Device Code – A live webinar on July 8, 2026 will dig into how phishing and BEC/ATO attacks can exploit trusted authentication flows—sometimes gaining persistent access even when users complete real logins and MFA—while urging defenders to automate detection with behavioral
For years, multi-factor authentication has been treated like a firewall: add the second step, stop the compromise. But in the newest wave of phishing, attackers aren’t always trying to steal passwords or “break” MFA at all.
On July 8. 2026. BleepingComputer will host a live webinar titled “Stop chasing alerts: Automating email security with behavioral AI.” The session will be presented by Dan Nickolaisen. Solutions Architect Manager at Abnormal AI. and Eric Danneker. Director of Cyber Vigilance and Defense at Novant Health.
The webinar’s starting point is blunt. Many organizations already rely on multi-factor authentication as one of their strongest defenses against account compromise. Yet attackers increasingly use phishing techniques that don’t require stealing passwords or bypassing MFA at all.
The focus will land on the authentication moments that users can’t help but perform. One technique receiving growing attention is Device Code phishing. where attackers trick users into authorizing access through legitimate Microsoft authentication pages. Users complete a real login and complete an MFA challenge—exactly the steps security teams ask for. After that, attackers can gain persistent access without ever stealing credentials.
That detail matters because it changes what “success” looks like for an attacker. The compromise isn’t necessarily triggered by missing MFA, or by a stolen password showing up somewhere. Instead, the attack rides on trust and on workflows that are designed to help legitimate logins happen quickly.
This shift creates a different kind of problem for defenders. Traditional email defenses, credential monitoring, and MFA protections may not detect these attacks. Analysts can end up investigating suspicious activity only after an account has already been compromised.
Abnormal AI’s role in the webinar is to address that gap. The session will explain how behavioral AI can identify unusual account activity. suspicious communications. and attack patterns that conventional security controls may miss. The promise is operational as much as technical: attendees will learn approaches for detecting account compromise earlier. reducing investigation workloads. and improving response times through automation and behavioral analysis.
The webinar also expands beyond Device Code phishing to show how modern phishing campaigns, business email compromise (BEC), and account takeover (ATO) attacks exploit trusted services and authentication workflows to gain access to corporate accounts.
Why MFA isn’t stopping every account takeover is the thread running through it all. Many phishing attacks still focus on stealing passwords, but increasingly attackers are targeting authentication workflows themselves. By abusing legitimate authorization processes. attackers can obtain access tokens that grant ongoing access to email. cloud applications. and corporate resources—often without tripping the traditional security signals defenders have trained themselves to watch.
In that scenario. SOC and incident response teams face operational strain: the work doesn’t just involve detecting a threat. it involves figuring out what happened after the fact. The webinar says it will cover the operational challenges these attacks create for SOC and incident response teams. and how behavioral AI can automate investigations before compromised accounts can snowball into larger security incidents.
The session will also outline practical approaches for reducing response times and limiting account takeover risks, with an emphasis on identifying these attacks sooner and automating detection and response activities before compromised accounts lead to bigger security incidents.
Registration is open for the live session, framed around a familiar pain point in cybersecurity operations: teams often find themselves “chasing alerts” rather than stopping the compromise earlier—especially when the attacker’s trick is to make the login steps look legitimate.
MFA bypass Device Code phishing phishing BEC ATO account takeover behavioral AI Abnormal AI Novant Health email security SOC automation