In the past year, financial services firms faced an escalating threat that doesn’t rely on stolen passwords—it exploits the very systems designed to prevent them. Security researchers have documented a growing wave of voice phishing campaigns that trick employees into resetting their multi-factor authentication (MFA) credentials, granting attackers persistent access to corporate networks. This technique has become the dominant initial access method in the sector, bypassing traditional security controls that were previously considered robust.
The rise of voice phishing in financial services
Security firm CrowdStrike’s latest threat landscape report reveals that Mutant Spider, an active threat group, has emerged as the most persistent adversary in financial services over the past 12 months. Instead of deploying malware or exploiting software vulnerabilities, the group leverages voice phishing—specifically through Microsoft Teams calls—posing as internal IT support to manipulate employees. Victims are convinced to reset their credentials and MFA, allowing attackers to register their own devices on corporate networks. The security systems functioned as intended, but the human element became the weakest link.
The financial toll of such attacks is staggering. CrowdStrike reports that financial services organizations experienced a 43% increase in hands-on-keyboard intrusions globally in 2025 compared to 2023, with North America seeing a 48% rise. The e-crime landscape has expanded rapidly, with 423 financial institutions named on dedicated leak sites in 2025—a 27% increase from the previous year. Among these, REVENANT SPIDER’s Qilin ransomware-as-a-service program accounted for the highest number of victims, with its financial services targets jumping from 14 to 97 in just 12 months.
Token theft: The new credential theft
A parallel threat emerged in May 2025 when the FBI issued a public service announcement about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 per month. This tool exploits Microsoft 365’s OAuth token authentication flow to capture legitimate device tokens. Unlike traditional phishing, the MFA prompt appears on the victim’s device, not the attacker’s, rendering secondary authentication checks ineffective. Once obtained, the token grants persistent access to Outlook, Teams, and OneDrive without triggering additional MFA prompts, creating a backdoor that remains undetected for extended periods.
The Verizon 2026 Data Breach Investigations Report corroborates these findings, noting that credential theft now accounts for only 13% of breach initial access vectors, down from previous years. Vulnerability exploitation has taken the top spot at 31%, signaling a fundamental shift in attack methodologies. While MFA remains effective against password-based breaches, it fails to address the growing wave of token theft and social engineering tactics now dominating the financial sector.
State-sponsored threats and operational sophistication
State-sponsored adversaries have also escalated their activities, adding scale and precision to their attacks. North Korea-linked groups stole an estimated $2.02 billion in digital assets in 2025, a 51% increase from the prior year. In February 2025, the Pressure Chollima group executed the largest single cryptocurrency theft on record, compromising Safe{Wallet} and stealing $1.46 billion after infecting a developer’s machine via a trojanized Python project.
Meanwhile, Chinese-nexus groups have conducted sustained campaigns against financial institutions across multiple continents. Hollow Panda exploited vulnerabilities in Check Point VPN appliances to target banks in the Philippines, Indonesia, and Brazil, while Vault Panda gained initial access through compromised VPN and firewall devices. These attacks highlight the increasing sophistication of state-sponsored actors, who are leveraging both technical exploits and social engineering to breach high-value targets.
The human factor: MFA’s critical gap
Security experts emphasize that the current wave of attacks thrives on human error rather than technical vulnerabilities. Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, succinctly captured the issue: “Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password'?” This sentiment underscores the structural shift in threat actor tactics, where social engineering has become the primary attack vector.
Mutant Spider’s campaigns demonstrate the full lifecycle of such attacks. After convincing an employee to reset their MFA, the group deploys custom post-access tools like PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike believes these tools are often sold to ransomware operators, illustrating how initial access can quickly escalate into full-scale intrusions. Similarly, Scattered Spider resumed ransomware operations in mid-2025, targeting insurance companies using the same social engineering playbook that has defined its attacks since 2022.
The convergence of voice phishing, token theft, and state-sponsored campaigns paints a sobering picture for financial services security teams. While MFA remains a critical security control, its limitations in countering social engineering and token-based attacks are now glaringly apparent. Organizations must adopt layered defenses, including rigorous identity verification, continuous monitoring for suspicious device registrations, and comprehensive employee training to mitigate these evolving threats.
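The attack chain described above (a help-desk-driven MFA reset followed by the attacker registering a new device) leaves a tell-tale sequence in identity audit logs. The following detection logic is an added example, not from CrowdStrike's report or any vendor product; the event names, field names and sample log lines are constructed for the demonstration and would need mapping to your identity provider's real audit schema.

```python
"""Flag users whose MFA was reset and who then registered a new device soon after.

Added example (not from the report). Field names ("op", "user", "device") and
the operation strings are assumed; the JSON lines below are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2025-06-02T09:12:00Z","user":"a.jones","op":"MFA method reset","actor":"helpdesk1"}
{"ts":"2025-06-02T09:20:30Z","user":"a.jones","op":"Device registered","device":"DESKTOP-9Q2"}
{"ts":"2025-06-02T11:05:00Z","user":"b.lee","op":"MFA method reset","actor":"helpdesk2"}
{"ts":"2025-06-03T14:00:00Z","user":"b.lee","op":"Device registered","device":"LAPTOP-77"}
{"ts":"2025-06-02T12:00:00Z","user":"c.kim","op":"Device registered","device":"iPhone-ck"}
"""

# Operations that indicate a credential/MFA reset and a new device enrolment (assumed names).
RESET_OPS = {"MFA method reset", "Password reset by admin"}
REGISTER_OPS = {"Device registered"}


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_reset_then_register(events, window_hours=1.0):
    """Return (user, reset_ts, register_ts, device) for every device registration
    that follows a reset of the same user within window_hours."""
    window = timedelta(hours=window_hours)
    last_reset = {}   # user -> timestamp of most recent reset seen so far
    hits = []
    for ev in events:
        if ev["op"] in RESET_OPS:
            last_reset[ev["user"]] = ev["ts"]
        elif ev["op"] in REGISTER_OPS:
            reset_ts = last_reset.get(ev["user"])
            if reset_ts is not None and ev["ts"] - reset_ts <= window:
                hits.append((ev["user"], reset_ts, ev["ts"], ev.get("device")))
    return hits


def alerts_for(text, window_hours=1.0):
    """Convenience wrapper: parse the log text and correlate in one call."""
    return find_reset_then_register(parse_events(text), window_hours)


if __name__ == "__main__":
    for user, reset_ts, reg_ts, device in alerts_for(SAMPLE_LOG):
        print(f"ALERT {user}: reset at {reset_ts:%H:%M}, device {device} registered at {reg_ts:%H:%M}")
```

In production, pair this with a check of the registered device against the user's known device inventory, since a legitimate reset is usually followed by sign-in from an already-enrolled device, and tune the window to your help desk's actual reset-to-recovery times.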
AI summary
In cyberattacks targeting financial firms over the past year, password theft has given way to MFA resets. Explore the new threat model and the ways to defend against it.