The attack dominating financial services doesn't steal passwords. It resets MFA and steals the token.
Editor's summary
This article cites the CrowdStrike 2026 Financial Services Threat Landscape Report, which names Mutant Spider as the most active threat actor against the financial sector over the past 12 months. The group used Microsoft Teams voice phishing to impersonate IT support staff, induce MFA resets, and enroll its own devices on corporate networks. The FBI's Kali365 warning and the Verizon DBIR likewise show that Microsoft 365 OAuth token theft and vulnerability exploitation have emerged as initial access paths that replace password theft.
Context
This case shows not that MFA failed, but that account recovery, device enrollment, and token issuance procedures have become the attack surface. Financial institutions need to treat MFA bypass not as a narrow authentication problem but as an identity operations risk that spans helpdesk verification, device code flow controls, OAuth permission management, and session token monitoring. As the center of initial access shifts from passwords to tokens and vulnerabilities, security investment is likely to expand from strengthening user authentication toward continuous access verification and privilege-abuse detection.
Article
The attacker who hit the most financial services organizations over the past 12 months never phished a password. They called an IT support line, convinced an employee to reset their MFA, and registered their own device on the network.

CrowdStrike’s 2026 Financial Services Threat Landscape Report, released this month and covering activity from April 2025 through March 2026, identified Mutant Spider as the single most active threat to the financial services sector. The group’s primary technique was voice phishing over Microsoft Teams. Operators impersonated internal IT support, convinced employees to reset their credentials and multifactor authentication, then registered their own devices on corporate networks. The security control worked exactly as designed — and that was the problem.

Within days, the FBI published a public service announcement warning about Kali365, a phishing-as-a-service platform sold on Telegram for as little as $250 a month. Kali365 captures Microsoft 365 OAuth tokens through the legitimate device code authentication flow. MFA fires on the victim’s device, not the attacker’s. The token grants persistent access to Outlook, Teams, and OneDrive without triggering another MFA prompt.

The Verizon 2026 Data Breach Investigations Report, also released in May, confirmed that credential theft dropped to 13% of breach initial access vectors. Vulnerability exploitation took the top position at 31%, displacing what Verizon called the longtime leading initial-access category. That's three independent sources, same structural finding. MFA protects password-based authentication, but the attacks dominating financial services increasingly bypass password theft through resets, token grants, and exploitation.
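The device code grant described above leaves a trace that defenders can hunt for: the sign-in completes with authenticationProtocol set to deviceCode, and in a token-theft scenario it completes from an IP address the user has never signed in from. The following detector is an added example written for this article, not code from CrowdStrike, the FBI, or the Kali365 advisory. It assumes Microsoft Entra ID sign-in log records in JSON-lines form; the field names (authenticationProtocol, ipAddress, userPrincipalName, status.errorCode) follow the Entra sign-in schema, but every record below is constructed for the example.

```python
"""
Added example: flag Microsoft 365 sign-ins that completed via the OAuth
device code flow from an IP address the user has never used in a normal
(non-device-code) sign-in. Not part of the original article; the sample
records are constructed and the schema assumption is Entra ID sign-in logs.
"""
import json
from collections import defaultdict

# Constructed sign-in records (invented values, Entra-style field names).
# a.lee: two normal sign-ins from 203.0.113.10, then a device code sign-in
#        from 198.51.100.77, an IP never seen for that user -> high severity.
# b.kim: device code sign-in from an IP already in their baseline -> low.
# c.park: device code attempt that failed (errorCode != 0) -> not reported.
SAMPLE_SIGNINS = """\
{"createdDateTime":"2026-05-04T08:02:11Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.10","appDisplayName":"Outlook","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-04T08:15:40Z","userPrincipalName":"a.lee@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T09:30:02Z","userPrincipalName":"b.kim@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T11:47:19Z","userPrincipalName":"a.lee@example.com","ipAddress":"198.51.100.77","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T12:01:03Z","userPrincipalName":"b.kim@example.com","ipAddress":"203.0.113.10","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2026-05-05T12:10:55Z","userPrincipalName":"c.park@example.com","ipAddress":"198.51.100.78","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":50126}}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded(rec: dict) -> bool:
    """Entra reports a successful sign-in as status.errorCode == 0."""
    return rec.get("status", {}).get("errorCode", -1) == 0


def build_ip_baseline(records: list[dict]) -> dict[str, set[str]]:
    """Per-user set of IPs seen in successful sign-ins that did NOT use the
    device code flow. Device code sign-ins are excluded on purpose so that a
    token-theft event cannot launder its own IP into the baseline."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if succeeded(rec) and rec.get("authenticationProtocol") != "deviceCode":
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    return baseline


def find_device_code_signins(records: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Return one finding per successful device code sign-in. Severity is
    'high' when the source IP is outside the user's baseline (the pattern a
    phishing kit produces), 'low' when the IP is already known for the user
    (e.g. a legitimate headless device enrolled from the office)."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode" or not succeeded(rec):
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        known_ip = ip in baseline.get(user, set())
        findings.append({
            "time": rec["createdDateTime"],
            "user": user,
            "ip": ip,
            "app": rec.get("appDisplayName"),
            "severity": "low" if known_ip else "high",
            "reason": ("device code flow from an IP this user has signed in from before"
                       if known_ip else
                       "device code flow completed from an IP never seen for this user"),
        })
    return findings


def run_on_sample() -> list[dict]:
    """Convenience entry point: run the detector over the constructed records."""
    records = parse_signins(SAMPLE_SIGNINS)
    return find_device_code_signins(records, build_ip_baseline(records))


if __name__ == "__main__":
    for f in run_on_sample():
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} from {f['ip']} ({f['app']}): {f['reason']}")
```

In production the baseline would be built from a longer history than the batch being scored, and the low-severity branch matters: device code sign-ins are legitimate for headless devices and CLI tools, so the goal is to surface the ones whose source IP does not belong to the user, and separately to decide (via a Conditional Access authentication-flow policy) whether the flow should be allowed for that population at all.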
The MFA Bypass Exposure Audit Grid at the end of this article maps all five confirmed attack surfaces from the CrowdStrike, FBI, and Verizon reports, what MFA misses on each one, and the specific fix for Monday morning.

The CrowdStrike numbers paint a sector under sustained pressure

Financial services ranked as the fourth most targeted sector by Q1 2026, accounting for 12% of all observed adversary activity, according to the CrowdStrike report. Globally, financial institutions faced 43% more hands-on-keyboard intrusions in 2025 compared to two years earlier. In North America, that figure was 48%.

The e-crime side of the problem grew faster than most defenders expected. Big game hunting operators named 423 financial services entities on dedicated leak sites during the reporting period. That is a 27% increase from the 334 entities named in the prior 12 months. REVENANT SPIDER, which operates the Qilin ransomware-as-a-service program, posted the most financial services victims of any e-crime adversary on its dedicated leak site. The group’s financial services victim count jumped from 14 to 97 over the reporting period.

“Who needs a zero day if all you have to do is call the help desk and say, 'I forgot my password'?” Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat. That one sentence captures the structural shift his team documented across twelve months of financial services intrusions.

The interactive intrusion breakdown tells the story of who is actually getting inside these networks. E-crime actors drove 75% of hands-on-keyboard intrusions against financial services. State-sponsored adversaries accounted for the remaining 25%. That ratio has not moved since 2023. What changed is the total volume and the sophistication of the access techniques.

Mutant Spider’s vishing campaigns over Microsoft Teams represent a structural shift in initial access.
The group impersonates IT support, manipulates employees into resetting MFA, then deploys custom post-access tools including PrionFlaire, SocksLoader, and SleepyMutagen. CrowdStrike believes the group sells that access to ransomware operators. The Teams call is step one. The ransom note is step five.

Scattered Spider returned to aggressive ransomware operations against insurance companies from April through July 2025, following a significant operational pause that began in December 2024. The group ran the same playbook it has used since 2022: help desk social engineering; credential and MFA reset requests; then lateral movement through integrated SaaS applications to locate data for extortion. In September 2025, the U.K.’s National Crime Agency arrested and charged two members for allegedly targeting Transport for London. The U.S. Department of Justice separately charged one of them in connection with multiple cyberattacks against U.S. critical infrastructure.

State-sponsored groups added scale and speed

The report’s state-sponsored findings reinforce the identity problem from a different direction. DPRK-nexus adversaries stole $2.02 billion in digital assets in 2025, a 51% increase from the prior ye