ciso brief

All news with #mfa fatigue tag

43 articles

Dashlane reports brute-force compromise of a few vaults

πŸ” Dashlane disclosed a brute-force attack on May 31, 2026, targeting certain personal accounts to bypass two-factor authentication and register new devices. Its security controls triggered temporary suspensions and authentication issues, and although access has been restored, attackers succeeded in downloading encrypted vaults for fewer than 20 personal-plan users. Dashlane stressed that vault contents remain protected by each user's Master Password and that its internal systems were unaffected.

FBI Alerts on Kali365 Phishing Service Targeting M365

🔒 The FBI warns about the Kali365 phishing-as-a-service platform that abuses OAuth device code authentication to hijack Microsoft 365 and Microsoft Entra accounts. Distributed via Telegram since April 2026, Kali365 enables low-skilled attackers to bypass MFA by tricking victims into authorizing device codes, then capturing OAuth tokens to access mailboxes and cloud apps. Researchers observed campaigns using phishing emails, AI-generated lures, and real-time dashboards, while the FBI advises blocking device code flows and preserving forensic evidence.

FBI Warns of Kali365 Phishing-as-a-Service Threat

πŸ›‘οΈ The FBI has identified a new phishing-as-a-service platform called Kali365, first seen in April 2026, that is being distributed primarily via Telegram. The service furnishes AI-generated lures, automated templates and real-time tracking dashboards to enable attackers β€” including low-skill actors β€” to capture OAuth tokens and bypass MFA for Microsoft 365 accounts. Victims are tricked into pasting device codes into the legitimate Microsoft verification page, unintentionally authorizing attacker devices and granting persistent access to services such as Outlook, Teams and OneDrive. The FBI recommends restricting or blocking device code flow, implementing conditional access policies, blocking authentication transfer and protecting emergency access accounts.

Storm-2949: Identity Compromise Leads to Cloud Breach

πŸ” Microsoft Threat Intelligence details how Storm-2949 converted targeted identity compromise into a broad cloud breach, exfiltrating data from Microsoft 365 and production workloads in Azure. The actor abused SSPR-based social engineering to bypass MFA, performed directory discovery via Graph API, and leveraged management-plane operations to retrieve Key Vault secrets and download large volumes of data. Organizations should adopt behavior-based detections such as Microsoft Defender and tighten RBAC and administrative controls to detect and mitigate similar identity-driven cloud attacks.

BlackFile (UNC6671): Vishing and SSO extortion campaign

πŸ” Google Threat Intelligence Group (GTIG) details UNC6671, operating as "BlackFile," which uses large-scale voice phishing (vishing) and adversary-in-the-middle techniques to bypass MFA and compromise SSO access. The group targets Microsoft 365 and Okta, leveraging Python and PowerShell scripts to automate exfiltration and repurpose valid session cookies to "stream" files. GTIG highlights detection indicators such as python-requests User-Agent mismatches, nonstandard IP infrastructure, and subdomain-based credential-harvesting sites to aid defenders.

FlowerStorm Phishing Adopts Browser VM Obfuscation

🔒 Researchers at Sublime Security reported that the FlowerStorm phishing-as-a-service campaign has begun using KrakVM, an open-source browser-based JavaScript virtual machine, to conceal credential-stealing code inside HTML attachments. When victims open the attachments in a browser, encrypted bytecode is executed by the VM and launches a dynamic credential- and MFA-harvesting workflow. The kit supports real-time AiTM interception and adapts phishing pages to the victim’s provider and branding, complicating static analysis and many email defenses.

MuddyWater Employs Microsoft Teams for Targeted Intrusion

πŸ” Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts β€” including Chaos-related extortion indicators and a signed loader β€” to obscure state-backed motives and slow incident response.

Microsoft details large-scale credential theft phishing

🔒 Microsoft disclosed a large-scale credential-theft phishing campaign that ran April 14–16, 2026, targeting over 35,000 users at more than 13,000 organizations across 26 countries. Attackers used polished, code-of-conduct-themed HTML lures, legitimate email delivery services and PDF attachments to funnel victims through CAPTCHA-gated pages into AiTM sign-in flows that harvested credentials and tokens, bypassing MFA. Most targets were in the U.S., with heavy impacts on healthcare, finance, professional services, and technology. Microsoft linked many endpoints to Tycoon 2FA, with additional activity tied to Kratos and EvilTokens.

BlackFile Extortion Group Targets Retail and Hospitality

📞 Unit 42 and RH-ISAC report BlackFile has targeted retail and hospitality since Feb 2026, linking activity to CL-CRI-1116 and overlaps with UNC6671/Cordial Spider. The group uses vishing — impersonating IT helpdesks with spoofed VoIP — and phishing pages that mimic corporate SSO, plus antidetect browsers and residential proxies to harvest credentials and OTPs. After access they register devices to bypass MFA, escalate privileges, and exfiltrate data via Salesforce and SharePoint APIs. Recommendations include caller identity checks, strict escalation for IT support, and simulation-based phone-security training.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempted fraud exceeding $20 million.

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises via live chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-like domains such as [.]zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA like FIDO2 keys, monitor live chat, block unauthorized domains and audit new MFA enrollments.

Venom PhaaS Used in Global C-Suite Credential Theft

πŸ” Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade detection and isolate human targets. Attackers used both AiTM relays and Microsoft’s device code flow to bypass MFA and achieve persistent access.

Tycoon2FA Phishing Service Rapidly Resumes Activity

πŸ›‘οΈ Tycoon2FA, a subscription-based phishing-as-a-service platform, has resumed operations following a coordinated takedown that seized 330 domains. The service uses adversary-in-the-middle techniques to intercept live authentication sessions and bypass multifactor authentication, and it continues to deploy AI-generated decoy pages and malicious URLs. CrowdStrike reported multiple suspected Tycoon2FA-enabled incidents in early March. Organisations are urged to prioritise continuous detection, real-time signal correlation, and layered defences to counter this adaptive threat.

Tycoon2FA Phishing-as-a-Service Persists After Takedown

πŸ›‘οΈ On March 4, 2026, Europol coordinated a technical disruption that seized 330 domains tied to Tycoon2FA, a subscription-based phishing-as-a-service platform that enabled adversary-in-the-middle (AITM) attacks to bypass multifactor authentication. CrowdStrike observed an immediate drop in activity followed by a return to pre-disruption campaign volumes as operators reconstituted infrastructure and continued using established TTPs. Defenders should maintain layered controls across phishing, DNS resolution, cloud authentication, and Exchange inbox protections while leveraging Falcon and Falcon Complete for detection and response support.

Smashing Security 459: Near-Miss WordPress Account Takeover

πŸ” In Episode 459 Graham Cluley and Paul Ducklin dissect a near-miss account takeover aimed at WordPress co-founder Matt Mullenweg that combined MFA prompt fatigue, authentic Apple alerts, a convincing support call and a phishing page. They draw practical lessons on resisting MFA prompt fatigue and social-engineering support scams. The episode also explores UK Biobank re-identification risks and the ethics of sharing lifetime medical data.

Tycoon 2FA phishing kit dismantled after global takedown

🔒 In a coordinated takedown, law enforcement and industry partners dismantled Tycoon 2FA, a commercial phishing-as-a-service platform that automated MFA bypasses via a real-time proxy. The kit, sold for about US $120/month through private Telegram channels, forwarded credentials and one-time codes to legitimate sites to capture authenticated sessions. It was linked to tens of millions of phishing emails and widespread attacks on healthcare and education before seizures and blocks by Microsoft, multi-country law enforcement, and Cloudflare largely disrupted the operation. Users are reminded that not all MFA is equal: hardware security keys or passkeys provide stronger protection against proxying than SMS-based codes.

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Data

🔒 A sophisticated phishing campaign impersonating cryptocurrency broker Bitpanda has been uncovered by Cofense, employing a near-perfect fake login to steal credentials. Victims are guided through a staged MFA flow that requests names, phone numbers, addresses and dates of birth, enabling account takeover and identity abuse. The fraudulent landing page uses deceptive domains and urgent messaging before redirecting users to the real login page. Users should verify sender addresses, hover over links and access platforms via bookmarks rather than email links.

Starkiller phishing service proxies real login flows

πŸ” Starkiller is a phishing-as-a-service that dynamically loads live login pages and proxies user interactions through attacker-controlled infrastructure. It generates deceptive URLs that visually mimic legitimate domains (for example using an @-based URL trick), spins up containerized headless browsers, and records every keystroke, session token, and MFA code. The platform streams sessions in real time, harvests cookies and MFA codes, and delivers campaign analytics and Telegram alerts to customers.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

Starkiller phishing kit uses proxy to bypass MFA protections

⚠️ Abnormal researchers have identified Starkiller, a commercial-grade phishing kit that proxies live login pages to harvest credentials and session tokens. Unlike static HTML clones, Starkiller runs a headless Chrome proxy that serves genuine page content and forwards one-time codes in real time, enabling MFA bypass. Distributed as a subscription on the dark web with updates and Telegram support, it includes real-time session monitoring, a keylogger and deceptive URLs mimicking major providers. Organizations should monitor anomalous login patterns and session token reuse to reduce risk.