For a decade, the security advice has been simple and correct: turn on multi-factor authentication. It works. It stopped a generation of password-spray and credential-stuffing attacks cold.

So the criminal economy did what it always does. It stopped attacking the part you fixed.

The fastest-growing identity attacks in 2026 do not try to beat your MFA. They wait until you have already passed it, then steal the result. The attacker does not need your password or your one-time code. They need the small piece of data your browser holds after you log in, the session cookie that says “this person already proved who they are.” Steal that, replay it, and you are inside, with MFA showing a clean bill of health the whole time.

The Shift: From Stealing Credentials to Stealing Sessions

When you authenticate to a web application, the server does not ask for your password on every click. It issues a session token, usually stored as a browser cookie, that stands in for the full login for hours or days. That token is a bearer token: whoever holds it is treated as you, no questions asked.

This is the soft spot. Two well-documented techniques target it directly:

  • Infostealer malware. A user runs a malicious installer, a cracked application, a fake browser update, or a poisoned search result. The payload, a commodity infostealer, sweeps the machine for browser cookie databases, saved passwords, crypto wallets, and authentication tokens, then exfiltrates them in seconds. Established families such as LummaC2, RedLine, and Vidar built this market. According to BleepingComputer’s reporting on the REMUS infostealer, newer entrants are being sold as a managed service with rapid feature iteration, lowering the skill required to run these campaigns.
  • Adversary-in-the-middle (AiTM) phishing. The victim clicks a phishing link and lands on a reverse-proxy page that sits between them and the real login portal. The user sees the genuine site, enters credentials, and completes the MFA prompt. The proxy passes it all through to the real service and quietly captures the session cookie that comes back. Phishing-as-a-service kits have made this turnkey; Microsoft and other vendors have publicly tracked AiTM kits behind large-scale business email compromise campaigns.

Both paths end in the same place: the attacker holds a valid, already-authenticated session. No password reset alert. No failed-login spike. No second MFA prompt, because the token was minted after MFA succeeded.

This maps to known adversary behavior in the MITRE ATT&CK framework, specifically Steal Web Session Cookie (T1539), Steal Application Access Token (T1528), and Forge Web Credentials (T1606). These are not novel research ideas. They are catalogued, observed, in-the-wild techniques.

Why This Should Worry Non-Technical Leaders

It is tempting to file this under “an IT problem.” It is not. It is a business-risk problem, for three reasons.

It defeats the control you told the board you bought. Most organizations have communicated, internally and to customers or regulators, that MFA protects their accounts. Session theft does not break that statement so much as route around it. If your risk register treats “MFA is enabled” as the mitigation for account takeover, the register is now optimistic.

It targets the accounts that matter most. Infostealers do not care whose laptop they land on, but the operators triaging the stolen data do. A finance controller’s session into the payments portal, an executive’s email session, an IT administrator’s session into the identity provider: these are sold and reused first. Business email compromise built on a hijacked, already-trusted mailbox is far harder for staff and partners to spot than a spoofed lookalike domain.

It is being industrialized. The reason this is a 2026 story and not a 2021 footnote is the supply chain behind it. Stolen credentials and session data flow into automated marketplaces. Initial-access brokers buy in bulk and resell to ransomware affiliates. The gap between “an employee ran a bad installer at home” and “a ransomware crew has a valid session into your environment” is now measured in hours, not months.

What to Do This Week

None of the following requires new budget or a new product. All of it reduces exposure to the specific techniques above. The goal is not perfection; it is to stop being the account that gets reused before lunch.

Shorten the Window

  • Reduce session and refresh-token lifetimes on your most sensitive applications: email, the identity provider itself, finance and payment systems, and administrative consoles. A stolen token that expires in hours is far less valuable than one good for two weeks.
  • Require reauthentication for high-risk actions: changing MFA methods, adding mail-forwarding rules, modifying payment details, or creating new privileged accounts. A replayed session should not be enough to move money or rewrite the rules of the mailbox.

Bind the Session to Something the Attacker Does Not Have

  • Turn on the conditional-access and continuous-evaluation features you most likely already own. In Microsoft Entra ID, Google Workspace, Okta, and comparable platforms, policies that re-check device compliance, location, and risk signals mid-session can invalidate a token that suddenly appears from an unmanaged device or an implausible location. Microsoft’s documented Continuous Access Evaluation is one example of this category of control.
  • Where your identity provider supports phishing-resistant authentication (FIDO2 security keys or passkeys) and token-protection or device-binding features, prioritize them for administrators and finance staff first. These raise the cost of both AiTM proxying and raw token replay. Treat this as a phased rollout, not a same-day switch.

Find the Infections Feeding the Pipeline

  • Treat infostealer detection as a named priority for whatever endpoint protection you already run. The early signal is often a single user’s machine briefly contacting an unfamiliar host and reading the browser profile directory. Make sure that telemetry is on and reviewed.
  • Watch the identity provider sign-in logs for the tell of session replay: the same account active from two distant locations or device types within a short window, sign-ins with valid session state but no corresponding interactive MFA event, and new mailbox rules or OAuth app grants shortly after an unusual sign-in.
  • Constrain personal and unmanaged devices. A large share of infostealer infections originate on home machines where work accounts are also signed in. Conditional access that distinguishes managed from unmanaged devices is one of the highest-leverage controls available here.

Plan the Response Before You Need It

  • Write down, in advance, how you revoke sessions. For your top five applications, know exactly how to force a global sign-out and rotate tokens for one user and for everyone. Practice it once. Account takeover response that starts with “how do we kill all sessions” wastes the hour that matters most.
  • Brief your finance and executive-support staff. The realistic attack is not a clumsy spoof. It is a real, internal, already-trusted mailbox asking for a routine change. Reinforce out-of-band verification, a voice call to a known number, for any payment or vendor-detail change, regardless of how legitimate the request looks.

The Honest Framing

MFA is still essential. Nothing here is an argument to turn it off, and an organization without MFA has bigger and more urgent problems than session theft. The point is narrower and important: MFA is a control against credential abuse, and attackers have moved one step downstream of it.

The organizations that handle this period well will not be the ones that bought a new acronym. They will be the ones that treated the session, not just the login, as something worth protecting: shorter lifetimes, device-aware policies they already pay for, real attention to the endpoints feeding the criminal supply chain, and a rehearsed way to pull the plug.

You proved who you were at the door. The work now is making sure that proof cannot be picked up off the floor and reused.

What Secure Roots Is Doing

We are working with clients to run a focused identity-resilience review: an inventory of session and token lifetimes on the systems that would hurt most, a gap analysis of existing conditional-access and continuous-evaluation policies (using capabilities the client already licenses), a check that infostealer-relevant endpoint telemetry is enabled and monitored, and a short tabletop on session-revocation response. It is designed to fit in days, not quarters, and to use controls you already own before recommending anything new.

If you want a clear-eyed read on how exposed your most sensitive accounts are to session theft, we can help.

Contact Secure Roots

References

  • BleepingComputer, “Inside the REMUS infostealer: session theft, MaaS, and rapid evolution,” May 2026 (industry reporting on the infostealer-as-a-service market and session theft).
  • MITRE ATT&CK: Steal Web Session Cookie (T1539), Steal Application Access Token (T1528), Forge Web Credentials (T1606), Modify Authentication Process (T1556). attack.mitre.org
  • Microsoft, Continuous Access Evaluation and Conditional Access documentation, learn.microsoft.com (continuous session re-evaluation as a category of control).
  • CISA guidance on phishing-resistant multi-factor authentication, cisa.gov (FIDO2 and passkeys for high-value accounts).
  • General industry reporting on adversary-in-the-middle phishing-as-a-service kits and infostealer families (LummaC2, RedLine, Vidar) as the established market preceding newer entrants.