When 2FA Isn’t Enough: A Real-World Wake-Up Call
The Incident That Changed Everything
Earlier this year, one of our clients experienced what every business dreads.
Despite having multi-factor authentication (2FA) enabled across their environment, an attacker successfully gained access to a user account.
Within minutes, suspicious activity was detected. Our monitoring systems flagged it immediately.
Access was blocked. The account was isolated. An investigation began.
At first glance, the incident didn’t make sense.
- There was no password breach
- No MFA prompt had been approved
- No obvious vulnerability had been exploited
So how did the attacker get in?
The Answer: A Stolen Session Token
The investigation revealed a sophisticated — and increasingly common — attack method.
The user had fallen victim to a phishing email convincing enough to capture their active session token. With that token, the attacker didn’t need to log in, didn’t need the password, and didn’t need to trigger MFA.
To the system, the attacker was already authenticated.
This wasn’t a failure of 2FA.
It was a reminder of its limits.
Why 2FA Alone Is No Longer Enough
Multi-factor authentication is essential — but it is only one layer of security.
Modern attacks don’t always try to break in through the front door. Instead, they often:
- Trick users into handing over access
- Reuse valid sessions
- Bypass authentication entirely
- Exploit trust rather than technology
This is why modern security strategies must go beyond passwords and codes.
What Would Have Reduced the Risk?
This incident reinforced a message we share with all our clients:
Cybersecurity is a combination of technology, policy, and people.
The controls that make the real difference include:
🧠 User Awareness & Training
Well-trained users are far less likely to fall for phishing attempts — especially modern attacks that don’t “look” malicious.
🔐 Conditional Access Policies
Context-aware rules that assess factors such as device health, location, risk level, and behaviour can prevent session hijacking from becoming a full account compromise.
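As an added illustration of what a context-aware rule looks like in practice (this is example code written for this post, not Proofpoint's or the client's tooling), the snippet below binds each session token to the device, IP and country it was first seen from and flags later uses of the same token from a different context. The event fields and the sample sign-in records are constructed assumptions; a device change is treated as the strong signal, since a replayed cookie is presented from a different machine, while an IP-only change on the same device is left low severity because mobile users roam.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionEvent:
    ts: int          # seconds since epoch
    user: str
    token_id: str    # opaque reference to the session cookie, never the cookie value
    ip: str
    device_id: str   # device identifier reported by the client or MDM agent (assumed)
    country: str     # country code derived from IP geolocation (assumed)


def session_context_mismatches(events):
    """Compare every use of a session token with the context it was first seen in.

    Returns a list of alert dicts. A device change is high severity: a user who
    genuinely logged in keeps using the same browser, whereas a stolen cookie is
    presented from another machine. An IP or country change on the same device
    is low severity because mobile networks and VPNs change addresses legitimately.
    """
    first_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = first_seen.setdefault(ev.token_id, ev)
        if origin is ev:
            continue  # first sighting establishes the token's binding
        reasons = [name for name in ("device_id", "country", "ip")
                   if getattr(ev, name) != getattr(origin, name)]
        if not reasons:
            continue
        alerts.append({
            "user": ev.user,
            "token_id": ev.token_id,
            "severity": "high" if "device_id" in reasons else "low",
            "reasons": reasons,
            "seconds_since_issue": ev.ts - origin.ts,
        })
    return alerts


# Constructed sample sign-in activity, not real log data.
SAMPLE_EVENTS = [
    SessionEvent(1_700_000_000, "alice", "tok-1", "203.0.113.10", "dev-laptop-01", "GB"),
    SessionEvent(1_700_001_200, "alice", "tok-1", "198.51.100.7", "dev-unknown", "NL"),  # token reused from another device
    SessionEvent(1_700_000_100, "bob", "tok-2", "203.0.113.20", "dev-phone-07", "GB"),
    SessionEvent(1_700_003_700, "bob", "tok-2", "203.0.113.99", "dev-phone-07", "GB"),   # same device, new IP (roaming)
]

if __name__ == "__main__":
    for alert in session_context_mismatches(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the high-severity case is what a conditional access policy would act on by revoking the session and forcing re-authentication rather than just alerting.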
🛡️ Advanced Email & Phishing Protection
Blocking malicious emails before they ever reach the inbox dramatically reduces exposure.
Why We Partner with Proofpoint
To address these risks properly, we work with industry-leading platforms — and Proofpoint plays a key role in that strategy.
Proofpoint helps protect businesses by:
- Stopping phishing and malicious emails before users see them
- Identifying risky user behaviour
- Providing ongoing security awareness training
- Running simulated phishing campaigns to reinforce learning
- Reducing the human attack surface — not just the technical one
It’s not about blaming users.
It’s about empowering them.
The Outcome
Because access was blocked quickly and controls were already in place, the incident was contained before any data loss or wider impact occurred.
But the lesson was clear:
Security isn’t a checkbox. It’s a continuous process.
Following the incident, we worked with the client to strengthen user training, improve access controls, and enhance email security — turning a near-miss into a long-term improvement.
Our Takeaway for Spring 2026 🌱
If your security strategy starts and ends with 2FA, it’s time to take the next step.
The most effective protection today combines:
- Strong authentication
- Smart, contextual access policies
- Ongoing user education
- Advanced phishing and email defence
That’s how organisations stay ahead — not just compliant.
Want to Review Your Own Setup?
If you’d like to review your current security posture, assess phishing risk, or learn more about how modern email security platforms fit into today’s threat landscape, we’re always happy to talk.
Abbey Support Ltd
