From Silver Bullet to Speed Bump: MFA Phishing and the New Reality for Cyber Insurers
Introduction
Over the last decade, Multi-Factor Authentication (“MFA”) has increasingly been held up as one of the most effective controls against cyber-crime. During the ‘hard’ cyber insurance market in Australia in 2020 and 2021, insurers started to focus more closely on cyber security controls because of rising claims and insureds were required to confirm that MFA was implemented on key systems such as remote access and VPN’s. Insurers now expect MFA, as part of baseline eligibility requirements and this is reflected in modern cyber proposal and application forms.
Insurers pushed hard for this MFA adoption and with good reason. MFA dramatically reduces losses from basic credential theft and has become a cornerstone requirement of cyber insurance underwriting.
Today, however, the threat landscape is shifting. Attackers are no longer simply stealing passwords; they are actively targeting MFA itself. The rise of MFA Phishing techniques is forcing cyber insurers to rethink assumptions about risk, controls and loss prevention.
The Rise of MFA Phishing
Attackers are adapting quickly. Threat actors are now working around MFA, using techniques such as:
• Man-in-the-middle phishing pages that capture credentials and MFA tokens in real time;
• Session and authentication token theft, allowing attackers to bypass MFA entirely once a user is logged in.
Crucially, many of these attacks succeed even when MFA is technically enabled.
What This Means for Cyber Insurers
For insurers, MFA Phishing may result in a steady increase in claims driven by Business E-Mail Compromise (“BEC”) and Cloud account takeovers. The implications for cyber insurers may be significant:
Additional Underwriting CriteriaInsurers may be required to assess in greater detail how MFA is implemented and how resistant it is to phishing. They may be forced from asking “Do you have MFA?” to questions around Conditional Access, E-Mail protections and phishing-related MFA. In the SME market, which currently places a great emphasis on trying to create a frictionless sales process, such additional underwriting questions will create challenges for insureds and SME-specialist brokers.
Vulnerability ScansMany insurers use external attack-surface scanning to automatically scan a business’s external facing assets. Such tools do have a limited use, but these vulnerability scans cannot directly detect MFA phishing tools or techniques. MFA Phishing does not exploit a software vulnerability within the insured’s environment; instead, it relies on external phishing infrastructure and social engineering to intercept user credentials and authentication tokens in real time. As a result, a clean vulnerability scan does not necessarily indicate a reduced risk of MFA-related compromise, BEC or Cloud account takeover.
Artificial Intelligence (“AI”)Right now, MFA Phishing tends to be targeted because it’s more complex to set up (reverse proxies), riskier for attackers (short-lived infrastructure) and most profitable when aimed at high-value users (finance or execs), so attackers are picking their targets. However, AI will massively reduce the cost of operating MFA Phishing at scale.
AI can already mimic internal tone, formatting and workflows, and personalise lures at scale. That means MFA Phishing does not need to be “handcrafted” per target. Phishing-as-a-Service platforms already exist, but AI will be able to add auto-generated look-alike domains, AI-written login pages that clone real portals and rapid redeployment to evade detection. This will turn MFA Phishing into a volume business, not a bespoke attack. MFA Phishing volume businesses will be able to deploy thousands of highly plausible messages across multiple organisations at once, but each message will still feel targeted to the recipient.
Looking AheadMFA remains a critical control but it is no longer the Silver Bullet it once was. For cyber insurers, the rise of MFA Phishing marks a turning point: how do they move from broad, control-based underwriting to a more nuanced assessment of identity resilience.
The evolution will also present challenges for brokers, many of whom are still adjusting to understanding basic MFA deployment. Insurers will need to take a proactive role in educating brokers and insureds on the very real risks of MFA Phishing and the value of layered identity defences. Ongoing and upskilling will be critical for all to keep pace.
