the exec sends and receives. These attacks often sit quiet for weeks, waiting for the perfect moment to strike — a vendor payment, a finance request, a client intro.

What made the difference:

The FoxTech SOC flagged the anomaly. We blocked access and isolated the issue quickly. Our logs showed exactly what was accessed, what wasn’t, and which other accounts needed reviewing. What could have been a board-level incident became a Tuesday clean-up.

Lesson:

Most MFA isn’t phishing-resistant. For sensitive roles and admin accounts, we advise passkeys, hardware security keys, or Windows Hello for Business. And of course, having a capable partner watching your environment 24/7.
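The forwarding rules from Incident #1 are something you can hunt for in mailbox audit data. The following is an added example, not FoxTech's tooling: it flags inbox rules and mailbox settings that forward mail outside your own domains. The record layout is a simplified assumption modelled on Microsoft 365 audit records, and the sample events and domains are constructed.

```python
import re

# Parameters that make Exchange send copies of mail to another address.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def is_internal(domain, internal_domains):
    """True for an owned domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_forwards(events, internal_domains):
    """Return (user, operation, address) for every forward to an outside domain."""
    internal = [d.lower() for d in internal_domains]
    findings = []
    for event in events:
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        for param in event.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            # A value can hold several recipients, with or without "smtp:".
            for match in ADDRESS_RE.finditer(param.get("Value", "")):
                if not is_internal(match.group(1).lower(), internal):
                    findings.append((event.get("UserId"), event["Operation"],
                                     match.group(0).lower()))
    return findings


# Constructed sample records, not real logs; all domains are placeholders.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "exec@corp.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "smtp:drop@mail.example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "pa@corp.example",
     "Parameters": [{"Name": "RedirectTo", "Value": "exec@eu.corp.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "finance@corp.example",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:ap@corp.example;smtp:copy@other.example.org"}]},
    {"Operation": "MailItemsAccessed", "UserId": "exec@corp.example",
     "Parameters": []},
]

if __name__ == "__main__":
    for user, op, address in external_forwards(SAMPLE_EVENTS, ["corp.example"]):
        print(f"{user}: {op} forwards to external address {address}")
```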

Incident #2: The Spreadsheet That Slipped Through

During a routine penetration test, we found something unexpected: a spreadsheet containing the client’s entire customer list had been accidentally saved into a deployed web app.

One misplaced file in a dev project. That’s all it took.

Anyone who stumbled across that file could have downloaded the full customer list. Data of this nature, exposed, could have created a major reputational risk. If clients started questioning how their data was handled, the fallout could extend far beyond this one incident.

What did we do?

We notified the client, confirmed whether the file had been accessed, and helped them secure the environment.

Lesson:

Even trusted staff make mistakes. That’s why we test. That’s why we monitor. As Ronald Reagan said: “Trust, but Verify.”

Incident #3: OAuth Trickery and a Call from “IT”

Here’s how it works: an attacker impersonating IT support calls an employee. “We need you to check something in your Salesforce settings.” The employee, trying to be helpful, follows instructions and unknowingly installs a rogue connected app.

That app? It’s got access to sensitive data. Just like that, the attacker is inside. No breach. No brute force. Just a well-placed voice call and a few clicks.

This exact method was used by UNC6040, a threat actor Google has tracked across several high-profile breaches. Companies like Google, Cloudflare and others have been affected through supply chain vendors. Once attackers are in, they wait. Months later, they extort the business: pay in Bitcoin within 72 hours or risk public exposure.

What’s the fix?

Harden your cloud apps. Lock down app permissions. Train your team so they know not to approve unknown apps or follow unsolicited IT instructions. And critically, have monitoring in place so you know what was accessed in the event of a breach.

Lesson:

If attackers can’t break MFA, they’ll just ask your staff to let them in. Awareness training and cloud security posture reviews are must-haves, not nice-to-haves.


giles.atkinson
