Kaspersky detailed Umbrij, a new tool from the ToddyCat espionage group that steals access to corporate Gmail without ever taking a password. Delivered on Windows through DLL side-loading via trusted signed programs, Umbrij copies the victim's already-signed-in browser profile, launches a hidden Chromium with remote debugging, and drives it through Google's OAuth flow while impersonating legitimate Google Workspace sync apps. Because the copied profile is already authenticated, Google issues an authorization code that is exchanged for an access token, giving the attackers API access to Gmail, Drive, Calendar, and more, and sidestepping both the password and multi-factor authentication. The technique shows how stealing OAuth tokens can quietly bypass account protections.
Huntress is tracking a large automated password-spray campaign against Microsoft 365 that has made more than 81 million login attempts through the Azure CLI in two weeks and broken into 78 accounts across 64 organizations. The attackers replay old username and password pairs from breach data against an authentication flow that sends credentials straight to the token endpoint without triggering interactive multi-factor authentication, so weak or reused passwords give them direct access. Several victims had MFA, but it was scoped only to admins, only to certain apps, or only to untrusted locations, and so did not cover this path. The traffic comes from infrastructure whose address ranges trace back to China.
The Bluekit phishing-as-a-service platform has added a browser-in-the-middle technique that streams a real login page's contents to the victim over a WebSocket, capturing not just passwords but session cookies that let attackers bypass multi-factor authentication. Netcraft reports nearly 70 new Bluekit hostnames in the past week. The kit, which markets dozens of templates for services like Outlook, Gmail, GitHub, and crypto wallets and includes an AI assistant built on a safety-stripped open-weight model, layers on heavy evasion: randomized page styling to defeat screenshot detection, frequently rotating obfuscated code, custom CAPTCHAs, browser fingerprinting, and detection of proxies and security crawlers. Operators can watch victims in real time as they log in.
ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.
The Tycoon 2FA phishing-as-a-service kit, which Microsoft, Europol, Cloudflare and others tried to dismantle in March 2026, is back and has switched tactics. Instead of relaying credentials and MFA codes through a fake login page, operators now send victims to Microsoft's legitimate device-login page at microsoft.com/devicelogin and ask them to enter a code from the lure email. That single consent grants the attacker OAuth tokens for the victim's Exchange Online, OneDrive, and SharePoint through Microsoft's own Authentication Broker app, so it looks normal in Entra logs. eSentire spotted the late-April campaign and published IoCs, including AS45102 (Alibaba Cloud) operator infrastructure.
Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.
Microsoft disclosed Monday that a phishing campaign between April 14 and 16 hit 35,000+ users across 13,000+ organizations in 26 countries (92% in the US). Lures impersonated internal HR with subjects like 'Internal case log issued under conduct policy.' Each email had a PDF attachment with a 'Review Case Materials' link that walked victims through Cloudflare CAPTCHAs and a final adversary-in-the-middle (AiTM) Microsoft sign-in page. AiTM proxies the real Microsoft login and captures session tokens after MFA - so traditional MFA is bypassed. Healthcare (19%), financial services (18%), and professional services (11%) were the most-targeted sectors.
Push Security disclosed ConsentFix v3, a new attack that lets criminals take over Microsoft 365 accounts even if the victim has MFA and phishing-resistant passkeys turned on. The trick: instead of stealing a password, the attacker tricks the user into pasting a Microsoft authorization URL into a phishing page during what looks like a routine login. That URL contains a one-time code that the attacker exchanges for permanent access tokens. v3 automates the whole attack with Cloudflare Pages phishing sites, Pipedream webhook automation, and tenant fingerprinting that customizes the lure to each target organization's branding.
The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL global phishing platform and arrested its alleged developer. W3LL sold a sophisticated phishing kit designed specifically for bypassing multi-factor authentication on Microsoft 365 accounts using adversary-in-the-middle (AiTM) techniques. The platform operated as a phishing-as-a-service ecosystem with its own marketplace, support channels, and licensing model, enabling thousands of business email compromise campaigns targeting corporate Microsoft 365 environments. This is described as the first coordinated international law enforcement action against this platform. Group-IB previously estimated W3LL's tools had been used to compromise over 8,000 Microsoft 365 business accounts.
A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.