
MFA Isn’t Enough Anymore

  • Alan S
  • Dec 29, 2025
  • 5 min read

The rise of token theft + “Approve Access” scams hitting small businesses


If you’re a business owner, you’ve probably heard the standard advice for years:

  • Use strong passwords

  • Turn on Multi-Factor Authentication (MFA)

  • Train employees not to click suspicious links


That advice is still good. But here’s the uncomfortable update:

Attackers are increasingly bypassing passwords (and even MFA) by stealing “login tokens” or tricking users into approving access. In plain English: they’re finding ways to sign in as you without needing your password again.


This post breaks down what’s happening, why it matters to SMBs, and what you can do, without needing to be technical.


Sign-in approval pop-up

The new reality: attackers want “tokens,” not passwords

When you sign in to Microsoft 365, Google Workspace, or a SaaS app, you don’t want to type your password every five minutes. So these platforms create a session, a “you’re verified” pass that stays active for a period of time. That pass is often a token (sometimes it behaves like a cookie in your browser). If an attacker gets that token, they may not need your password or your MFA code to get into your email or apps.


Think of it like this:

  • Password = the key

  • MFA = the deadbolt

  • Token = the “already let in” wristband you got when you entered the venue

If someone steals the wristband, they can walk right back in.


Two common MFA attacks SMBs are seeing now

  1. “Enter this code” sign-in scams (device-code phishing)

    This one feels legit because it often uses a real login page.

    Here’s the flow:

    1. The employee gets a message (email/text/Teams) that looks urgent: “Security update needed. Sign in to keep access.”

    2. They click a link and are told to enter a short code on a sign-in page.

    3. The employee enters the code… and unknowingly approves the attacker’s login.

The attacker is sitting elsewhere, waiting for that approval. Once it happens, they’re in.

Why it works: It doesn’t “steal a password” in the usual way; it tricks someone into authorizing access.


  2. “Approve this app” scams (OAuth consent attacks)

    This is sneaky and very common in SaaS-heavy environments.

    It looks like:

    • “This app would like permission to access your email/profile/files.”

    The user clicks Allow (often trying to be helpful or move quickly), and now a malicious app may have access.

    Even worse: the access can sometimes persist, meaning the attacker doesn’t need to keep logging in. They can keep pulling data in the background.

    Why it works: It looks like a normal “connect an app” workflow, something modern businesses do all the time.


Why SMBs are especially exposed

Large companies usually have dedicated security teams controlling:

  • which apps can connect

  • who can approve access

  • how long sessions last

  • alerts when unusual logins happen

SMBs often don’t.

SMBs also tend to have:

  • lots of cloud tools (Microsoft 365/Google + CRM + accounting + e-sign + payroll)

  • shared inboxes (info@, accounting@)

  • busy employees who are rewarded for moving fast

  • limited visibility into “who approved what”

This is exactly the environment attackers love.


The real-world business impact (what this turns into)

When attackers get access through tokens or approvals, the outcomes often look like:

  • Invoice fraud / payment redirection (they sit in your email, watch how you pay vendors, then intercept and change wiring instructions)

  • Payroll diversion (direct deposit changes)

  • Client data exposure (files or emails accessed)

  • Ransomware staging (email compromise becomes the foothold to attack other systems)

  • Operational disruption (account lockouts, email rules, reputation damage)

These are not “big enterprise” problems anymore. They’re very normal SMB claims.


What you can do this week (non-technical checklist)

You don’t need to overhaul everything tomorrow. Start with a few high-value moves:


A) Lock down “who can approve apps”

Goal: employees should not be able to approve random third-party apps without review.

Ask your IT provider (or internal admin):

  • Can users approve new apps themselves?

  • Do we require admin approval for new app connections?

  • Do we have an “approved apps” list?

If you don’t know the answers, that’s the point: find out.


B) Audit connected apps (and remove what you don’t recognize)

Every business has old integrations that nobody uses anymore.

Do a quick review:

  • What apps are connected to Microsoft 365 / Google Workspace?

  • Which apps have access to email, files, contacts?

  • Remove anything unknown, unnecessary, or suspicious.

This is one of the simplest ways to cut off “persistent access.”


C) Protect the “money roles” first

If you do nothing else, prioritize:

  • Owners

  • Admin accounts

  • Finance / bookkeeper

  • Payroll

  • Anyone who can change bank info or approve payments

Add stronger protection here first (even before rolling it out to the whole company).


D) Move toward phishing-resistant sign-in for key users

Not all MFA is equal.

SMS codes and “approve a push notification” are better than nothing, but attackers are designing scams specifically to defeat these.

A practical approach:

  • Start with admins + finance

  • Consider passkeys or security keys (best for phishing resistance)

  • Tighten sign-in rules (device checks, location checks) where possible

You don’t need to boil the ocean; just protect the accounts that can hurt you most.


E) Make sure someone is watching for the right signals

Token-based attacks can look like “normal logins.”

You want monitoring/alerts for:

  • new inbox rules created

  • mass forwarding enabled

  • new apps granted access

  • impossible travel / unusual sign-ins

  • admin role changes

If your IT provider says “you have MFA so you’re good,” that’s outdated thinking in 2025.
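To make the five signals in this checklist concrete, here is an added example (not from the original post) that runs simple detection rules over a handful of constructed audit records. The record layout and operation strings are assumptions loosely modelled on cloud identity/mail audit logs rather than any vendor’s schema, and all names and addresses are placeholders.

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records, loosely shaped like a cloud identity/mail audit export.
# Field names and operation strings are assumptions for this example; addresses are placeholders.
SAMPLE_LOG = """
{"time":"2025-12-01T09:00:00Z","user":"ap@example.com","op":"UserLoggedIn","lat":40.71,"lon":-74.01}
{"time":"2025-12-01T09:20:00Z","user":"ap@example.com","op":"UserLoggedIn","lat":52.52,"lon":13.40}
{"time":"2025-12-01T09:22:00Z","user":"ap@example.com","op":"New-InboxRule","params":{"Name":".","DeleteMessage":true,"SubjectContainsWords":["invoice","wire"]}}
{"time":"2025-12-01T09:25:00Z","user":"ap@example.com","op":"Set-Mailbox","params":{"ForwardingSmtpAddress":"smtp:collector@external.example"}}
{"time":"2025-12-01T10:00:00Z","user":"owner@example.com","op":"Consent to application.","params":{"App":"Mail Sync Helper","Scopes":"Mail.Read offline_access"}}
{"time":"2025-12-01T10:05:00Z","user":"admin@example.com","op":"Add member to role.","params":{"Role":"Global Administrator","Target":"ap@example.com"}}
{"time":"2025-12-01T11:00:00Z","user":"bob@example.com","op":"UserLoggedIn","lat":40.71,"lon":-74.01}
"""

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def find_signals(log_text, max_kmh=900):
    """Return (user, description) pairs for the five signals in the checklist."""
    signals, last_login = [], {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        user, op, p = ev["user"], ev["op"], ev.get("params", {})
        t = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        if op == "New-InboxRule":
            # Rules that delete, hide or divert mail are the classic persistence step in invoice fraud.
            diverts = any(p.get(k) for k in ("DeleteMessage", "MoveToFolder", "ForwardTo"))
            signals.append((user, "inbox rule" + (" (hides/diverts mail)" if diverts else "")))
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            signals.append((user, "mailbox forwarding to " + p["ForwardingSmtpAddress"]))
        elif op == "Consent to application.":
            signals.append((user, f"app consent: {p.get('App')} [{p.get('Scopes')}]"))
        elif op == "Add member to role.":
            signals.append((user, f"role change: {p.get('Target')} -> {p.get('Role')}"))
        elif op == "UserLoggedIn":
            # Impossible travel: implied speed between consecutive sign-ins exceeds an airliner's.
            here = (ev["lat"], ev["lon"])
            if user in last_login:
                prev_t, prev_loc = last_login[user]
                hours = (t - prev_t).total_seconds() / 3600
                if hours > 0 and km_between(prev_loc, here) / hours > max_kmh:
                    signals.append((user, "impossible travel"))
            last_login[user] = (t, here)
    return signals
```

Calling `find_signals(SAMPLE_LOG)` on the constructed data raises one alert per checklist signal for the compromised accounts and nothing for the ordinary sign-in by `bob@example.com`; in a real tenant the same rules would be fed from the audit log export rather than an inline string.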


How this connects to cyber insurance (and why it matters)

Cyber insurance applications often ask questions like:

  • Do you use MFA? For which users?

  • Do you restrict privileged/admin access?

  • Do you monitor for suspicious logins and email rule changes?

  • Do you control third-party app access?

Here’s the key: underwriters are increasingly trying to understand whether you’re protected against account takeover, not just whether you turned on MFA.

And for the business owner, the risk isn’t only higher premiums.

If an application overstates controls (“Yes, we restrict app approvals” when employees can approve anything), that can create major headaches during a claim.


This is where Hudson helps!

Most SMB owners don’t need another security buzzword; they need a clear path:

  1. What’s actually at risk in our environment?

  2. What controls matter most for insurance and real-world protection?

  3. What’s the practical gap plan (and budget) to get there?

That’s exactly what we do at Hudson.


We help business owners:

  • translate security reality into accurate, defensible insurance applications

  • identify the specific gaps that drive denials, exclusions, or premium spikes

  • prioritize fixes that reduce risk and strengthen underwriting posture

  • coordinate with your IT/MSP so improvements actually get implemented


If you’re renewing a cyber policy, or buying for the first time, this is the moment to make sure your “MFA story” matches today’s threats.


Want a quick readiness check focused on identity and account takeover? Hudson can walk you through it in plain English and turn it into an actionable plan.


Phone: (212) 655-9383

