Last updated: July 5, 2026 at 9:01 AM UTC
Tag: mfa-bypass (11 articles)

Umbrij malware steals Google OAuth tokens through a hidden browser to read Gmail

Kaspersky detailed Umbrij, a new tool from the ToddyCat espionage group that steals access to corporate Gmail without ever taking a password. Delivered on Windows through DLL side-loading via trusted signed programs, Umbrij copies the victim's already-signed-in browser profile, launches a hidden Chromium with remote debugging, and drives it through Google's OAuth flow while impersonating legitimate Google Workspace sync apps. Because the copied profile is already authenticated, Google issues an authorization code that is exchanged for an access token, giving the attackers API access to Gmail, Drive, Calendar, and more, and sidestepping both the password and multi-factor authentication. The technique shows how stealing OAuth tokens can quietly bypass account protections.

Check
Audit which third-party apps and OAuth grants have access to your Google Workspace accounts, and watch endpoints for browsers launched with headless and remote-debugging flags outside dedicated test systems.
Affected
Organizations using Google Workspace or Gmail for business; by hijacking an already-signed-in browser profile and the OAuth flow, attackers gain token-based access to email and files without a password or MFA prompt.
Fix
Regularly review and revoke unnecessary OAuth app access to Google accounts, monitor for suspicious DLL side-loading and headless browser debugging, restrict remote-debugging use, and alert on unusual Google API access.

Azure CLI password spray compromises 78 Microsoft accounts by bypassing MFA

Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.

Check
Review whether your multi-factor authentication and Conditional Access policies cover every sign-in path, including the Azure CLI and token-endpoint flows, not just web portals and admin accounts, and hunt for password-spray bursts.
Affected
Microsoft 365 organizations with weak or reused passwords, incomplete MFA, or Conditional Access gaps; attackers use a credential flow that skips interactive MFA to break in through the Azure CLI.
Fix
Enforce phishing-resistant MFA across all users, apps, and authentication flows, block legacy and password-based credential grants, apply Conditional Access to CLI access, and monitor sign-in logs for spray patterns and suspicious networks.

Bluekit phishing service adds browser-in-the-middle to steal logins and sessions

The Bluekit phishing-as-a-service platform has added a browser-in-the-middle technique that streams a real login page's contents to the victim over a WebSocket, capturing not just passwords but session cookies that let attackers bypass multi-factor authentication. Netcraft reports nearly 70 new Bluekit hostnames in the past week. The kit, which markets dozens of templates for services like Outlook, Gmail, GitHub, and crypto wallets and includes an AI assistant built on a safety-stripped open-weight model, layers on heavy evasion: randomized page styling to defeat screenshot detection, frequently rotating obfuscated code, custom CAPTCHAs, browser fingerprinting, and detection of proxies and security crawlers. Operators can watch victims in real time as they log in.

Check
Hunt for the Bluekit signals Netcraft lists, including randomized CSS filters on top-level elements, periodically rotated obfuscated JavaScript, and WebSocket traffic carrying encrypted data on login pages, across email and proxy logs.
Affected
Users of widely targeted services like Outlook, Gmail, GitHub, and crypto wallets; stolen session cookies let attackers replay authenticated sessions and bypass multi-factor authentication entirely.
Fix
Move to phishing-resistant, hardware-backed authentication like passkeys or FIDO2 keys, which resist session-theft phishing, shorten session lifetimes, monitor for anomalous session reuse, and train staff on login-page verification.

SonicWall Gen6 SSL-VPN MFA bypass (CVE-2024-12802) actively exploited - firmware patch alone insufficient, LDAP reconfiguration required

ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.

Check
Inventory SonicWall Gen6 SSL-VPN appliances and confirm the LDAP reconfiguration was done after the firmware patch. Search VPN logs for 30-60 minute logins from new IPs in the last 90 days.
Affected
SonicWall Gen6 SSL-VPN devices running patched firmware but with LDAP still configured to use userPrincipalName in the 'Qualified login name' field. Gen7 and Gen8 are patched by firmware alone.
Fix
On Gen6: delete the existing LDAP config, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, then rebuild LDAP without userPrincipalName per SonicWall's advisory.

Tycoon2FA pivots to OAuth device-code phishing - lures Microsoft 365 users to legitimate microsoft.com/devicelogin

The Tycoon 2FA phishing-as-a-service kit, which Microsoft, Europol, Cloudflare and others tried to dismantle in March 2026, is back and has switched tactics. Instead of relaying credentials and MFA codes through a fake login page, operators now send victims to Microsoft's legitimate device-login page at microsoft.com/devicelogin and ask them to enter a code from the lure email. That single consent grants the attacker OAuth tokens for the victim's Exchange Online, OneDrive, and SharePoint through Microsoft's own Authentication Broker app, so it looks normal in Entra logs. eSentire spotted the late-April campaign and published IoCs, including AS45102 (Alibaba Cloud) operator infrastructure.

Check
Search Entra sign-in logs for Microsoft Authentication Broker consents (AppId 29d9ed98-a469-4536-ade2-f981bc1d605e) from unfamiliar IPs, especially AS45102 (Alibaba Cloud) with node/undici user agents.
Affected
Microsoft 365 tenants without Conditional Access policies restricting the OAuth Device Authorization Grant flow. The initial lure abuses legitimate Trustifi click-tracking URLs.
Fix
Block the Device Code Flow in Conditional Access for users who do not need it (most knowledge workers do not). Review eSentire IoCs and revoke matching sessions and refresh tokens.

Iranian hackers used Microsoft Teams chat to social-engineer victims, then dressed up their espionage as a Chaos ransomware attack to throw off blame

Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.

Check
Search Microsoft Teams logs for external chat invitations from unknown Entra tenants since January. Hunt endpoints for DWAgent, AnyDesk, ms_upd.exe, or Game.exe processes installed without IT approval.
Affected
Organizations allowing external Microsoft Teams chats by default - the campaign starts with chat invitations from attacker-controlled tenants. Acute risk for sectors MuddyWater historically targets: government, defense, telecoms, energy, and Israeli organizations. The 'IT Support' impersonation pattern works against any helpdesk-heavy enterprise. Iranian APT activity has been increasing through early 2026.
Fix
Restrict external Microsoft Teams chat to allowlisted partner tenants only. Block external screen-sharing requests by default. Brief staff that real IT support never asks them to type passwords into local files or read out MFA codes during a Teams call. Block Rapid7's published Stagecomp/Darkcomp code-signing certificate at the EDR layer.

Microsoft says fake HR compliance emails fooled 35,000 people across 26 countries - phishing kit captured login tokens even with MFA enabled

Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.

Check
Search Exchange Online logs for emails between April 14-16 with subjects containing 'conduct policy' or 'awareness case log.' Hunt sign-in logs for OAuth grants from acceptable-use-policy-calendly.de or compliance-protectionoutlook.de.
Affected
Microsoft 365 / Entra ID tenants with users on traditional MFA (push, SMS, TOTP). AiTM bypasses any non-phishing-resistant MFA factor - only FIDO2 hardware keys and Windows Hello are immune. US users in healthcare, life sciences, financial services, and professional services are at acute risk based on Microsoft's targeting data.
Fix
Migrate users to phishing-resistant MFA (FIDO2 hardware keys, Windows Hello, passkeys) for all accounts. Enable Conditional Access policies that require token binding for high-privilege accounts. Turn on Zero-hour auto purge in Defender for Office 365 to retroactively quarantine campaign emails. Revoke session tokens for any user who visited a fake sign-in page.

New 'ConsentFix v3' attack lets criminals take over Microsoft 365 accounts even when MFA and passkeys are turned on

Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.

Check
Brief any Microsoft 365 admin or developer that any 'verification step' that asks them to paste a URL containing 'localhost' into a webpage is hostile, no matter how legitimate the page looks.
Affected
Any Microsoft 365 / Entra ID tenant. The attack bypasses MFA, passkeys, and most Conditional Access policies by abusing pre-consented Microsoft first-party apps. Acute risk for organizations whose admins, developers, or DevOps engineers regularly use Azure CLI - those users won't suspect a fake Azure CLI authorization page. Cloudflare Pages and Pipedream both look legitimate in network telemetry.
Fix
Apply token binding to trusted devices and require Conditional Access for first-party Microsoft apps where possible. Hunt Azure sign-in logs for Azure CLI authentications from unfamiliar IPs, especially against accounts that don't normally use it. Train developers to verify out-of-band any 'verification step' that asks them to paste URLs into a webpage. Use app authentication restrictions to limit which first-party apps can issue refresh tokens.

FBI and Indonesian police dismantle W3LL phishing platform that powered business email compromise attacks worldwide

The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.

Check
Review your Microsoft 365 security configuration. W3LL's kit was specifically designed to bypass standard MFA on M365 - organizations relying solely on push notification or SMS-based MFA for M365 were the primary targets.
Affected
Organizations using Microsoft 365 with standard MFA (push notifications, SMS codes, or authenticator app approval prompts). W3LL's AiTM technique proxied real login pages to intercept session tokens after MFA completion.
Fix
Deploy phishing-resistant MFA for Microsoft 365 - FIDO2 security keys or Windows Hello for Business are resistant to AiTM attacks. Enable conditional access policies that evaluate sign-in risk, device compliance, and location. Monitor for suspicious mailbox rules (forwarding, deletion rules) which are the first post-compromise action in BEC campaigns. The W3LL takedown disrupts one platform, but the AiTM phishing technique is now widely adopted by other kits.

EvilTokens phishing kit commoditizes Microsoft device code attacks for business email compromise

A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.

Check
Review your Microsoft Entra ID logs for unusual device code authentication flows, especially from unfamiliar locations or devices.
Affected
Any organization using Microsoft 365 with users who may click on phishing emails disguised as document-sharing notifications.
Fix
Restrict or disable the device code authentication flow in Microsoft Entra ID conditional access policies if your organization doesn't need it. Deploy phishing-resistant MFA (FIDO2 hardware keys). Train finance, HR, and sales teams to recognize fake document verification pages. Monitor for anomalous token grants in Entra ID sign-in logs.