Tag: MFA Bypass
-

The Hydra of Phishing: How Tycoon2FA Resurrected Its Empire Days After a Global Takedown
An endeavor to dismantle a ubiquitous platform dedicated to account theft yielded but an ephemeral triumph. A mere span of days following a coordinated law enforcement intervention, the Tycoon2FA service resumed its operations with an efficacy rivaling its former prime. On the fourth of March, 2026, Europol heralded the technical severance of the infrastructure underpinning…
-

The Fall of a Phishing Giant: How International Law Enforcement Crushed the Tycoon 2FA Empire
An international law enforcement operation has successfully dismantled Tycoon 2FA, one of the most formidable phishing-as-a-service platforms in existence. Operating upon a subscription-based paradigm, this clandestine service empowered malicious actors to execute indiscriminate, large-scale campaigns engineered to intercept sensitive credentials and multifactor authentication codes. According to intelligence promulgated by Europol, the platform’s infrastructure was weaponized…
-

The Mirror Trap: How the “Starkiller” Phishing Kit Proxies Real Sites to Neutralize MFA
A sophisticated new phishing instrument dubbed Starkiller has emerged within clandestine marketplaces, fundamentally altering the mechanics of credential theft. Rather than meticulously crafting fraudulent login portals, adversaries are leveraging authentic websites, broadcasting them in real-time via their own infrastructure. This methodology facilitates the interception of usernames, passwords, and one-time passcodes, thereby circumventing multi-factor authentication (MFA)…
-

The Forensic Backfire: How Hackers Weaponized a Legacy EnCase Driver to Decapitate Modern EDR
Adversaries are increasingly inaugurating their offensives not with conventional malware, but by subverting legitimate remote access credentials. A recent incursion, meticulously analyzed by Huntress, highlights a disconcerting trend: after infiltrating a network via SonicWall hardware, the antagonists attempted to systematically “blind” nearly every extant security measure before proceeding to their subsequent objectives. The assault, which…
-

MFA Under Siege: Microsoft Unveils Stealthy AiTM Attacks Striking the Energy Sector
Microsoft has disclosed a sophisticated sequence of multi-stage incursions leveraging Adversary-in-the-Middle (AiTM) session hijacking in tandem with Business Email Compromise (BEC) methodologies. The offensive specifically targeted entities within the energy sector, with adversaries weaponizing SharePoint as a primary vector for the dissemination of deleterious links and the subsequent entrenchment within compromised environments. The inaugural phase…
-

The Square Trap: FBI Warns of North Korean “Quishing” Campaigns
North Korean cyber adversaries have intensified their deployment of QR codes to facilitate credential exfiltration and circumvent enterprise security perimeters. The FBI has issued a formal warning, attributing this nascent stratagem to the Kimsuky threat collective, which U.S. intelligence agencies identify as an affiliate of the Democratic People’s Republic of Korea (DPRK). This tactical evolution…
-

The Insider Threat: How Tycoon 2FA Bypasses Microsoft 365 MFA via Spoofing
Occasionally, the most perilous phishing missives appear as though they were dispatched by a colleague in the adjacent office. This is precisely the strategy currently favored by adversaries who have mastered the art of circumventing security protocols within specific Microsoft 365 mail configurations, enabling them to disseminate emails that appear internal and bear the organization’s…
-

MFA Under Siege: The Rise of BlackForce, the Sophisticated “Live” Phishing Kit Targeting 11+ Global Brands
Since early August 2025, Zscaler researchers have been tracking the spread of a new phishing kit known as BlackForce. Within a short period, at least five distinct versions of the tool have been identified. BlackForce combines credential theft with Man-in-the-Browser attacks, enabling real-time bypass of two-factor authentication. The kit is sold on Telegram for €200–300…
-

The MFA Killer: How One Programmer’s Tool Became a $100M Cybercrime Weapon
Kuba Gretzky originally sought to make the internet a safer place — yet his creation achieved the opposite. In 2017, the Polish programmer developed Evilginx, a tool designed to help Red Team professionals study phishing techniques and understand how attackers steal credentials. The idea was simple: to demonstrate how easily even multi-factor authentication could be…
-

Storm-2657 Hackers Steal University Salaries by Hijacking Workday HR Accounts
According to a new report from Microsoft Threat Intelligence, the financially motivated group Storm-2657 is conducting large-scale attacks against universities and private companies, using stolen employee credentials to redirect payroll funds into their own accounts. Experts have dubbed this type of operation “payroll piracy.” During the campaign, the attackers sought access to cloud-based HR platforms…
-

FIDO2 Bypass Uncovered: Hackers Exploit Cross-Device Authentication with QR Code Phishing
Cybercriminals affiliated with the group PoisonSeed have devised a method to circumvent FIDO2 protection—not by breaching the technology itself, but by cleverly exploiting one of its legitimate features: cross-device authentication. Through this technique, attackers trick victims into approving access themselves, under the false impression that they are logging into a corporate system. As revealed by…
-

DeviceCodePhishing: A New Automated Tool Bypasses MFA & FIDO for Azure Entra Users
DeviceCodePhishing is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This…
-

Urgent Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) Actively Exploited: MFA Bypass & Session Hijacking Threaten Enterprises
Security researchers have unveiled functional exploits targeting a critical vulnerability in Citrix NetScaler ADC and Gateway devices. Designated CVE-2025-5777, the flaw has been informally dubbed CitrixBleed2 — a pointed reference to the similarly severe 2023 vulnerability that was widely exploited in ransomware campaigns and attacks on government entities. This latest issue allows threat actors to…