Good ol’ MFA. It’s the bane of existence for people who want to log in quickly. For cybersecurity professionals, however, MFA has long been a source of reassurance. But some of that confidence is beginning to fade.
For years, organizations have treated multi-factor authentication as the gold standard of access security. But attackers have found ways around it, and the data shows this is no longer an outlier threat. Verizon’s 2026 Data Breach Investigations Report identifies authentication bypass through stolen session tokens and OAuth abuse as one of the year’s top trends. The Guardz 2026 MSP Threat Report reinforces that finding, reporting a 23 percent increase in session hijacking incidents and a staggering 2,000 percent spike in Google Workspace OAuth abuse. The attack has evolved — and so must defenses.
Why attackers are targeting sessions instead of passwords
“The first thing to understand is that attackers are changing their objective,” Trevor Horwitz, CISO and founder of TrustNet, tells SmarterMSP.com.
“Historically, the goal was to steal usernames and passwords. Today, we’re increasingly seeing attackers target authenticated sessions instead. If they can steal a valid session token, they may not need your password or even your multi-factor authentication code because they’re taking over an authenticated session.”
Renze Jongman, CEO of Liberty91 and a former member of Europol’s J-CAT, explains how it works.
“With token theft, the victim logs in properly and passes 2FA. Then an infostealer like RedLine steals the session cookie from their browser, or an adversary-in-the-middle kit like Evilginx or Tycoon sits in front of the real login page and captures the token while they type.”
The attacker doesn’t crack anything, he says.
“They just import that cookie and pick up the session exactly where the victim left off, and MFA is already satisfied at that point.”
How stolen sessions are exploited
Ran Geva, CEO of Webz.io, a dark web intelligence firm, describes how quickly stolen session data can be weaponized. Infostealers such as Lumma, RedLine, Vidar, and StealC extract browser cookies, session databases, and saved credentials. They target Chrome, Edge, Firefox, and other Chromium-based browsers. Attackers can exploit stolen data within minutes of stealing it.
“We do know of cases where attackers abused high-profile companies’ session data within minutes of the log file being uploaded,” Geva says. He also warns that changing a password after a compromise doesn’t necessarily eliminate the threat. “Even if you changed the passwords and even if you utilize MFA, the fact that the hacker has your session cookie means that they can enter as you to the service using this cookie.”
OAuth abuse creates a second path to compromise. Jongman explains: “The victim is tricked into granting a malicious app access to their account. They put up a fake website and have them ‘log in with Google,’ and the attacker can then use that token to access the account without needing to log in at all.”
In both scenarios, attackers inherit the victim’s permissions, allowing them to read email, send messages, and access trusted services.
Why MFA alone is no longer enough
Horwitz says this shift creates a major challenge for MSPs.
“MFA does an excellent job of verifying identity at the point of login, but it doesn’t necessarily protect what happens after authentication. Once users establish a session, organizations must protect that session just as carefully as they protect credentials.”
The attack vectors are often deceptively ordinary. “Phishing, malicious browser extensions, endpoint malware, and users unknowingly granting excessive permissions to third-party OAuth applications all play a role. Rather than breaking authentication, attackers exploit trust that users and systems have already established.”
Organizations can no longer treat authentication as a one-time event.
Building a layered defense against session hijacking
All three experts agree that defending against session hijacking requires a layered approach.
Geva points to session lifetime management as one of the most overlooked controls. “The most protected solutions are those that invalidate cookies after a few minutes of inactivity,” he says. These controls reduce the chances attackers can exploit stolen session data.
Geva also recommends monitoring employee credentials against dark web and infostealer data sources. If an account appears in a stealer log, organizations should do more than reset passwords. “That will require a complete clean-up — not just a wipe of the machine, but a reset of every single password that person has, anywhere, because all of them are likely compromised at that point.”
Strengthening endpoint and OAuth defenses
Jongman emphasizes endpoint security and user hygiene. “Not getting infostealers on your machine is the single most important thing — prevention and cyber hygiene.” He also advises against storing passwords in browsers. “If it isn’t there, you can’t steal it. Use a password manager instead.”
To reduce OAuth abuse, Jongman recommends restricting third-party app consent in Microsoft 365 and Google Workspace to an administrator-approved allowlist.
“Locking third-party app consent in Workspace and M365 down to an admin allowlist kills most of the OAuth abuse in one move.” He also points to passkeys and device-bound sessions as another layer of protection. “Passkeys with device-bound sessions make a stolen cookie worthless off the original machine.”
Continuous verification is the future of authentication
Horwitz rounds out the defensive strategy with tighter OAuth controls, regular reviews of third-party application access, conditional access policies, and monitoring for suspicious session activity.
Organizations should watch for impossible travel, device changes, and unusual access patterns. They can further limit attackers’ opportunities by shortening session lifetimes and continuously validating sessions. “We can no longer think of authentication as a single event that happens at login,” Horwitz says. “Modern security requires continuous verification throughout the lifetime of a session. As attackers increasingly target authenticated sessions instead of passwords, organizations must shift their focus from credential protection to securing the entire identity lifecycle.”
Tools such as Barracuda XDR can help MSPs put continuous monitoring into practice. They provide around-the-clock detection of anomalous session behavior, including impossible travel, device changes, and unusual access patterns. These signals can help identify compromised tokens before significant damage occurs.
Photo: New Africa / Shutterstock
