
2 posts tagged with "microsoft-365"


How Attackers Abuse Entra ID & OAuth Without Malware

· 22 min read
Inference Defense
Threat Intelligence & Detection Engineering

Who this is for: Security analysts who want to understand exact attack mechanics, and CISOs who need to know why their EDR gives them false confidence against this threat class. Every technique here has been observed in real-world intrusions; no theoretical fluff.

MFA Bypass in 2025 to 2026: Device Code Phishing, Token Replay, and Why Your Conditional Access Policy Isn't Enough

· 27 min read
Inference Defense
Threat Intelligence & Detection Engineering

Your user just completed MFA. They entered their authenticator code correctly. Microsoft accepted it. Your Conditional Access policy evaluated and passed. And the attacker sitting at a server in a different country just received a valid OAuth access token with 60-90 minutes of life, a refresh token valid for 90 days, and a path to your entire Microsoft 365 environment. No phishing page. No fake login form. No credential harvested. MFA was the mechanism the attacker used to authenticate on the victim's behalf. This is not a future threat. It has been actively exploited since at least mid-2024, and campaigns surged dramatically in late 2025.