For years, MFA was treated as a timing problem. Add enough friction, the thinking went, and attackers would be exposed before they could act. Real-time phishing relay attacks dismantle that assumption. They do not wait for friction. They route around it.

For decades, breach response centered on a single question: how did the malware get in? That question is no longer the right one. Recent advisories from CISA confirm what security leaders already see in their incident reports. A significant and growing share of breaches involve no malware at all. Attackers authenticate with legitimate credentials. They operate as trusted users. Detection tools built to catch malicious binaries see nothing — because the attacker is not behaving like malware. They are behaving like an employee.

According to recent reporting by The Register, the ShinyHunters group has been linked to a new breach involving CarGurus. The details are consistent with a pattern that security teams have been tracking for over a year. No exploit. No malware. No zero-day. The attacker authenticated. That distinction matters. It defines the entire problem — and the only category of solution that resolves it.

Microsoft, Europol, Trend Micro, and a global coalition just disrupted Tycoon 2FA — one of the most prolific phishing-as-a-service platforms ever documented. That is a meaningful outcome. It is not safety. Tycoon 2FA is offline. The attack model that made it successful is not.

What happened at Stryker today isn't a malware story. It's an identity story. And it's one the industry has seen before — the Sony hack, twelve years ago, followed a similar path. A dozen years later, the attack surface has changed. The fundamental failure hasn't.