MFA was for a long time the single most cost-effective security improvement an SMB could make. It still is. But the attack pattern has evolved. Adversary-in-the-middle (AiTM) toolkits like EvilProxy and Tycoon now sit between the user and the legitimate sign-in page, capturing both the credentials and the resulting session token after MFA completes. The attacker then replays the token to impersonate the user, MFA-be-damned.
The defence has to go deeper than MFA: Conditional Access policies that bind sessions to device compliance; Continuous Access Evaluation (CAE) that revokes sessions when risk events occur; phishing-resistant authentication methods (FIDO2 keys, passkeys, Windows Hello for Business) that don't generate replayable artefacts; and token-protection policies on the highest-risk identities.
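To make two of those controls concrete, here is an added example (not from the original post) that creates a report-only Microsoft Entra Conditional Access policy requiring both a compliant device and the built-in phishing-resistant authentication strength. It assumes the Microsoft Graph PowerShell SDK and an account permitted to write Conditional Access policies; the break-glass object ID is a placeholder.

```powershell
# Added example, not from the original post. Creates a report-only Conditional
# Access policy that requires BOTH a compliant device AND phishing-resistant MFA
# (FIDO2 key / passkey / Windows Hello for Business). Even if an AiTM proxy
# captures a password and a one-time code, neither control can be satisfied
# from the attacker's unmanaged host.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Built-in "Phishing-resistant MFA" authentication strength (well-known fixed ID).
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

$policy = @{
    displayName = "CA - Require compliant device + phishing-resistant MFA (report-only)"
    # Start in report-only so the sign-in logs show who would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            # Placeholder: always exclude at least one emergency-access account.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"                 # every listed control must be met
        builtInControls        = @("compliantDevice")  # session bound to a managed, compliant device
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in report-only mode."
Write-Host "Review the 'Report-only' column in sign-in logs, then change state to 'enabled'."
```

Leave the policy in report-only for a few sign-in cycles and check the sign-in log results before enforcing, so users without a registered passkey or compliant device are found before they are locked out.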
This isn't a future problem. It's a 2025–26 commodity attack. The organisations not affected are the ones that have already moved past password-plus-MFA as a primary defence.
