The new baseline isn't a code on your phone.
Why MFA isn't enough in 2026
The attacks that defeat SMS and authenticator MFA are mainstream now. Here's what to deploy instead.
The world has moved on from “just turn on MFA”
For most of the last decade, the standard cyber security advice for small businesses was simple: enable Multi-Factor Authentication and you’ve solved 99% of account takeovers. In 2026 that advice is officially out of date. Attackers now run automated kits — sold for a few hundred dollars on Telegram — that defeat SMS codes and basic authenticator-app prompts in real time.
This isn’t theoretical. Letsma sees these attacks weekly against Surrey-based clients. The good news: you don’t need to panic-buy new tooling. Most of the defences live inside the Microsoft 365 licences you already pay for.
How modern attackers beat ordinary MFA
1. Adversary-in-the-middle (AiTM) phishing
The user clicks a phishing link, lands on a fake Microsoft login that’s actually a transparent proxy. They type their password, the proxy forwards it to real Microsoft, Microsoft sends them an MFA prompt, they approve it — and the proxy steals the resulting session cookie. The attacker now is the user, MFA notwithstanding.
2. MFA fatigue / push bombing
The attacker already has the password (from a breach elsewhere). They trigger MFA prompt after MFA prompt — sometimes 30 in a row, often at 2am — until the exhausted user taps “Approve” just to make it stop.
3. SIM swap
The attacker convinces the mobile carrier to move the victim’s number to a new SIM. SMS codes now arrive at the attacker’s phone. UK carriers have improved on this, but it still happens.
4. OAuth consent phishing
The attacker doesn’t steal the password at all. They get the user to “consent” to a malicious third-party app that grants persistent access to mailbox, files and calendars — bypassing MFA entirely.
The 2026 baseline: what to do instead
1. Number matching (free, available now)
In Microsoft 365, switch your MFA method from “Approve / Deny” prompts to number matching. The user sees a 2-digit number on the login screen and must type it into the Authenticator app. Push-bombing instantly fails — the attacker doesn’t know the number to enter.
2. Conditional Access policies (Business Premium / Entra ID P1)
- Trusted locations — block or step up MFA for sign-ins outside the UK.
- Compliant devices only — require Intune-enrolled devices for high-risk apps.
- Block legacy authentication — POP, IMAP and other basic-auth protocols cannot perform an MFA challenge, so they bypass MFA entirely. Turn them off.
- Sign-in risk policies — high-risk sign-ins get blocked or stepped up to phishing-resistant MFA.
3. Phishing-resistant MFA for admins (the real fix)
For any account with administrative privileges, move beyond authenticator apps to a FIDO2 security key (YubiKey, Feitian, Token2) or a passkey. These methods cryptographically bind the login to the legitimate domain — an AiTM proxy literally cannot relay the credential.
YubiKey 5 series keys are around £45 each. Issuing two per admin (one in use, one in a safe) costs less than the average cyber-insurance excess.
4. Token / session lifetime policies
Reduce how long a stolen session cookie remains valid. Conditional Access can force re-authentication after a short window for sensitive apps.
5. Block third-party OAuth consent
In Entra ID, change “user consent for applications” from “Allow user consent” to “Do not allow user consent” — or restrict it to verified publishers.
6. Continuous Access Evaluation (CAE)
Available in Business Premium. When something risky happens (user signs in from a new country, password is reset), Microsoft kills existing sessions across the tenant within minutes.
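Items 2, 3 and 4 above, written out as an added PowerShell example using the Microsoft Graph PowerShell SDK (this is not Letsma's own tooling or Microsoft's documentation); it assumes the SDK is installed and uses a placeholder break-glass account name that you must replace. Both policies are created in report-only mode so the sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: two of the 2026 baseline Conditional Access policies, created with the
# Microsoft Graph PowerShell SDK. Both start in report-only mode; flip state to "enabled"
# only after reviewing the report-only results in the sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder: your emergency-access (break-glass) account, excluded from both policies.
$breakGlassId = (Get-MgUser -UserId "breakglass@yourtenant.example").Id

# Policy 1: block legacy authentication (POP/IMAP/basic-auth clients) for everyone.
$blockLegacy = @{
    displayName = "Baseline - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = legacy auth clients
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: admins must satisfy the built-in "Phishing-resistant MFA" authentication
# strength (FIDO2 key / passkey) and re-authenticate every 4 hours, which caps how long
# a stolen session cookie stays useful.
$adminPolicy = @{
    displayName = "Baseline - Phishing-resistant MFA for admins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users        = @{
            # Global Administrator role template ID; add further admin role IDs as needed.
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 4 }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Confirm both policies exist and are still report-only before enforcing.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like "Baseline - *" |
    Select-Object DisplayName, State
```

Leave the policies in report-only mode for at least a week and check the sign-in logs for legitimate users who would have been blocked (including the break-glass account) before switching the state to "enabled".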
What this costs
| Layer | Licence required | Letsma cost |
|---|---|---|
| Number matching | Any M365 | Included in managed contract |
| Conditional Access policies | Business Premium / Entra ID P1 | Included in managed contract |
| FIDO2 / passkey for admins | Any M365 | ~£45 / key + 30 min setup per admin |
| OAuth consent lockdown | Any M365 | Included in managed contract |
| Continuous Access Evaluation | Business Premium / Entra ID P1 | Included in managed contract |
The honest summary
If you have Microsoft 365 Business Premium today, the 2026 baseline is largely a configuration change rather than a buying decision. The hardest part is the policy design — getting Conditional Access right without locking out your sales team in airports — and that’s where Letsma earns its fee.
“Letsma caught an AiTM attempt against our finance director within 90 seconds of the session cookie being stolen. The Conditional Access policy revoked the session before the attacker could open the mailbox.”
— Operations Director, Crawley
Ready to review your baseline?
We’ll spend an hour mapping your current Conditional Access and MFA configuration against the 2026 baseline.
Book a security baseline review
Related reading: Cyber Security at Letsma · Phishing 101 for staff · Cyber Essentials made simple