home.social

#mfa-bypass — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #mfa-bypass, aggregated by home.social.

fetched live
  1. Helix Group Exploits SharePoint with Advanced Vishing Tactics

    Helix Group hackers are using clever voice phishing tactics, often impersonating managers, to trick victims into handing over account access. They use a simple yet effective playbook, starting with a convincing phone call that sets the stage for a device-code phishing scheme.

    osintsights.com/helix-group-ex

    #VoicePhishing #Vishing #DevicecodePhishing #MfaBypass #ThreatActors

  2. The Silent Breach and the Persistence of Unauthorized Access

    938 words, 5 minutes read time.

    Once the session token is successfully exfiltrated, the nature of the intrusion shifts from external deception to internal subversion. The attacker does not need to crack passwords or trigger further security alerts, as they are now effectively operating with the digital identity of a trusted employee. Analyzing these incidents, I see that the primary goal is often the establishment of persistence within the target environment, which is achieved through the modification of inbox rules or the creation of clandestine mailbox delegates. By silently forwarding incoming emails to an external address or creating hidden folders for sensitive correspondence, the adversary can monitor ongoing business deals, intercept financial instructions, and identify high-value targets for subsequent business email compromise attacks. This stage of the operation is characterized by extreme patience, as the threat actor avoids loud, disruptive actions in favor of a low-and-slow approach that can remain undetected for months. The tragedy is that the victim often remains entirely unaware of the breach, believing they are still securely authenticated while their environment is being methodically picked apart from the inside.

    Challenging the Failure of Traditional Defensive Postures

    When considering why these attacks continue to succeed with such alarming frequency, it becomes evident that the industry’s reliance on legacy defensive postures is a failing strategy. Many organizations still treat email security as a static barrier, implementing blacklists and rudimentary heuristic scans that are easily circumvented by adversaries who control their own infrastructure and rotating IP addresses. Furthermore, the human-centric nature of these scams renders technical controls inherently insufficient unless they are paired with a cultural shift toward skeptical verification. It is not enough to deploy an automated solution if the culture within a firm encourages speed over accuracy and ignores the red flags of irregular communication patterns. Consequently, the defense against these campaigns must evolve into a proactive, threat-hunting discipline that monitors for anomalous login locations, unexpected session durations, and unauthorized changes to account configurations. Without this layer of vigilant oversight, the technical barriers essentially act as a screen door, providing the illusion of protection while failing to stop the actual threat.

    Implementing Rigorous Verification Protocols in a High-Stakes Environment

    The path forward requires a departure from the convenience-first mindset that dominates modern digital work environments. Organizations must adopt hardware-backed authentication methods, such as FIDO2-compliant security keys, which are resistant to the proxy-based interception tactics that currently plague mobile-based push notifications and SMS codes. Additionally, the adoption of strict device posture checks ensures that an attacker cannot simply use a stolen session token from an unauthorized machine or an unrecognized geographic region. Beyond the hardware, there must be a fundamental hardening of organizational processes, such as implementing mandatory out-of-band verification for any request involving financial transfers or the sharing of sensitive credentials. It is a harsh reality that trust is the primary vulnerability in any system, and the most secure posture is one that treats every incoming request as potentially malicious until proven otherwise through independent channels. While this might introduce friction into the workflow, that friction is the necessary price of security in an age where the cost of a single successful breach is often the survival of the entity itself.

    Call to Action

    The time for passive observation has passed, as the threats currently infiltrating our inboxes are not waiting for an invitation to compromise your organization. You must decide whether to continue relying on outdated defensive protocols that offer only the illusion of safety or to begin the hard work of hardening your infrastructure against the reality of modern adversarial tactics. I urge you to conduct an immediate audit of your current authentication stack and evaluate the necessity of migrating to hardware-backed security keys, as this is the single most effective step you can take to neutralize the threat of proxy-based session hijacking. Furthermore, initiate a comprehensive review of your internal communication policies to ensure that your team is empowered to question anomalies rather than blindly following the path of least resistance. Security is not a product you purchase, but a discipline you practice, and the responsibility to bridge the gap between your existing defenses and the current threat reality rests entirely with you. Do not wait for a compromised session to force your hand, because by the time the impact of a breach is visible, the damage is already absolute.

    SUPPORTSUBSCRIBECONTACT ME

    D. Bryan King

    Sources

    Disclaimer:

    The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

    Related Posts

    Rate this:

    #accountTakeover #adversaryInTheMiddle #AiTM #ATO #authenticationProtocols #BEC #businessEmailCompromise #corporatePhishing #corporateSecurity #credentialHarvesting #cyberResilience #cyberThreatIntelligence #cyberWarfare #cybersecurity #cybersecurityBestPractices #dataBreachPrevention #digitalFraud #digitalIdentity #emailScams #emailSecurity #emailThreats #enterpriseSecurity #FIDO2 #hardwareSecurity #identityTheftProtection #incidentResponse #informationSecurity #infosec #maliciousInfrastructure #MFABypass #multiFactorAuthentication #networkDefense #onlineSafety #passwordless #phishingAttacks #phishingAwareness #phishingKits #phishingResistantAuthentication #riskManagement #secureAuthentication #securityAudit #securityCulture #securityHardening #securityKeys #sessionTokenTheft #socialEngineering #threatDetection #threatLandscape #zeroTrust
  3. Iran-Linked APT Exploits Ransomware Disguise for Espionage

    MuddyWater, an Iran-linked APT group, has been caught exploiting a ransomware disguise to secretly infiltrate systems, using interactive tactics to harvest credentials and gain internal access. By masquerading as a Chaos ransomware affiliate, the group aimed to throw off detectives and cover its espionage tracks.

    osintsights.com/iran-linked-ap

    #Muddywater #Apt #Iran #MfaBypass #Ransomware

  4. 🚨 JokerOTP PhaaS Seller Arrested - Netherlands

    A coordinated law enforcement operation has resulted in the arrest of a suspected JokerOTP access seller. The platform enabled automated OTP interception via synchronized login attempts and vishing bots.

    Impact:
    • $10M in financial damage
    • 28,000+ attacks
    • 13 countries affected
    • High-value targets: PayPal, Coinbase, Amazon, Apple

    This incident underscores the operational reality: MFA bypass increasingly exploits the human layer rather than technical vulnerabilities.

    Are phishing-resistant authentication methods becoming mandatory rather than optional?
    Engage below with your defensive strategy insights.

    Source: bleepingcomputer.com/news/secu

    Follow @technadu for ongoing threat intelligence and global cybercrime updates.

    #InfoSec #ThreatIntelligence #PhishingDefense #MFABypass #CyberCrime #SecurityOperations #FraudPrevention #TechNadu

  5. ⚠️ Cyber threat: “Cookie Bite” attack hijacks Microsoft 365 — no malware required. Researchers uncovered a new attack that abuses Azure Entra ID auth cookies (ESTSAUTH + ESTSAUTHPERSISTENT) to:
    🍪 Hijack sessions in Outlook, Teams, and more
    🚫 Bypass MFA
    📥 Avoid traditional endpoint detection
    🧩 Spread via malicious browser extensions

    🛡️ Organizations must:
    🔐 Audit browser extension permissions
    📊 Monitor for persistent cloud session abuse
    🧠 Train users to avoid risky browser behaviors

    Invisible. Persistent. And just one stolen cookie away.

    #CyberSecurity #Microsoft365 #MFABypass #EntraID #ThreatIntel #security #privacy #cloud #infosec
    darkreading.com/remote-workfor

  6. It's been a heck of a week, with tonnes of great research and tooling that I'm sure you're going to get a kick out of - check out our wrap-up for all the news!:

    opalsec.substack.com/p/soc-gou

    Kaspersky researchers shone a light on the Dark Web trade in Google Play Loaders - a service to help inject malware into legitimate, and supposedly vetted apps, with guarantees of >1 week up-time and the option to boost your spread with targeted Ads.

    #Nokoyawa ransomware have clearly got some talent on their team, having abused a #CLFS 0-day prior to Microsoft patching it last week - one of 5 different exploits they've used, mind you - and they appear to have a new, distinct ransomware strain in rotation, too.

    There's heaps more great threat reporting, including a report that #FIN7 and former #Conti (#FIN12/#WizardSpider) members are collaborating on a new backdoor, and a crypto-mining campaign that may be the canary in the coal mine, indicating broader uptake of BYOVD and IPFS by low-level operators.

    The #QueueJumper vulnerability from last week looks primed to explode in coming days, with a no-fix vulnerability in Microsoft Intune capping off a lousy week for Windows admins struggling to keep their networks secure.

    TOOLING. Ooooh boy, this was a good week for tooling and tradecraft, ladies and gentlemen.

    The #redteam have a new port of the SharpHound AD enumeration tool for Cobalt Strike; a great reference piece on leveraging stolen Office tokens to bypass MFA and access cloud workloads, and a list of keywords to avoid when crafting stealthy PowerShell scripts.

    The #blueteam have a script to help tweak VM settings to circumvent malware anti-analysis checks; Procmon for macOS, and a lightweight bastion host to help redirect and record traffic sent to honeypots in your network.

    This was a fun one to write up, with heaps of interesting reads and takeaways to be had. Get amongst it!

    opalsec.substack.com/p/soc-gou

    #infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #darkweb #microsoft #azure #mfa #mfabypass #cobaltstrike #bloodhound #sharphound #byovd #ipfs #intune #GooglePlay #Android #zeroday #0day