< ciso
brief />
Tag Banner

All news with #mfa tag

122 articles

SMB Cyber Readiness: Prioritize the Fundamentals

🔒 AI is reshaping attacker toolkits, but familiar failures—phishing, unpatched vulnerabilities, poor monitoring and weak passwords—remain the primary causes of incidents for SMBs. ESET telemetry and research show AI mainly amplifies these risks rather than replacing them with pervasive, real-time AI malware. Practical mitigations like patch management, identity protection, MFA, password managers and MDR services remain the most effective ways to improve readiness and resilience.
read more →

NCSC guidance to frustrate penetration testers

🔒 The NCSC asked pen testers what makes their work harder and published recommendations to boost organisational resilience. Responses emphasise secure-by-design practices—like threat modelling, phishing-resistant MFA, avoiding hard-coded credentials, and early input validation—alongside network segmentation and strong OT/IT separation. The guidance also highlights the critical role of quality logging, monitoring and exercised incident response to detect and respond to intrusions.
read more →

Why attackers target your email inbox aggressively

📧 Email accounts act as hubs for identity verification, password resets and long-term records, making them prime targets for cybercriminals. Attackers use phishing, account takeover, forwarding rules and abused tokens to maintain access, intercept codes and harvest sensitive information. Corporate inbox breaches can lead to data theft, ransomware or expensive fraud, while sophisticated tools like GenAI increase phishing success rates. Regularly review security settings, use MFA or passkeys, and remain vigilant to reduce risk.
read more →

CMC analysis of Canvas incident impacts education

🔍 The UK Cyber Monitoring Centre (CMC) has published its review of the Canvas incident affecting Instructure’s Learning Management System, finding ~160 UK higher education institutions impacted and around 9,000 worldwide. The analysis highlights that financial losses arose mainly from response, recovery and risk management rather than prolonged outage. The CMC reinforced best-practice recommendations for the sector, including MFA enforcement, separation of application and data layers, careful third‑party control and clearer vendor communication.
read more →

Cybersecurity’s Shift From Protection to Survival

🔒 The piece argues that cybersecurity must move beyond a prevention-first mindset to a survival-focused discipline. It stresses that while traditional controls (MFA, patching, hardening) remain necessary, organizations need breach readiness: continuity, recoverability, tested incident response, and clear governance. Regulatory and market pressures (EU resilience laws, US disclosure and accountability) plus AI-driven acceleration make resilience an operational imperative.
read more →

CISA Urges Fortinet Users to Secure Devices Now

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Fortinet customers to secure devices after nearly 74,000 firewall and VPN credentials were exposed in a leak dubbed "FortiBleed." The agency advised terminating SSL VPN and admin sessions, resetting passwords, enabling phishing-resistant multifactor authentication, and reviewing logs for signs of unauthorized access. CISA also recommended using PBKDF2 for admin credential storage and restricting management interfaces from the public internet.
read more →

Human behavior shapes cybersecurity outcomes

🛰️ Cisco Talos' Threat Source newsletter reflects on how human behavior, context, and competing priorities often override rational security decisions. The piece links a Spielberg film theme to cybersecurity, noting that knowledge alone doesn't ensure action — organizations struggle with budgets, workloads, and urgency. Talos highlights practical controls like segmentation, backups, and MFA, and showcases a new reverse-engineering method that pairs local AI agents with tools like vbdec to accelerate analysis while protecting sensitive binaries.
read more →

JLR CISO Ordered In-Person Password Resets

🔒 At Infosecurity Europe, Ashish Shrestha, then group CISO of Jaguar Land Rover, recounted the September 2025 cyber-attack response that required over 30,000 staff to reset passwords on site. He said the in-person resets ensured trusted identities for communications after the incident and validated Microsoft 365 integrity. The firm also reset MFA and validated users’ identities physically to mitigate risks of remote account takeover.
read more →

Protecting children's data to prevent long-term identity harm

🔒 Children face lasting identity and privacy risks online from school accounts, gaming profiles, apps and devices. These data can be exploited for fraud or synthetic identity creation, often remaining undetected for years. Parents, schools and vendors all share responsibility; practical steps include data minimization, strong passwords, MFA, privacy settings, parental controls and credit freezes.
read more →

AI Support Bot Exploit Lets Attackers Hijack Instagram

🔒 A wave of account takeovers targeted high-profile Instagram profiles after attackers shared instructions for tricking Meta’s AI support assistant into relinking accounts to attacker-controlled email addresses. The technique, circulated on Telegram on May 31, reportedly involved using a VPN to appear from the target’s locale, initiating a password reset, and persuading the AI bot to add a new email. Meta acknowledged a brief compromise of a dormant Obama White House account and pushed an emergency patch while asserting no backend database was breached. Experts warn AI-driven support flows introduce new attack surface and recommend strong MFA such as passkeys or security keys to mitigate risk.
read more →

Microsoft resolves outage impacting MFA setup access

🔧 Microsoft confirmed and mitigated an incident that prevented some users from setting up multi-factor authentication and accessing the My Sign-Ins site, where affected users encountered 504 Gateway Timeout errors. The company failed over to alternate infrastructure and monitored telemetry while evaluating further mitigations. Microsoft later restored the service, attributing the outage to a cache configuration change that caused high CPU and memory load during an EU traffic peak.
read more →

AWS Backup adds OTP for multi‑party approvals

🔒 AWS Backup now requires one‑time password (OTP) verification when approvers vote on Multi‑party approval actions for logically air‑gapped vaults. Approvers must enter a six‑digit code sent to their registered email in AWS IAM Identity Center, ensuring only verified approvers can authorize protected vault operations. OTP verification is applied automatically to all existing and new Multi‑party approval sessions in supported Regions at no additional charge, with no setup required.
read more →

FBI warns of Kali365 phishing kit bypassing MFA

🔒 The FBI has alerted organisations to Kali365, a phishing-as-a-service platform that can hijack Microsoft 365 accounts without stealing passwords and can bypass multi-factor authentication. Launched in April 2026 and sold via Telegram, Kali365 offers AI-generated lures, automated templates, dashboards, and OAuth token capture for as little as $250 monthly. The kit exploits Microsoft’s device code flow, tricking victims into authorising attacker devices on legitimate Microsoft pages, granting access to Outlook, Teams, and OneDrive. The FBI recommends blocking device code flow with a conditional access policy in Microsoft Entra ID and deploying phishing-resistant MFA such as hardware security keys.
read more →

Experts warn MFA alone won’t stop token phishing

🔐 Security researchers and agencies are warning that phishing campaigns are increasingly targeting Microsoft 365 OAuth device codes and access tokens to bypass multifactor authentication. New commercial services like Kali365 and older kits such as EvilTokens automate token capture, AI‑generated lures, and large-scale campaign management. The FBI and vendors urge admins to restrict device code flows, apply conditional access, monitor token misuse, and adopt identity‑centric controls beyond MFA.
read more →

FBI alert: Kali365 OAuth phishing risks rise

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.
read more →

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

🔐 Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.
read more →

Attackers Bypass Security Tools via Browser and Identity

🔒 Bridewell's Cyber Threat Intelligence Report 2026 warns that attackers are abandoning traditional malware for browser- and identity-focused techniques such as ClickFix, FileFix and ConsentFix that trick users into approving commands or authentication prompts. These tactics bypass endpoint controls and MFA because they operate within trusted workflows and are harder to detect. The firm urges stronger identity protection, user awareness and threat-informed defence.
read more →

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.
read more →

World Passkey Day: Microsoft Pushes Passwordless Future

🔐 Microsoft marks World Passkey Day by outlining steps to accelerate passkey adoption and reduce reliance on passwords and phishable methods. The company highlights work with the FIDO Alliance, expanded Microsoft Entra passkey support, Windows Hello device‑bound keys, and syncing through Microsoft Password Manager. It also strengthens account recovery with verified ID and biometric checks and plans to remove security questions in Entra ID by January 2027. Organizations are urged to enable passkeys and apply policies across sign‑in and recovery.
read more →

Five Google Tools to Strengthen Account Sign‑In Security

🔐 Google outlines five practical tools to make Google Account sign‑ins simpler and more secure on World Password Day 2026. Highlights include Passkeys (device-based sign-in using fingerprint, face, or PIN), recommended pairing with 2-Step Verification, and the ability to add up to 10 Recovery Contacts for account recovery. The post also promotes Sign in with Google to reduce password proliferation and Google Password Manager to create, save, sync, and autofill strong passwords and passkeys.
read more →