Threat Intelligence

New Phishing Attack Bypasses Microsoft 365 Accounts 2FA Protection

Key Insights

A new phishing scam called Sneaky 2FA is targeting Microsoft 365 users. It tricks you into entering your login details on a fake Microsoft login page, and even if you have two-factor authentication (2FA) set up, the attackers can bypass it and take over your account.

Who should read this?

  • Microsoft 365 users – If you use Microsoft 365, you’re a potential target.
  • Organizations – If your company relies on online accounts, cloud services, or email for day-to-day operations, you need to be aware of this 2FA bypass threat, which can compromise even well-secured accounts.
  • Anyone using online accounts with 2FA – The technique isn’t limited to Microsoft; it can be used against other services, even when 2FA is enabled.

How does it work?

Cyber criminals send fake emails that look like important messages, such as a payment receipt. The link in the email leads to a fake Microsoft login page. If you enter your login details there, the attackers steal them. Because the fake page forwards your credentials and 2FA code to the real Microsoft login, the attackers also capture the session cookie that Microsoft issues once you are signed in; replaying that cookie gives them access to your account without needing a security code of their own. The scam works the same way for individual users and organizations.

What’s the risk?

For organizations

  • Account compromise – Attackers can access your Microsoft 365 account and misuse it.
  • Sensitive data exposure – If your account holds sensitive business or customer data, it could be exposed to attackers.
  • Financial loss – If your account is linked to payment methods, attackers can use it for fraud.
  • Reputation damage – Your business could lose customer trust if fraud is carried out using your account.

For individual users

  • Stolen login information – If attackers get your login credentials, they can access your accounts.
  • Identity theft – Attackers could steal your personal details, use them to access other accounts, or commit fraud.

How to stay safe?

For individual users

  1. Be cautious of suspicious links – Avoid clicking on links in emails unless you’re sure they’re from trusted sources.
  2. Double-check website URLs – Always make sure you’re on the official website before entering login details.
  3. Use strong and unique passwords – Avoid reusing passwords across different accounts. Ensure each password is strong and unique. A password manager can help you keep track of them.
  4. Enable MFA – Use multi-factor authentication for extra security. If possible, opt for more secure options like hardware security keys or authentication apps instead of SMS-based 2FA. Keep in mind that any code you type (from SMS or an app) can be relayed through a fake login page like this one; hardware security keys and passkeys are bound to the genuine site and cannot be.

For organizations

  1. Implement access controls – Make sure only authorized personnel can access sensitive accounts.
  2. Use MFA – Use Multi-Factor Authentication (MFA). Prefer phishing-resistant methods such as hardware security keys or passkeys, which are bound to the genuine site and cannot be relayed through a fake login page; apps like Google Authenticator are better than SMS, but their codes can still be forwarded by an attack of this kind.
  3. Monitor account activity – Regularly review sign-in logs for logins from unfamiliar locations or devices, for a session that continues from a different address than the one it was created on, and for unexpected changes such as new mailbox rules or newly registered MFA methods.
  4. Consider using a password manager – A password manager helps store and organize strong, unique passwords securely, reducing the risk of password reuse or weak passwords being exploited.
  5. Educate employees about phishing – Train staff to recognize different phishing emails and avoid clicking on suspicious links.
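The session-cookie theft described under “How does it work?” and the monitoring advice in step 3 can be turned into a concrete check. The following is an added example, not code from the advisory or from Microsoft: it scans constructed sign-in records (loosely modelled on Entra ID sign-in log fields; the field names and sample values are assumptions) and flags any session that is used from more than one IP address.

```python
"""Detect a stolen Microsoft 365 session cookie being replayed.

A session created (with MFA) from one IP address and later used from a
different one is the hallmark of the cookie theft described above.
Added example, not from the advisory; records are constructed and only
loosely modelled on Entra ID sign-in log fields."""
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not real log data).
# 'mfa' notes whether the user answered a challenge ("interactive") or the
# requirement was satisfied by a claim in an existing token ("token_claim").
SIGNINS = [
    # alice signs in with MFA through the phishing proxy; her cookie is captured
    {"user": "alice@example.com", "session": "s-111", "ip": "203.0.113.10",
     "time": "2025-01-20T09:00:00Z", "mfa": "interactive"},
    # ...and the same session is replayed 25 minutes later from elsewhere
    {"user": "alice@example.com", "session": "s-111", "ip": "198.51.100.7",
     "time": "2025-01-20T09:25:00Z", "mfa": "token_claim"},
    # bob's session is refreshed from the IP that created it: benign
    {"user": "bob@example.com", "session": "s-222", "ip": "203.0.113.22",
     "time": "2025-01-20T10:00:00Z", "mfa": "interactive"},
    {"user": "bob@example.com", "session": "s-222", "ip": "203.0.113.22",
     "time": "2025-01-20T10:30:00Z", "mfa": "token_claim"},
    {"user": "carol@example.com", "session": "s-333", "ip": "192.0.2.5",
     "time": "2025-01-20T11:00:00Z", "mfa": "interactive"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_replayed_sessions(events):
    """Return {session_id: [(time, ip, mfa, user), ...] sorted by time}
    for every session observed from two or more distinct IP addresses."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append((_ts(e["time"]), e["ip"], e["mfa"], e["user"]))
    return {sid: sorted(uses) for sid, uses in by_session.items()
            if len({ip for _, ip, _, _ in uses}) > 1}

def describe(events):
    """One human-readable alert line per suspicious reuse of a session."""
    alerts = []
    for sid, uses in find_replayed_sessions(events).items():
        born_at, born_ip, _, user = uses[0]
        for when, ip, mfa, _ in uses[1:]:
            if ip != born_ip:
                alerts.append(f"{user}: session {sid} created {born_at:%H:%M} from "
                              f"{born_ip}, reused {when:%H:%M} from {ip} (mfa={mfa})")
    return alerts

if __name__ == "__main__":
    for line in describe(SIGNINS):
        print(line)
```

This check only fires when the replay comes from a different address than the one the session was created on, so it should be paired with a review of sign-ins from addresses the user has never completed an interactive MFA from.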

References

  1. New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass
  2. New Microsoft 2FA Bypass Attack Warning—Dangerous And Sneaky, Act Now