#MFA

Security awareness tips, industry news, and product updates.

Business owner reviewing a cyber insurance application with security control documentation
Compliance & RegulationsFor MSPs & Partners

Cyber Insurance 2026: MFA and Training Requirements

In 2026, no MFA can mean no coverage, and underwriters now want documented awareness training and phishing simulations too. Here is what insurers look for and how to evidence it.

James Thornton·7/8/2026·7 min read
Employee logging into an account using a password manager on a laptop
Security Awareness Tips

Password Managers and Credential Hygiene at the Office

Reused passwords plus breached credentials are the fuel behind account takeover. Here is how to roll out password managers and build credential hygiene that actually holds across your organization.

Rachel Andersen·7/7/2026·7 min read
University students working on laptops on a busy campus
Security Awareness TipsThreat Intelligence

Education Under Siege: Lessons From the Canvas Breach

ShinyHunters' May 2026 breach of the Canvas LMS exposed data tied to thousands of schools and hundreds of millions of users. Here is why education is a prime target and how awareness training reduces the risk.

James Thornton·7/1/2026·6 min read
Security analysts monitoring threat dashboards in an operations center
Threat Intelligence

Ransomware in 2026: Data Extortion Is the New Normal

Qilin led ransomware activity in early 2026 as groups shift from encryption to pure data extortion. The constant across nearly every attack is the human layer. Here is what CISOs should do.

Marcus Chen·6/30/2026·6 min read
A web browser open on a laptop screen in a workplace setting
Threat Intelligence

Malicious Browser Extensions and Session Theft Risk

Compromised browser extensions are quietly stealing session cookies and tokens - and stolen sessions sail right past passwords and MFA. Here's why attackers are living in the browser, and how to govern extensions.

Rachel Andersen·6/29/2026·7 min read
Employee reviewing an application permission request on a laptop screen
Phishing & Social EngineeringThreat Intelligence

Consent Phishing: Malicious OAuth Apps That Bypass MFA

Consent phishing tricks users into approving a malicious OAuth app — granting attackers token-based access to mail and files without ever touching a password or triggering MFA. Here is how it works and how to shut it down.

Marcus Chen·6/23/2026·6 min read
IT help desk agent wearing a headset and assisting a caller
Phishing & Social EngineeringThreat Intelligence

Help Desk Social Engineering: Scattered Spider's Front Door

Scattered Spider doesn't hack your MFA — it calls your help desk and talks an agent into resetting it. Here's how help desk social engineering works and how to lock the door.

David Kowalski·6/16/2026·4 min read
Person signing in to a laptop with a fingerprint instead of a password
Security Awareness Tips

Passkeys: The Phishing-Resistant MFA Worth Adopting

Passwords and even push-based MFA keep falling to phishing. Passkeys close the door structurally because there is no shared secret to steal. Here is why they work and how to roll them out.

Natalie Hoffmann·6/10/2026·7 min read
Employee entering a login code on a laptop at an office desk
Phishing & Social EngineeringSecurity Awareness TipsThreat Intelligence

Kali365 Phishing Service Targets Microsoft 365 Accounts

The FBI is warning about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass MFA. Here's how the attack works and how to defend your organization.

Marcus Chen·6/6/2026·9 min read
Security analyst reviewing a suspicious device login code on a laptop
Phishing & Social EngineeringSecurity Awareness TipsThreat Intelligence

Device Code Phishing Is Moving Into Criminal Toolkits

Device code phishing is spreading through criminal toolkits and phishing-as-a-service offerings. Here is how the Microsoft 365 attack works and what teams should do next.

Marcus Chen·5/15/2026·8 min read
Security team reviewing a suspicious compliance email on a laptop
Phishing & Social EngineeringSecurity Awareness TipsThreat Intelligence

Microsoft AiTM Phishing Alert: Lessons for US Teams

Microsoft is warning US organizations about a sophisticated code-of-conduct phishing campaign using PDFs, CAPTCHA gates, and AiTM token theft. Here is what security teams should watch for next.

Rachel Andersen·5/6/2026·7 min read
Marketing employee reviewing a social media account alert on a laptop
Phishing & Social EngineeringSecurity Awareness TipsThreat Intelligence

Facebook Phishing Through Google: What Teams Should Do

A new campaign abused Google AppSheet emails to steal Facebook business accounts at scale. Here is what your team should watch for and how empowsec helps build the right response habits.

Marcus Chen·5/5/2026·7 min read