Practical guides to protect yourself, your family, and your business from AI-driven scams, deepfakes, and emerging cyber threats.
Google's Trust and Safety team published its latest fraud and scams advisory on June 8, 2026. The first section reads like a quiet obituary for a control that most organizations spent the past decade rolling out. Multi-factor authentication (MFA, the second login step such as a code from your phone or an authenticator app) no longer stops a large and growing class of phishing attacks. The technique behind that shift is called Adversary-in-the-Middle (AiTM) phishing, and once you see how it works, the advice you have been giving your staff starts to look incomplete.
The advisory opens with the scale of the problem. Global fraud losses reached nearly 580 billion dollars in 2025, according to the NASDAQ Verafin Global Financial Crime Report, and roughly one in five adults reported falling for a scam. The figure that should change how you think is not the total. It is that the password, the thing nearly every phishing defense was built to protect, is no longer what the more capable attackers are chasing.
The advisory, written by Google Vice President of Trust and Safety Laurie Richardson, lays out the mechanism plainly. In a classic phishing attack, a fake page captures your password and the attacker logs in later. MFA defeats that, because the attacker hits the second-factor wall and has no code. Adversary-in-the-Middle removes the wall. The attacker stands up a proxy, a relay server that sits between you and the genuine login page. You enter your password, the proxy forwards it to the real site, the real site asks for your MFA code, the proxy forwards that too, and you log in normally. Nothing looks wrong, because every page you see is the genuine one relayed through the proxy; the only tell is the address bar, which shows the proxy's domain rather than the real one. But when the website hands back a session cookie, the small token your browser stores so it does not make you log in again on every click, the proxy quietly copies it, along with the password and the one-time code that passed through it. With that cookie the attacker is already inside, authenticated as you, with no password left to crack and no second factor left to ask for.
A stolen session cookie behaves like a skeleton key. Unless the service explicitly revokes existing sessions on a password change, and many do not, it does not expire when the victim changes their password, and it carries none of the friction MFA was supposed to add. The uncomfortable part for your organization is who this catches. Anyone trained to believe that a code from their authenticator app means a login is safe has effectively been trained to walk into this. Picture your finance staff approving a calendar renewal notice, your help desk resetting an account under pressure, or an executive reading mail on a phone where a QR code looks harmless. The systemic shift, and the reason to raise this at your next architecture review, is that phishing has become an industry. Dismantling one kit did not move the numbers, because the lures are now generated and personalized at machine speed while the relay infrastructure is rented by the week. The contest has moved from your password to your session, and most defenses are still posted at the password.
The advisory's first section is easy to skim past, because it does not announce a breach or a record loss. What it announces is quieter and more consequential. The second factor you deployed to stop account takeover is no longer sufficient by itself, and attackers have moved one step downstream to the session it protects. Passkeys and device-bound sessions close that step, for two different reasons. A passkey signs the origin the browser is actually on, so a relay served from another domain cannot obtain an assertion the genuine site will accept, and no session is ever created for it to copy. A device-bound session ties the cookie to a key held on the user's device, so a copy of the cookie on its own is not enough to make a request. Carry one question into your next security review. If an attacker captured one of your employees' live sessions tomorrow, would anything you have deployed actually stop them, or have you been guarding a door they stopped using?
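To make the relay concrete, the following is an added, self-contained simulation of the mechanism the advisory describes and of the two defenses it names. It is not code from the advisory or from Google. The genuine site, the victim's browser and the attacker's relay are in-process Python objects; the hostnames, the account name and password, and the TOTP counter are constructed for the example; and an HMAC keyed with a per-device secret stands in for the asymmetric signature a real passkey or device key would produce (the origin check and the replay logic are the same either way).

```python
"""Toy simulation of an Adversary-in-the-Middle (AiTM) relay against three
login designs: password + TOTP, origin-bound passkeys, and device-bound
sessions. Added example, not code from the advisory. All parties are
in-process objects; an HMAC keyed with a per-device secret stands in for
the asymmetric signature a real passkey or device key would produce."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example"       # assumed hostname of the genuine site
PHISH_ORIGIN = "https://login-example.net"  # assumed hostname the relay is served from
USER, PASSWORD = "alice", "hunter2"         # constructed sample account


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; TOTP (RFC 6238) is the same with counter = unix_time // 30."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 10**6:06d}"


def sign(key: bytes, *parts: str) -> str:
    """Stand-in for a passkey / device-key signature over the joined parts."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class Site:
    """The genuine server. Sessions live server-side; a cookie is only a handle."""

    def __init__(self, otp_secret, device_key, totp_counter):
        self.otp_secret, self.device_key, self.counter = otp_secret, device_key, totp_counter
        self.password = PASSWORD
        self.sessions = {}      # cookie -> {"user": ..., "device_bound": bool}
        self.nonces = set()     # outstanding login challenges / proof nonces

    def challenge(self):
        n = secrets.token_hex(8)
        self.nonces.add(n)
        return n

    def _use(self, nonce):
        """A nonce is good exactly once; False if unknown, spent, or missing."""
        if nonce not in self.nonces:
            return False
        self.nonces.discard(nonce)
        return True

    def login_password(self, user, password, otp):
        """Legacy flow: whatever is typed is checked; the cookie is bound to nothing."""
        if password != self.password or not hmac.compare_digest(otp, hotp(self.otp_secret, self.counter)):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "device_bound": False}
        return cookie

    def login_passkey(self, user, nonce, origin, assertion):
        """Passkey flow: the assertion covers the origin the browser was actually on."""
        if not self._use(nonce) or origin != REAL_ORIGIN:
            return None
        if not hmac.compare_digest(assertion, sign(self.device_key, nonce, origin)):
            return None          # browser signed a different origin than the caller claims
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "device_bound": True}
        return cookie

    def change_password(self, new_password, revoke_sessions=False):
        """Many deployments do only the first line; the second is the fix."""
        self.password = new_password
        if revoke_sessions:
            self.sessions.clear()

    def get_inbox(self, cookie, nonce=None, proof=None):
        s = self.sessions.get(cookie)
        if s is None:
            return "401 no such session"
        if s["device_bound"]:           # cookie alone is not enough: prove the device key
            if not self._use(nonce) or proof is None:
                return "401 device proof missing"
            if not hmac.compare_digest(proof, sign(self.device_key, cookie, nonce)):
                return "401 device proof wrong"
        return f"200 inbox for {s['user']}"


class Browser:
    """Victim's browser plus authenticator; it signs for the origin it believes it is on."""

    def __init__(self, otp_secret, device_key, totp_counter):
        self.otp_secret, self.device_key, self.counter = otp_secret, device_key, totp_counter

    def login_with_totp(self, endpoint):
        return endpoint.login_password(USER, PASSWORD, hotp(self.otp_secret, self.counter))

    def login_with_passkey(self, endpoint, origin_in_address_bar):
        n = endpoint.challenge()
        return endpoint.login_passkey(USER, n, origin_in_address_bar,
                                      sign(self.device_key, n, origin_in_address_bar))

    def fetch_inbox(self, endpoint, cookie):
        n = endpoint.challenge()
        return endpoint.get_inbox(cookie, n, sign(self.device_key, cookie, n))


class Proxy:
    """The AiTM relay: forwards each call to the real site and keeps what passes through."""

    def __init__(self, site):
        self.site, self.loot = site, []

    def challenge(self):
        return self.site.challenge()

    def login_password(self, user, password, otp):
        cookie = self.site.login_password(user, password, otp)
        self.loot.append(cookie)        # password, OTP and cookie all seen in the clear
        return cookie

    def login_passkey(self, user, nonce, origin, assertion):
        # The relay can claim the real origin, but it cannot re-sign the assertion.
        cookie = self.site.login_passkey(user, nonce, REAL_ORIGIN, assertion)
        self.loot.append(cookie)
        return cookie


def run_scenarios():
    """Returns one outcome per scenario from the text, keyed by name."""
    otp_secret, device_key, counter = secrets.token_bytes(20), secrets.token_bytes(32), 1_700_000
    site = Site(otp_secret, device_key, counter)
    victim, proxy = Browser(otp_secret, device_key, counter), Proxy(site)
    out = {}
    # 1. Password + TOTP through the relay: the login looks normal to the victim,
    #    the relay keeps the cookie, and the attacker replays it with no password and no code.
    victim.login_with_totp(proxy)
    stolen = proxy.loot[-1]
    out["relay_login_succeeded"] = stolen is not None
    out["totp_cookie_replay"] = site.get_inbox(stolen)
    # 2. The victim changes their password; the stolen session survives unless revoked.
    site.change_password("correct horse battery staple")
    out["replay_after_pw_change"] = site.get_inbox(stolen)
    site.change_password("correct horse battery staple", revoke_sessions=True)
    out["replay_after_revoke"] = site.get_inbox(stolen)
    # 3. Passkey through the relay: the browser signs the phishing origin, the site rejects it,
    #    and there is no cookie to steal.
    out["passkey_via_relay"] = victim.login_with_passkey(proxy, PHISH_ORIGIN)
    # 4. Passkey direct to the site gives a device-bound session: the real browser can use it,
    #    a bare copy of the cookie cannot.
    cookie = victim.login_with_passkey(site, REAL_ORIGIN)
    out["bound_session_owner"] = victim.fetch_inbox(site, cookie)
    out["bound_cookie_replay"] = site.get_inbox(cookie)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} {result}")
```

Running it prints four results in order: the TOTP login through the relay succeeds and the bare cookie is accepted, it is still accepted after a password change until the server explicitly revokes sessions, the passkey login through the relay returns no cookie at all, and the device-bound cookie is refused without a fresh proof from the device key. The two places to look when reviewing a real deployment are the same as in the toy: does the server compare the asserted origin to its own, and does a cookie by itself ever satisfy a request.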