← All stories

Cisco Talos Intelligence

Phishing and MFA exploitation: Targeting the keys to the kingdom

Kri Dontje · 2026-04-21 · Read original ↗

ATT&CK techniques detected

15 predictions

T1566.002Spearphishing Link

98%

"changeable formats or poorly - rendered templates, leading to a lowered guard toward spotting malicious intent. attackers were likely aiming to steal credentials, payment information, or mfa tokens via fake single sign - on ( sso ) pages. in reviews of thousands of blocked - emai…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1621Multi-Factor Authentication Request Generation

89%

"inside the organization, without compromising real accounts, to target key attack services and deliver high - impact damage. mfa and identity attacks identity and access management ( iam ) applications have grown popular with organizations hoping to consolidate user privileges. u…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1621Multi-Factor Authentication Request Generation

84%

"poorly patched and managed operating systems · necessarily low new - device verification policies · large, public - facing directories for targeted phishing higher education was a very unfavorable target for mfa spray attacks, however. passwords and mfa are also highly varied and…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1621Multi-Factor Authentication Request Generation

79%

"phishing and mfa exploitation : targeting the keys to the kingdom in 2025, attackers increasingly targeted weaknesses in multi - factor authentication ( mfa ) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. the trend…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1621Multi-Factor Authentication Request Generation

78%

", good password hygiene, and conditional access. device compromise works best on variable networks where devices change over fast and mfa use is spotty. work on establishing better device hardening and management, session controls, and strict phishing - resistant mfa with enrollm…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1110.003Password Spraying

67%

"inside the organization, without compromising real accounts, to target key attack services and deliver high - impact damage. mfa and identity attacks identity and access management ( iam ) applications have grown popular with organizations hoping to consolidate user privileges. u…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1111Multi-Factor Authentication Interception

61%

"inside the organization, without compromising real accounts, to target key attack services and deliver high - impact damage. mfa and identity attacks identity and access management ( iam ) applications have grown popular with organizations hoping to consolidate user privileges. u…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.002Spearphishing Link

57%

"phishing and mfa exploitation : targeting the keys to the kingdom in 2025, attackers increasingly targeted weaknesses in multi - factor authentication ( mfa ) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. the trend…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1556.006Multi-Factor Authentication

55%

", good password hygiene, and conditional access. device compromise works best on variable networks where devices change over fast and mfa use is spotty. work on establishing better device hardening and management, session controls, and strict phishing - resistant mfa with enrollm…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1111Multi-Factor Authentication Interception

53%

", good password hygiene, and conditional access. device compromise works best on variable networks where devices change over fast and mfa use is spotty. work on establishing better device hardening and management, session controls, and strict phishing - resistant mfa with enrollm…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1556.006Multi-Factor Authentication

49%

"inside the organization, without compromising real accounts, to target key attack services and deliver high - impact damage. mfa and identity attacks identity and access management ( iam ) applications have grown popular with organizations hoping to consolidate user privileges. u…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1586.002Email Accounts

44%

"phishing and mfa exploitation : targeting the keys to the kingdom in 2025, attackers increasingly targeted weaknesses in multi - factor authentication ( mfa ) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. the trend…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1534Internal Spearphishing

43%

"phishing and mfa exploitation : targeting the keys to the kingdom in 2025, attackers increasingly targeted weaknesses in multi - factor authentication ( mfa ) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. the trend…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566Phishing

38%

"changeable formats or poorly - rendered templates, leading to a lowered guard toward spotting malicious intent. attackers were likely aiming to steal credentials, payment information, or mfa tokens via fake single sign - on ( sso ) pages. in reviews of thousands of blocked - emai…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1566.003Spearphishing via Service

31%

"phishing and mfa exploitation : targeting the keys to the kingdom in 2025, attackers increasingly targeted weaknesses in multi - factor authentication ( mfa ) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. the trend…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

In 2025, attackers increasingly targeted weaknesses in multi-factor authentication (MFA) workflows, and phishing attacks leveraged valid, compromised credentials to launch lures from trusted accounts. The trends focused entirely on trust, or the lack thereof, in everyday business operations.