
All news with #mfa fatigue tag

34 articles

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises via live chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-like domains such as [.]zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA like FIDO2 keys, monitor live chat, block unauthorized domains and audit new MFA enrollments.

Venom PhaaS Used in Global C-Suite Credential Theft

πŸ” Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade detection and isolate human targets. Attackers used both AiTM relays and Microsoft’s device code flow to bypass MFA and achieve persistent access.

Tycoon2FA Phishing Service Rapidly Resumes Activity

πŸ›‘οΈ Tycoon2FA, a subscription-based phishing-as-a-service platform, has resumed operations following a coordinated takedown that seized 330 domains. The service uses adversary-in-the-middle techniques to intercept live authentication sessions and bypass multifactor authentication, and it continues to deploy AI-generated decoy pages and malicious URLs. CrowdStrike reported multiple suspected Tycoon2FA-enabled incidents in early March. Organisations are urged to prioritise continuous detection, real-time signal correlation, and layered defences to counter this adaptive threat.

Tycoon2FA Phishing-as-a-Service Persists After Takedown

πŸ›‘οΈ On March 4, 2026, Europol coordinated a technical disruption that seized 330 domains tied to Tycoon2FA, a subscription-based phishing-as-a-service platform that enabled adversary-in-the-middle (AITM) attacks to bypass multifactor authentication. CrowdStrike observed an immediate drop in activity followed by a return to pre-disruption campaign volumes as operators reconstituted infrastructure and continued using established TTPs. Defenders should maintain layered controls across phishing, DNS resolution, cloud authentication, and Exchange inbox protections while leveraging Falcon and Falcon Complete for detection and response support.

Smashing Security 459: Near-Miss WordPress Account Takeover

πŸ” In Episode 459 Graham Cluley and Paul Ducklin dissect a near-miss account takeover aimed at WordPress co-founder Matt Mullenweg that combined MFA prompt fatigue, authentic Apple alerts, a convincing support call and a phishing page. They draw practical lessons on resisting MFA prompt fatigue and social-engineering support scams. The episode also explores UK Biobank re-identification risks and the ethics of sharing lifetime medical data.

Tycoon 2FA phishing kit dismantled after global takedown

🔒 In a coordinated takedown, law enforcement and industry partners dismantled Tycoon 2FA, a commercial phishing-as-a-service platform that automated MFA bypasses via a real-time proxy. The kit, sold for about US $120/month through private Telegram channels, forwarded credentials and one-time codes to legitimate sites to capture authenticated sessions. It was linked to tens of millions of phishing emails and widespread attacks on healthcare and education before seizures and blocks by Microsoft, multi-country law enforcement, and Cloudflare largely disrupted the operation. Users are reminded that not all MFA is equal: hardware security keys or passkeys provide stronger protection against proxying than SMS-based codes.

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Data

🔒 A sophisticated phishing campaign impersonating cryptocurrency broker Bitpanda has been uncovered by Cofense, employing a near-perfect fake login to steal credentials. Victims are guided through a staged MFA flow that requests names, phone numbers, addresses and dates of birth, enabling account takeover and identity abuse. The fraudulent landing page uses deceptive domains and urgent messaging before redirecting users to the real login page. Users should verify sender addresses, hover over links and access platforms via bookmarks rather than email links.

Starkiller phishing service proxies real login flows

πŸ” Starkiller is a phishing-as-a-service that dynamically loads live login pages and proxies user interactions through attacker-controlled infrastructure. It generates deceptive URLs that visually mimic legitimate domains (for example using an @-based URL trick), spins up containerized headless browsers, and records every keystroke, session token, and MFA code. The platform streams sessions in real time, harvests cookies and MFA codes, and delivers campaign analytics and Telegram alerts to customers.

Device-Code Vishing Abuses Microsoft Entra OAuth Flow

📞 Threat actors are combining device-code phishing and voice-based social engineering to abuse the OAuth 2.0 Device Authorization flow and compromise Microsoft Entra accounts. Instead of malicious apps, attackers leverage legitimate Microsoft OAuth client IDs and the standard device login workflow so victims unknowingly produce valid tokens and complete MFA. Security researchers suspect the ShinyHunters extortion group is involved; administrators should audit and revoke suspicious consents, disable the device code flow when not needed, and enforce conditional access policies.

Starkiller phishing kit uses proxy to bypass MFA protections

⚠️ Abnormal researchers have identified Starkiller, a commercial-grade phishing kit that proxies live login pages to harvest credentials and session tokens. Unlike static HTML clones, Starkiller runs a headless Chrome proxy that serves genuine page content and forwards one-time codes in real time, enabling MFA bypass. Distributed as a subscription on the dark web with updates and Telegram support, it includes real-time session monitoring, a keylogger and deceptive URLs mimicking major providers. Organizations should monitor anomalous login patterns and session token reuse to reduce risk.

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.

Okta Warns of Real-Time Vishing Attacks Bypassing MFA

🔔 Okta Threat Intelligence has warned that cybercriminals are combining vishing calls with adaptable phishing sites to social-engineer victims and bypass multi-factor authentication (MFA). Attackers perform reconnaissance, spoof internal IT support numbers during calls and direct users to customized phishing pages that update in real time. Stolen credentials are relayed to attackers who then generate fake MFA prompts to obtain approvals and gain account access.

ShinyHunters Claim Responsibility for SSO Vishing Attacks

📞 ShinyHunters says it is behind a wave of voice-phishing campaigns that compromise single sign-on accounts at Okta, Microsoft Entra, and Google, enabling access to downstream SaaS platforms. Attackers call employees posing as IT, steer victims through dynamic phishing pages and capture multi-factor authentication in real time, then enumerate connected applications to harvest data. The group claims Salesforce as a primary target and has issued extortion demands using stolen information.

OAuth device-code abuse enables MFA bypass in attacks

🔒 Security firm Proofpoint reports attackers are abusing the OAuth 2.0 device-code flow to bypass MFA. Scammers trick users into entering one-time device codes into malicious Microsoft authentication links, allowing the attackers to capture codes and gain full access to the victim's Microsoft 365 accounts and content. Proofpoint observed both Russian and Chinese threat actors using this technique.

FBI: $262M Lost to ATO Fraud as AI Phishing Escalates

πŸ” The FBI warns that cybercriminals impersonating banks and payment services have caused over $262 million in losses this year through account takeover (ATO) fraud and more than 5,100 complaints. Attackers use phishing, SEO poisoning, calls and SMS to harvest credentials and MFA/OTP codes, then transfer funds to intermediary accounts and convert proceeds to cryptocurrency. The advisory highlights growing use of AI-generated phishing and holiday-themed scams and urges vigilance, unique passwords, URL checks and stronger authentication.

Sneaky2FA Adds Browser-in-the-Browser to Phishing Kits

πŸ›‘οΈ Researchers report that the Sneaky2FA phishing-as-a-service kit now includes browser-in-the-browser (BITB) functionality that lets attackers embed a fake browser window with a customizable URL bar to mimic legitimate sites such as Microsoft. The iframe-backed pop-up captures credentials and MFA codes in real time, enabling attackers to hijack active sessions. This change lowers the skill threshold for criminals and undermines many signature-based defenses, prompting calls for updated training and stronger browser configurations.

Sneaky2FA PhaaS Adds Browser-in-the-Browser Deception

🔒 Sneaky2FA has integrated a Browser-in-the-Browser (BitB) pop-up that impersonates Microsoft sign-in windows and adapts to the victim’s OS and browser. Used alongside its existing SVG-based and attacker-in-the-middle (AitM) proxying, the BitB layer renders a fake URL bar and loads a reverse-proxy Microsoft login to capture credentials and active session tokens, enabling access even when 2FA is active. The kit also employs heavy obfuscation and conditional loading to evade analysis.

Tycoon 2FA Phishing Kit Undermines Legacy MFA Protections

πŸ” Tycoon 2FA is a turnkey phishing kit that automates real-time MFA relays, enabling attackers to capture credentials, session cookies, and live authentication flows for Microsoft 365 and Gmail. It requires no coding skill, includes layered evasion (obfuscation, compression, bot filtering and debugger checks), and proxies MFA prompts so victims unknowingly authenticate attackers. The result undermines SMS, TOTP and push methods and can enable full session takeover. The article urges migration to phishing-resistant FIDO2 hardware and domain-bound biometric authenticators.

Whisper 2FA Drives Nearly One Million Phishing Attacks

πŸ›‘οΈ Whisper 2FA has emerged as a highly active phishing kit, responsible for almost one million attacks since July 2025, according to Barracuda. The platform leverages AJAX to create a live relay between victims and attackers, repeatedly capturing passwords and MFA codes until a valid token is obtained. Campaigns impersonate services like DocuSign, Adobe and Microsoft 365 and use urgent lures such as invoices or voicemail notices. Rapid evolution, dense obfuscation and anti-debugging measures make detection and analysis increasingly difficult.