Multi-factor authentication stops most attacks that rely on a stolen or guessed password, and it makes basic account takeover much harder. Turning it on was the right call. The mistake is treating it as the finish line.

MFA protects the moment of sign-in. It does very little to protect what happens after a user has successfully logged in. And that gap is exactly where a growing class of attacks now operates.

What this actually looks like

When you sign in to a web app, the site needs a way to remember that you have already proved who you are. So your browser holds a session token, often stored as a cookie. Think of it as a wristband at an event. Once you have been checked at the gate, the wristband proves you belong inside, and nobody asks again.

Session cookie hijacking is when an attacker steals that wristband. They are not beating your MFA prompt. They are skipping it, by replaying a session you already authenticated. There are three common ways this happens.

  • Adversary-in-the-middle phishing. You think you are signing in to a normal service, but the page in front of you is a lookalike that proxies the real site in real time. Everything appears to work, including the MFA prompt, because it is the genuine prompt relayed through the attacker, and the session cookie the real site sets once you pass it is captured on the way through. Microsoft has tracked campaigns of this type that attempted to target more than 10,000 organisations.
  • Browser-in-the-middle attacks. Here the victim is steered into a remote view of a browser the attacker controls, so the whole login, MFA included, happens inside the attacker's session rather than the victim's. As Google's threat intelligence team puts it, stealing the session token is the equivalent of stealing the authenticated session, and at that point the attacker no longer needs to pass the MFA challenge.
  • Cookie theft straight off the device. No proxy required. If a laptop is compromised by infostealer malware, the session tokens (and usually the saved passwords next to them) are pulled from the browser's cookie store and reused from the attacker's machine.
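The wristband analogy is exact at the protocol level: a session cookie is a bearer token, and the server checks that it issued the cookie, not who is presenting it. The following Python model, added here as an illustration rather than code from the original post, mints a signed cookie the way many web frameworks do and then shows the asymmetry that matters. Tampering with the cookie fails (the signature catches it) while replaying it unchanged from another machine succeeds, with no second MFA prompt. The signing key, claim names and the two "machines" are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key. Constructed for this example only.
SERVER_SECRET = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_cookie(user: str, mfa_passed: bool) -> str:
    """Mint a signed session cookie after a login that cleared MFA.

    The 'payload.signature' shape mirrors what many web frameworks do: the
    server can later prove it issued the cookie and that nobody altered it.
    """
    claims = {"sub": user, "mfa": mfa_passed,
              "sid": secrets.token_hex(8), "iat": int(time.time())}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def authorize(cookie: str) -> Optional[dict]:
    """Return the session claims if the signature checks out, else None.

    Note what is NOT checked: who is presenting the cookie. Any client that
    holds these bytes is treated as the user who completed MFA.
    """
    try:
        body, sig = cookie.encode().split(b".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def demo() -> dict:
    """Forgery fails, replay succeeds: integrity checks do not stop hijacking."""
    # 1. The victim signs in and completes MFA; the browser stores the cookie.
    victim_cookie = issue_cookie("alice@example.com", mfa_passed=True)

    # 2. An attacker who only knows the format tries to mint a cookie for the
    #    same account by editing the claims and keeping the old signature.
    body, sig = victim_cookie.split(".", 1)
    claims = json.loads(_unb64(body.encode()))
    claims["sub"] = "attacker@example.net"
    forged = _b64(json.dumps(claims, separators=(",", ":")).encode()).decode() + "." + sig
    forged_ok = authorize(forged) is not None

    # 3. The attacker instead replays the victim's cookie unchanged, from a
    #    different machine. The server cannot tell the difference and sees a
    #    session that already passed MFA, so no second prompt is raised.
    replayed = authorize(victim_cookie)

    return {
        "forged_accepted": forged_ok,
        "replay_accepted": replayed is not None and replayed["mfa"] is True,
        "replayed_user": replayed["sub"] if replayed else None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the gap between integrity and possession: a correctly signed cookie tells the server the cookie is genuine, and nothing more. Everything in the "what actually works" section below is about closing that gap by checking something besides the cookie itself.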

Why this matters

Once a valid session token is stolen, the attacker can reach the same apps and data as if they were sitting at your keyboard, and often without triggering another sign-in challenge.

For a small or medium business, that usually means a quiet takeover of a Microsoft 365 mailbox or a finance system. No password reset, no failed login alerts, no obvious sign that anything is wrong, until invoices start getting redirected or staff report odd messages. The Australian Signals Directorate flags this same pattern. Identity is now the front line, and the ASD Essential Eight treats sign-in alone as insufficient: its higher maturity levels specifically call for phishing-resistant MFA.

What actually works

No single product fixes this, so the practical response is a few controls that work together.

  • Make phishing harder to pull off. Move toward phishing-resistant sign-ins such as passkeys or hardware security keys for staff with access to sensitive systems. These resist the adversary-in-the-middle trick that ordinary code-based MFA does not, because the credential is bound to the real site's web origin: a lookalike domain gets a signature the genuine site will not accept, so there is nothing useful for the attacker to relay.
  • Treat device health as part of identity. A session should only be trusted from a known, compliant device, meaning one enrolled in management and meeting policy (patched, disk encrypted, endpoint protection running). If the laptop is not managed and healthy, the session does not get the keys to the kingdom.
  • Tighten session behaviour for high-risk access. Shorter session lifetimes, re-authentication for sensitive actions, and conditional access rules all shrink the window an attacker has to reuse a stolen token, and revoking sessions the moment a compromise is suspected closes it.
  • Watch for suspicious access patterns. A sign-in from an unusual location, an impossible travel time between two sign-ins, a new device, or a session token that suddenly turns up from a different IP address or browser are all signals that a session may be getting replayed. Detection that catches this early turns a silent breach into a contained incident.
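The second and third controls above (device-bound sessions, lifetimes, step-up re-authentication and revocation) come down to what the server checks on every request beyond "is this token valid". The Python below is an added example, not code from the original post or from any vendor product, showing one server-side session policy that enforces them together. The timeouts, the action names, and the idea that a device identifier arrives with each request (in practice from a device-bound credential or an MDM compliance signal) are assumptions of the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Policy knobs (assumed values for the example; tune per application).
IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap on session age regardless of activity
STEP_UP_MAX_AGE = 5 * 60        # sensitive actions need an MFA proof this fresh
SENSITIVE_ACTIONS = {"change_payee", "export_mailbox", "add_mfa_method"}


@dataclass
class Session:
    user: str
    device_id: str      # device that completed MFA (assumed: device-bound credential or MDM attestation)
    created: float
    last_seen: float
    last_mfa: float


class SessionPolicy:
    """Server-side session validation that checks more than 'is the token valid'."""

    def __init__(self, compliant_devices: Iterable[str], now: Callable[[], float] = time.time):
        self.compliant = set(compliant_devices)   # devices management currently reports as healthy
        self.now = now
        self.sessions: Dict[str, Session] = {}

    def login(self, token: str, user: str, device_id: str, mfa_passed: bool) -> bool:
        """Only an MFA-backed login from a compliant device gets a session at all."""
        if not mfa_passed or device_id not in self.compliant:
            return False
        t = self.now()
        self.sessions[token] = Session(user, device_id, t, t, t)
        return True

    def authorize(self, token: str, device_id: str, action: str) -> str:
        s = self.sessions.get(token)
        if s is None:
            return "deny:unknown_session"
        t = self.now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return "deny:expired"
        if device_id != s.device_id:
            # Token presented from a device other than the one that did MFA: treat
            # it as stolen and revoke, so the real user is pushed back to sign-in.
            del self.sessions[token]
            return "deny:device_mismatch"
        if s.device_id not in self.compliant:
            return "deny:device_noncompliant"   # device fell out of compliance mid-session
        if action in SENSITIVE_ACTIONS and t - s.last_mfa > STEP_UP_MAX_AGE:
            return "step_up_required"           # fresh MFA before the risky action
        s.last_seen = t
        return "allow"

    def record_step_up(self, token: str) -> None:
        s = self.sessions.get(token)
        if s is not None:
            s.last_mfa = self.now()

    def mark_noncompliant(self, device_id: str) -> None:
        self.compliant.discard(device_id)


def demo() -> dict:
    clock = [1_700_000_000.0]                       # fake clock for a deterministic walk-through
    policy = SessionPolicy(compliant_devices={"laptop-alice"}, now=lambda: clock[0])
    out = {}

    out["unmanaged_login"] = policy.login("t0", "alice", "laptop-unknown", mfa_passed=True)
    policy.login("t1", "alice", "laptop-alice", mfa_passed=True)
    out["read_mail"] = policy.authorize("t1", "laptop-alice", "read_mail")

    clock[0] += 10 * 60                             # ten minutes on, a payee change needs fresh MFA
    out["payee_before_step_up"] = policy.authorize("t1", "laptop-alice", "change_payee")
    policy.record_step_up("t1")
    out["payee_after_step_up"] = policy.authorize("t1", "laptop-alice", "change_payee")

    # Stolen token replayed from the attacker's box: denied, and the session is
    # revoked, so the victim's next request is refused too and they re-authenticate.
    out["replay_from_attacker"] = policy.authorize("t1", "vps-attacker", "read_mail")
    out["victim_after_revoke"] = policy.authorize("t1", "laptop-alice", "read_mail")

    # A session that simply goes idle past the timeout expires on its own.
    policy.login("t2", "alice", "laptop-alice", mfa_passed=True)
    clock[0] += IDLE_TIMEOUT + 1
    out["idle_expired"] = policy.authorize("t2", "laptop-alice", "read_mail")

    # A device that drops out of compliance loses its live session as well.
    policy.login("t3", "alice", "laptop-alice", mfa_passed=True)
    policy.mark_noncompliant("laptop-alice")
    out["noncompliant_mid_session"] = policy.authorize("t3", "laptop-alice", "read_mail")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design choice worth copying is the revoke-on-mismatch step: a token seen from the wrong device is evidence of theft, not a client quirk, so the right response is to kill the session and force a fresh, phishing-resistant sign-in rather than silently denying the single request.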

This lines up neatly with the frameworks Australian SMBs are already being asked about, including the ASD Essential Eight and the SMB1001 cyber security standard. The point is balance. MFA stays as a strong baseline, and the protections around the session do the work MFA was never designed to do.
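The monitoring control in the list above is concrete enough to show as code. The following Python, an added example rather than anything from the original post or from a specific product, runs three checks over a constructed batch of sign-in events: impossible travel since the user's previous event, a device the user has never been seen on, and a session identifier now being presented from a different IP than the one it was issued to. The event fields, the sample data and the 900 km/h threshold are assumptions of the example; a real identity provider's sign-in log carries equivalent fields under its own names.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

MAX_SPEED_KMH = 900.0   # faster than an airliner between two events counts as impossible travel


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample of sign-in / activity events (not real data). The third
# event is the replay: same session id, new IP, new browser, other side of the world.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:00:00Z", "user": "alice", "session": "S-A1", "ip": "203.0.113.10",
     "device": "Edge/Windows", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"ts": "2025-03-04T09:12:00Z", "user": "alice", "session": "S-A1", "ip": "203.0.113.10",
     "device": "Edge/Windows", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"ts": "2025-03-04T09:20:00Z", "user": "alice", "session": "S-A1", "ip": "198.51.100.77",
     "device": "Chrome/Linux", "city": "Frankfurt", "lat": 50.11, "lon": 8.68},
    {"ts": "2025-03-04T09:40:00Z", "user": "bob", "session": "S-B1", "ip": "203.0.113.22",
     "device": "Edge/Windows", "city": "Melbourne", "lat": -37.81, "lon": 144.96},
    {"ts": "2025-03-04T10:05:00Z", "user": "bob", "session": "S-B1", "ip": "203.0.113.22",
     "device": "Edge/Windows", "city": "Melbourne", "lat": -37.81, "lon": 144.96},
]


def detect_replay(events: List[dict]) -> List[Tuple[str, str, Set[str]]]:
    """Return (timestamp, user, reasons) for every event that looks like a replayed session.

    Baselines (known devices, the IP a session was issued to) are seeded from
    each user's first event here; in production they come from weeks of history.
    """
    last_seen: Dict[str, dict] = {}              # user -> previous event
    known_devices: Dict[str, Set[str]] = {}      # user -> devices seen so far
    session_ip: Dict[str, str] = {}              # session id -> IP it was first seen from
    findings = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        reasons: Set[str] = set()
        prev = last_seen.get(ev["user"])
        if prev is not None:
            # Floor the interval at one second so two events in the same second
            # with different locations still register as impossible travel.
            hours = max((_ts(ev["ts"]) - _ts(prev["ts"])).total_seconds() / 3600, 1 / 3600)
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if dist / hours > MAX_SPEED_KMH:
                reasons.add("impossible_travel")
            if ev["device"] not in known_devices[ev["user"]]:
                reasons.add("new_device")
        if ev["session"] in session_ip and session_ip[ev["session"]] != ev["ip"]:
            reasons.add("session_reused_from_new_ip")
        last_seen[ev["user"]] = ev
        known_devices.setdefault(ev["user"], set()).add(ev["device"])
        session_ip.setdefault(ev["session"], ev["ip"])
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in detect_replay(SAMPLE_EVENTS):
        print(f"{ts} {user}: {', '.join(sorted(reasons))}")
```

The three signals are deliberately evaluated together: a new browser on its own is common, a new IP on its own is common, but all three landing on the same session id within minutes of normal activity is the signature of a stolen cookie being used from the attacker's machine, and is the point at which the session should be revoked rather than merely logged.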

Where Agile IT fits

This is the kind of layered identity and email protection we build through AgileSECURE. We configure phishing-resistant authentication, device-based conditional access, sensible session policies, and monitoring that flags suspicious access, all mapped to the ASD Essential Eight and SMB1001 so you can show where you stand. It works alongside AgileMANAGED, where keeping devices patched, managed and healthy is part of the day-to-day, because a trusted session depends on a trusted device.

The takeaway: MFA protects the login. It does not protect the session that comes after it. If you are not sure how exposed your sign-ins are right now, start with a conversation. We work with the business first, technology second.