CISO Brief

All news with #mfa tag

108 articles

FBI alert: Kali365 OAuth phishing risks rise

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

🔐 Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.

Attackers Bypass Security Tools via Browser and Identity

🔒 Bridewell's Cyber Threat Intelligence Report 2026 warns that attackers are abandoning traditional malware for browser- and identity-focused techniques such as ClickFix, FileFix and ConsentFix that trick users into approving commands or authentication prompts. These tactics bypass endpoint controls and MFA because they operate within trusted workflows and are harder to detect. The firm urges stronger identity protection, user awareness and threat-informed defence.

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.

World Passkey Day: Microsoft Pushes Passwordless Future

🔐 Microsoft marks World Passkey Day by outlining steps to accelerate passkey adoption and reduce reliance on passwords and phishable methods. The company highlights work with the FIDO Alliance, expanded Microsoft Entra passkey support, Windows Hello device‑bound keys, and syncing through Microsoft Password Manager. It also strengthens account recovery with verified ID and biometric checks and plans to remove security questions in Entra ID by January 2027. Organizations are urged to enable passkeys and apply policies across sign‑in and recovery.

Five Google Tools to Strengthen Account Sign‑In Security

🔐 Google outlines five practical tools to make Google Account sign‑ins simpler and more secure on World Password Day 2026. Highlights include Passkeys (device-based sign-in using fingerprint, face, or PIN), recommended pairing with 2-Step Verification, and the ability to add up to 10 Recovery Contacts for account recovery. The post also promotes Sign in with Google to reduce password proliferation and Google Password Manager to create, save, sync, and autofill strong passwords and passkeys.

CloudZ RAT Abuses Microsoft Phone Link to Steal OTPs

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

Human-centric Failures: Why BEC Survives Despite MFA

🔒 Multi-factor authentication reduces credential risk but does not stop many business email compromise (BEC) attacks, because adversaries target human decision points and process gaps rather than accounts. High-profile cases — Toyota Boshoku (2019, ≈$30M) and Arup (2024, ≈$25M) — show attackers using cloned messages and deepfakes without stealing credentials. Organizations should redesign approval workflows, require out-of-band verification for high-risk requests, run realistic BEC simulations, embed micro-learning, introduce purposeful friction and assign clear ownership of payment verification to close operational blind spots.

Phishing and MFA Exploitation: Targeting Trust in Workflows

🔐 In 2025 attackers increased focus on weaknesses in multi-factor authentication (MFA) and the trust inherent in everyday workflows, with phishing used for initial access in 40% of incidents. Cascaded phishing leveraged compromised, legitimate accounts to craft highly convincing lures, while abuse of Microsoft 365 Direct Send enabled internal-looking spoofed messages. MFA spray attacks and device compromise—driven by voice phishing against administrators—targeted IAM tools and high-turnover device ecosystems, with higher education notably impacted. Defenders should harden device management, enforce strong lockout and conditional access policies, and adopt email protections such as Reject Direct Send and tightened SPF/DMARC.

Beware Fake Data Breach Notifications: Spot and Avoid Scams

🔔 As data breach notices become common, fraudsters increasingly send fake alerts or piggyback on real incidents to trick recipients into clicking malicious links or divulging credentials. These scams often demand immediate action, use spoofed sender addresses, and lack personal account details. Verify any notice by logging into the real account or contacting the organization through trusted channels, and reduce exposure with a password manager and MFA.

Five Ways Zero Trust Strengthens Identity Security

🔐 This sponsored article from Specops Software explains five practical ways Zero Trust reduces identity-related risk by centering access controls on verified identities and device posture. It emphasizes least privilege, continuous context-aware authentication tied to device health, and strict segmentation to limit lateral movement. The piece spotlights Specops Device Trust as an example of binding identity to compliant devices and recommends prioritizing phishing-resistant MFA and device checks when starting a Zero Trust rollout.

Protecting Privacy and Security in Smart Sex-Toy Apps

🔒 This article explains privacy and security risks associated with smart sex‑toy apps and companion services, focusing on realistic threats such as data collection, account compromise, and server-side access rather than rare remote device takeovers. It outlines practical mitigations — create anonymous accounts, avoid social logins, limit app permissions, use a strong unique password with two‑factor authentication, and keep software updated. The guidance emphasizes minimizing shared personal data and avoiding identifiable media to reduce risks like stalking, blackmail, and targeted profiling.

When Attackers Already Have the Keys — MFA is Not Enough

🔒 The Figure breach exposed 967,200 email records without a single exploit, creating a large inventory adversaries can immediately weaponize for credential stuffing, AI-driven phishing, and help-desk social engineering. The article argues these exposures are operational inputs, not static data, and that common MFA methods — push notifications, SMS, and TOTP — are vulnerable to real-time relay (AiTM) attacks and MFA fatigue. Fixing the problem is architectural, not purely educational: effective defence requires cryptographic origin binding, hardware-bound private keys, and live biometric verification simultaneously.

Hardening Security Consoles: Kaspersky's Linux 16.1

🔒 Kaspersky highlights that security management consoles themselves expand an organization’s attack surface and therefore must be hardened. Kaspersky Security Center Linux 16.1 adopts a secure-by-default model by enabling two-factor authentication for all console access and removing the global option to disable it. Administrators are required to ensure 2FA is configured for users who access the Web Console or use OpenAPI automation before upgrading. Kaspersky also publishes a structured hardening checklist to audit roles and privileges, restrict network access, strengthen encryption, protect APIs, and ensure comprehensive logging and auditing.

Five Ways to Strengthen Identity Security and Resilience

🔒 This article outlines five practical steps to harden identity security across human, machine, and workload identities and to build attack resilience through least privilege and continuous validation. It recommends prioritizing MFA for high‑privilege accounts, deploying PAM to control administrative access, inventorying all identity types, and establishing real‑time behavior validation. The guidance emphasizes quick wins—enforce MFA for privileged users immediately and expand to all users within 30 days—to reduce credential‑based breaches and limit lateral movement.

Low-Cost Steps to Strengthen Your Security Posture Now

🔒 This piece presents eight practical, low-cost measures CISOs and security teams can deploy to materially improve enterprise protection. Recommendations emphasize better enforcement of MFA, fuller use of existing tool capabilities, regular tabletop exercises, and adoption of passkeys for high-risk users. The focus is on disciplined execution, configuration, and human risk management rather than large new purchases.

Hackers Exploit Identity Systems at Industrial Scale

🔐 The SentinelOne Annual Threat Report for 2026 warns that attackers are executing identity-based compromises at industrial scale, abusing legitimate enterprise accounts and identity systems. These intrusions often bypass or subvert MFA — including through readily available MFA-bypass kits and coercive push attacks — leaving traditional defenses blind. The report also highlights fake-persona recruitment campaigns, including deepfake-enabled interviews, and warns of administrative account takeovers that can disable MFA organization-wide.

Quick Guide to Recovering a Hacked Online Account Safely

🔒 This concise guide explains fast, practical steps to recover a compromised online account and limit attacker control. It recommends a prioritized, timed response—contain the incident, secure access, and check for persistent compromise—emphasizing actions such as changing passwords, removing unauthorized forwarding, enabling two-factor authentication, and revoking sessions from a known-clean device. The piece also covers device cleanup, notifying contacts and banks, and long-term protections such as password managers, authenticator apps, hardware keys and regular software updates.

Identity Attacks Rise: Adversaries Seek Invitations

🧛 Cisco Talos highlights a growing trend in 2025: attackers increasingly seek to be authorised as legitimate users rather than relying solely on loud exploits. Telemetry shows nearly a third of MFA spray attacks targeted IAM applications and fraudulent device registrations surged 178%, indicating adversaries focus on the mechanisms that grant access. Talos urges organisations to harden authentication, prioritise patching, manage EOS/EOL devices, and adopt phishing-resistant controls as part of a broader defensive posture.

Adversary-in-the-Middle Phishing Is Defeating MFA Now

🔐 Modern phishing now uses adversary-in-the-middle proxies that capture entire authentication flows, including MFA prompts and session cookies. Employees can complete legitimate logins and still be compromised because attackers replay session tokens from a different machine. Organizations must move beyond traditional MFA and outdated awareness training and instead deploy phishing-resistant authentication, bind sessions to managed devices, and monitor post-authentication behavior.