Silent and undetectable initial access is the cornerstone of a cyberattack. MFA is there to stop unauthorized access, but attackers are constantly evolving.

A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections.
#ADFS #Account #Computer #InfoSec #Lateral #MFA #Microsoft #Notification #Phishing #Push #Security #Takeover

Oasis Security's research team uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching.

The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords. Launched in…

Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.

Multi-factor authentication makes you, your company and your cloud investments safer

Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accoun...

Valve has added a new security layer for developers who publish their games on Steam after a few had their accounts hacked.

Due to a recent Google change, MFA isn't truly MFA.

Google's app for generating MFA codes syncs to user accounts by default. Who knew?

Help desk staff duped into resetting MFA on Okta super admin accounts, allowing threat actors to move laterally across targeted organizations.

Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials.

Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. On some sources the alternative name is Moloch, which has some connection to a phishing-kit developed by several notable underground actors who targeted the financial institutions and e-commerce sector before.

A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA).

Campaign that steals email has targeted at least 10,000 organizations since September.

A new study by Juniper Research has found operators will generate $27 billion from the termination of SMS messages related to multi-factor authentication in 2022; an increase from $25 billion in 2021. The research predicts this 5% growth will be driven by increased pressure on digital service providers to offer secure authentication that reduces risk of data breaches and protects user identity. Multi-factor authentication combines multiple credentials to verify a user or transaction. This includes sending an SMS that contains a one‑time password or code to a user’s unique phone number.

Not all MFA is created equal, as script kiddies and elite hackers have shown recently.