All news with #mfa tag

AI-powered phishing uses fake CAPTCHA pages to evade

🤖 AI-driven phishing campaigns are increasingly using convincing fake CAPTCHA pages to bypass security filters and trick users into revealing credentials. Trend Micro found these AI-generated pages hosted on developer platforms such as Lovable, Netlify, and Vercel, with activity observed since January and a renewed spike in August. Attackers exploit low-friction hosting, platform credibility, and AI coding assistants to rapidly clone brand-like pages that first present a CAPTCHA, then redirect victims to credential-harvesting forms. Organizations should combine behavioural detection, hosting-provider safeguards, and phishing-resistant authentication to reduce risk.

Microsoft Fixes Entra ID Token Flaw Allowing Impersonation

🔒 Microsoft has patched a critical token validation failure in Entra ID (formerly Azure AD), tracked as CVE-2025-55241 and assigned a CVSS score of 10.0. The flaw combined misused service-to-service (S2S) actor tokens issued by the Access Control Service (ACS) with a validation gap in the legacy Azure AD Graph API that enabled cross-tenant impersonation, including Global Administrators. Microsoft released a fix on July 17, 2025 and said no customer action is required; there is no indication the issue was exploited in the wild. Security firms warned the vulnerability could bypass MFA, Conditional Access and logging, potentially enabling full tenant compromise.

Microsoft Takedown Disrupts RaccoonO365 Phishing Service

🛡️ Microsoft's Digital Crimes Unit has seized 338 domains to dismantle the Phishing‑as‑a‑Service platform RaccoonO365, which enabled low‑skilled actors to deploy convincing Microsoft login pages. The DCU reports the service compromised more than 5,000 accounts across 94 countries since July 2024 and could bypass MFA to maintain persistent access. Operators marketed AI enhancements to scale attacks and collected at least $100,000 in cryptocurrency, prompting legal action to disrupt the infrastructure and seize control of the platform.

CrowdStrike Advances Next-Gen Identity Security Innovations

🔐 CrowdStrike announced three enhancements to Falcon Next‑Gen Identity Security: FalconID, expanded privileged access controls, and identity‑driven case management. FalconID delivers FIDO2-based, phishing-resistant passwordless MFA via the Falcon for Mobile app, combining Bluetooth proximity checks with contextual telemetry to block credential phishing, MFA fatigue, and session hijacking. Privileged access updates add just-in-time workflows, Microsoft Teams request/revoke, Fusion SOAR automation, and hybrid coverage including local systems (early access). Identity-driven case management integrates identity detections into Falcon Next‑Gen SIEM and automates analyst response (generally available).

From Prevention to Rapid Response: The New CISO Era

🔒 CISOs are shifting from an all-or-nothing prevention model to a containment-first strategy that assumes breaches will occur. Organizations are investing in sharper visibility, automation and precise network segmentation to stop lateral movement and reduce blast radius. Modern zero trust implementations enforce context-aware, least-privilege access across hybrid environments, enabling faster detection and automated response while preserving user experience. In sectors such as fintech, CISOs must also balance strong background security with seamless interfaces and user education to sustain trust.

Browser-Based Attacks: Six Threats Security Teams Must Know

🔒 Browser-targeted attacks are rising as adversaries treat the browser as the primary access point to cloud services and corporate data. The article defines browser-based attacks and enumerates six high-risk techniques: credential and session phishing, ClickFix-style copy-and-paste exploits, malicious OAuth consent flows, rogue extensions, malicious file delivery, and credential reuse where MFA gaps exist. These vectors are effective because modern work happens in decentralized SaaS environments and across many delivery channels, making traditional email- and network-centric defenses less reliable. The piece highlights visibility gaps for security teams and points to vendor platforms such as Push Security that claim to provide in-browser detection and remediation for AiTM phishing, OAuth abuse, and session hijacking.

VoidProxy PhaaS Uses AitM to Target Microsoft, Google

🔒 VoidProxy is a newly observed phishing-as-a-service platform that leverages adversary-in-the-middle techniques to capture credentials, MFA codes, and session cookies from Microsoft 365 and Google accounts. Discovered by Okta Threat Intelligence, the service routes victims through shortened links and disposable domains protected by Cloudflare, serving CAPTCHAs and realistic login pages to selected targets. When credentials are entered, VoidProxy proxies requests to the real providers, records MFA responses, and extracts session cookies which are exposed in the platform admin panel for immediate abuse.

Akira Ransomware Reuses Critical SonicWall SSLVPN Bug

🔒 The Akira ransomware gang is actively exploiting CVE-2024-40766 to target unpatched SonicWall SSL VPN endpoints and gain unauthorized network access. SonicWall released a patch in August 2024 and warned that exposed credentials could allow attackers to configure MFA or TOTP and bypass protections. Administrators should apply the vendor update, rotate local SSLVPN passwords, enforce MFA, mitigate Default Group risks, and restrict Virtual Office Portal access.

Akira Exploits SonicWall SSL VPN Flaw and LDAP Settings

🔒 Rapid7 and SonicWall report a surge in intrusions tied to the Akira ransomware group exploiting a year-old SSL VPN vulnerability, CVE-2024-40766 (CVSS 9.3), and LDAP misconfigurations that retained local passwords during migrations. Attackers are brute-forcing credentials, abusing SonicWall's Virtual Office defaults to enable mMFA/TOTP, and using loaders like Bumblebee to deploy AdaptixC2 and persistent tools. SonicWall urges rotating local accounts, enabling Botnet Filtering and Account Lockout, enforcing MFA, restricting Virtual Office access, and reviewing LDAP default groups.

How Cybercriminals Bypass Logins Using Stolen Credentials

🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.

Salty2FA Phishing Framework Evades MFA Using Turnstile

🔒 A newly identified phishing-as-a-service called Salty2FA is being used in campaigns that bypass multi-factor authentication by intercepting verification flows and abusing trusted services like Cloudflare Turnstile. Ontinue researchers report the kit uses subdomain rotation, domain-pairing, geo-blocking and dynamic corporate branding to make credential pages appear legitimate. The framework simulates SMS, authenticator apps, push approvals and even hardware-token prompts, routing victims through Turnstile gates to filter automated analysis before harvesting credentials.

Social-Engineered Help Desk Breach Costs Clorox $380M

🔐 Attackers affiliated with the Scattered Spider group exploited weak vendor phone procedures to obtain repeated password and MFA resets from Cognizant’s service desk, then used the access to escalate to domain-admin footholds at Clorox. Clorox says the intrusion caused roughly $380 million in damages, including remediation and extended business-interruption losses. The case highlights failure to follow agreed verification processes and the amplified risk of outsourced help desks. Organizations should enforce out-of-band caller verification, immutable reset logs, and automated containment to reduce the attacker window.

Salty2FA Phishing Kit Undermines Confidence in MFA

🔐 A newly uncovered phishing campaign uses the Salty2FA phishing‑as‑a‑service kit to bypass multi‑factor authentication by intercepting verification methods, rotating unique subdomains and hiding behind Cloudflare Turnstile gates that filter automated analysis. Ontinue found the kit simulates SMS, authenticator apps, push prompts and hardware tokens while dynamically applying corporate branding to match victims' email domains. Industry experts characterize this as a more mature, evasive form of phishing and recommend phishing‑resistant authentication, runtime inspection and continuous user training.

Axios User Agent Enables Mass Automated Phishing Campaigns

🔍 ReliaQuest reports a sharp rise in automated phishing campaigns leveraging the Axios user agent and Microsoft's Direct Send feature, observing a 241% increase between June and August 2025. Attacks using Axios represented 24% of malicious user-agent activity and had a 58% success rate versus 9% for other incidents. When paired with Direct Send, success rose to 70%, prompting guidance to restrict Direct Send, enforce anti-spoofing, scan inbound messages for QR codes/URLs/PDFs, train users including executives, and block uncommon TLDs.

Plex Urges Password Resets After Customer Data Breach

🔒 Plex reports an unauthorized third party accessed a limited subset of customer authentication data, including email addresses, usernames, and securely hashed passwords. The company says it quickly contained the incident and that no payment card information was stored on its servers. Because Plex did not disclose the hashing algorithm used, it recommends users reset their passwords, enable two‑factor authentication, and use the “Sign out connected devices after password change” option to terminate active sessions. Plex reminded customers it will never request passwords or card details by email.

Stopping Ransomware Before It Starts: Pre-Ransomware Insights

🔒Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.

Microsoft Enforces MFA for Azure Portal Sign-ins Globally

🔐 Microsoft has completed a global rollout enforcing multifactor authentication (MFA) for Azure Portal sign-ins across 100% of tenants as of March 2025. The rollout follows an initial enforcement announcement in May 2024 and prior warnings to Entra global admins to enable MFA to avoid access disruptions. Microsoft says this step strengthens account defenses and will be followed by mandatory MFA for Azure CLI, PowerShell, SDKs, and APIs in October 2025. The company cites internal research showing MFA dramatically reduces account takeover risk.

Azure Phase 2: Mandatory MFA for Resource Management

🔒 Microsoft is starting Phase 2 of mandatory multi-factor authentication for Azure resource management operations on October 1, 2025. Enforcement at the Azure Resource Manager layer will be applied gradually via Azure Policy, requiring users to complete MFA before performing management actions. Workload identities (managed identities and service principals) are not affected. Administrators should enable MFA, test policy in audit mode, and ensure Azure CLI 2.76 and Azure PowerShell 14.3 or later are in use for best compatibility.

Latest Social Engineering Trends Targeting Enterprises

🛡️Social engineering remains the favoured vector as attackers combine psychological manipulation with accessible AI tools to target high-value corporate roles. Recent incidents show sophisticated pretexting, voice cloning and mass email flooding used to create urgency and extract funds or credentials. Fraudsters increasingly exploit collaboration platforms such as Microsoft Teams and legitimate utilities like Quick Assist to appear trustworthy and gain remote control. Organizations should harden collaboration settings, enforce conditional access and MFA, and reduce privilege scope to limit the blast radius of any compromise.

Sharp Rise in Cyberattacks on German Education Sector

🔒 Researchers at Check Point report a 56% year-over-year increase in cyberattacks against German educational institutions as the new school year begins, well above the global average. Analysts observed targeted phishing campaigns, including an August 2025 scheme that redirected victims to fake university and Outlook login pages to harvest credentials. To mitigate risk, experts recommend targeted phishing awareness training, mandatory multi-factor authentication (MFA), early detection of suspicious domains, regular system updates and deployment of modern threat-prevention solutions as part of a preventive, multi-layered security strategy.