aitm - TrustStrike Labs

threat

2026-05-04

Microsoft says fake HR compliance emails fooled 35,000 people across 26 countries - phishing kit captured login tokens even with MFA enabled

Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.

microsoft aitm phishing 35k-users 26-countries code-of-conduct tycoon-2fa captcha-gate mfa-bypass entra-id fido2 passkey-resistant

Check: Search Exchange Online logs for emails between April 14-16 with subjects containing 'conduct policy' or 'awareness case log.' Hunt sign-in logs for OAuth grants from acceptable-use-policy-calendly.de or compliance-protectionoutlook.de.
Affected: Microsoft 365 / Entra ID tenants with users on traditional MFA (push, SMS, TOTP). AiTM bypasses any non-phishing-resistant MFA factor - only FIDO2 hardware keys and Windows Hello are immune. US users in healthcare, life sciences, financial services, and professional services are at acute risk based on Microsoft's targeting data.
Fix: Migrate users to phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, passkeys) for all accounts. Enable Conditional Access policies that require token binding for high-privilege accounts. Turn on Zero-hour auto purge in Defender for Office 365 to retroactively quarantine campaign emails. Revoke session tokens for any user who visited a fake sign-in page.

threat

2026-05-01

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

cordial-spider snarky-spider crowdstrike mandiant unc6661 unc6671 shinyhunters vishing sso aitm saas-extortion the-com blackfile-overlap

Check: Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected: Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix: Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.

defense

2026-04-13

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

w3ll phishing microsoft-365 bec aitm mfa-bypass law-enforcement fbi

Check: Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected: Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix: Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.

threat

2026-03-27

TikTok for Business accounts targeted with AITM phishing that bypasses MFA

A new phishing campaign is hijacking TikTok for Business accounts using adversary-in-the-middle (AITM) reverse proxy pages - meaning it captures credentials, session cookies, and MFA codes in real time. Victims land on cloned TikTok or Google Careers pages after clicking links that redirect through legitimate Google Storage URLs. The real kicker: most users log in via Google SSO, so one compromise gives attackers both TikTok and Google accounts.

tiktok phishing aitm mfa-bypass google social-media

Check: Alert marketing and social media teams who manage TikTok Business accounts.
Affected: Any TikTok for Business account, especially those using Google SSO for login.
Fix: Use hardware security keys (FIDO2) instead of SMS/app-based MFA - AITM kits can't intercept them. Review TikTok account sessions for unauthorized access. Train staff to verify URLs before entering credentials.