
MFA Isn’t Enough: Real Stories from the Frontlines

Cybersecurity is about minimizing risk. But as leaders, we need to ask ourselves the harder question: are we building systems that hold up when people make mistakes?

Because they will. According to the ICO, 44% of personal data breaches stem from human error. MFA, while critical, is just one control. And it’s not enough anymore. Attackers know how to get around it.

In this post, I want to share three incidents drawn from real stories and frontline experience. Some from our clients, others from industry-wide examples. Each one shows how good systems, and even good people, can be undermined.

We unpacked this further in our previous webinar, Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operation. Watch the replay here. If any of the examples below ring true, you won’t want to miss it.

Want to see where your vulnerabilities might be hiding?

Join our free Webinar on 23rd September

Incident #1: Approving the Enemy

A senior exec working abroad starts getting Microsoft Authenticator popups on his phone. No idea why. Assuming it’s something syncing in the background, he clicks approve. Done.

Except earlier that week, he’d entered his login credentials into a phishing page.

That popup wasn’t from Microsoft. It was from the attacker.

The result? Business Email Compromise. The attacker gets in and sets up mail forwarding rules, watching every message the exec sends and receives. These attacks often sit quiet for weeks, waiting for the perfect moment to strike — a vendor payment, a finance request, a client intro.

What made the difference:

The FoxTech SOC flagged the anomaly. We blocked access and isolated the issue quickly. Our logs showed exactly what was accessed, what wasn’t, and which other accounts needed reviewing. What could have been a board-level incident became a Tuesday clean-up.
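The forwarding-rule pattern described above is one of the most reliable signals of a compromised mailbox. The following is an added example, not FoxTech’s SOC tooling or code from this post: it scans constructed, simplified audit records (loosely shaped like Exchange Online audit events; the exact field layout is an assumption) and flags any rule or mailbox change that forwards mail outside the tenant’s own domain.

```python
import json

# Constructed sample log, one JSON record per line. Field names are an
# assumption for this example, not a verbatim Microsoft 365 schema.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"Operation": "New-InboxRule", "UserId": "exec@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "billing-archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Name", "Value": "Team"},
                    {"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"Operation": "Set-Mailbox", "UserId": "exec@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:exec.backup@mail-example.net"}]},
    {"Operation": "MailItemsAccessed", "UserId": "exec@example.com", "ClientIP": "203.0.113.7",
     "Parameters": []},
])

INTERNAL_DOMAINS = {"example.com"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"]
# Parameters an attacker sets so the victim never sees the forwarded mail.
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

def _domain(address):
    addr = address.split(":", 1)[-1]  # strip an "smtp:" prefix if present
    return addr.rsplit("@", 1)[-1].lower()

def find_external_forwarding(audit_log, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per event that forwards mail to a domain outside the tenant."""
    findings = []
    for line in audit_log.splitlines():
        event = json.loads(line)
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        targets = [params[k] for k in FORWARD_PARAMS if k in params]
        external = [t for t in targets if _domain(t) not in internal_domains]
        if not external:
            continue
        findings.append({
            "user": event["UserId"],
            "client_ip": event.get("ClientIP"),
            "operation": event["Operation"],
            "external_targets": external,
            "hides_evidence": any(k in params for k in HIDE_PARAMS),
        })
    return findings

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(finding)
```

Running it flags only the exec’s two changes: the inbox rule that forwards to an external domain and deletes the original, and the mailbox-level forwarding address; the CFO’s internal rule is left alone.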

Lesson:

Most MFA isn’t phishing-resistant. For sensitive roles and admin accounts, we advise passkeys, hardware security keys, or Windows Hello for Business. And of course, having a capable partner watching your environment 24/7.

Incident #2: The Spreadsheet That Slipped Through

During a routine penetration test, we found something unexpected: a spreadsheet containing the client’s entire customer list had been accidentally saved into a deployed web app.

One misplaced file in a dev project. That’s all it took.

Anyone who stumbled across that file could have downloaded the full customer list. Data of this nature, exposed, could have created a major reputational risk. If clients started questioning how their data was handled, the fallout could extend far beyond this one incident.

What did we do?

We notified the client, confirmed whether the file had been accessed, and helped them secure the environment.

Lesson:

Even trusted staff make mistakes. That’s why we test. That’s why we monitor. As Ronald Reagan said: “Trust, but Verify.”

Incident #3: OAuth Trickery and a Call from “IT”

Here’s how it works: an attacker impersonating IT support calls an employee. “We need you to check something in your Salesforce settings.” The employee, trying to be helpful, follows instructions and unknowingly installs a rogue connected app.

That app? It’s got access to sensitive data. Just like that, the attacker is inside. No breach. No brute force. Just a well-placed voice call and a few clicks.

This exact method was used by UNC6040, a threat actor Google has tracked across several high-profile breaches. Companies like Google, Cloudflare and others have been affected through supply chain vendors. Once attackers are in, they wait. Months later, they extort the business: pay in Bitcoin within 72 hours or risk public exposure.

What’s the fix?

Harden your cloud apps. Lock down app permissions. Train your team so they know not to approve unknown apps or follow unsolicited IT instructions. And critically, have monitoring in place so you know what was accessed in the event of a breach.

Lesson:

If attackers can’t break MFA, they’ll just ask your staff to let them in. Awareness training and cloud security posture reviews are must-haves, not nice-to-haves.

Curious about your firm’s weak spots?

Take the 60-second Cyber Risk Test


Join our webinar, Hiding in Plain Sight: The Cyber Risks Built Into Your Daily Operation. A panel of four CISOs will cover their recent experiences tackling insider risk, navigating zero-day threats, and building security strategies that don’t fall apart when people slip up.

Reserve Your Spot Now

Let’s uncover the risks you can’t see yet.

Want to find out more about hidden cyber gaps?

Read our listicle where we cover 5 hidden gaps in mid-sized firms