Tag

Mfa

All articles tagged with #mfa

Massive Azure CLI credential spray uses legacy flow to bypass MFA, hits 78 accounts
security10 days ago

Massive Azure CLI credential spray uses legacy flow to bypass MFA, hits 78 accounts

Security researchers warn of a large-scale, automated password-spray against Microsoft Azure CLI that logged over 81 million login attempts and compromised at least 78 Microsoft accounts across 64 organizations. The attackers used the deprecated OAuth 2.0 Resource Owner Password Credentials (ROPC) flow to bypass Conditional Access policies, targeting credentials from breached lists and exploiting MFA configurations that didn’t cover Azure CLI logins. The activity originated largely from an IPv6 range linked to LSHIY LLC (AS32167). Recommendations include enforcing MFA for all users and apps, restricting the Azure CLI app to non-admins, and ensuring CAPs are fully configured to close gaps exposed by ROPC.

Kali365 Phishing Kit Bypasses MFA to Target Microsoft 365 Accounts
technology12 days ago

Kali365 Phishing Kit Bypasses MFA to Target Microsoft 365 Accounts

The FBI warns of Kali365, a phishing-as-a-service kit that bypasses multi-factor authentication by tricking victims into approving a device-code sign-in, enabling attackers to harvest OAuth tokens and access Outlook, Teams, and OneDrive; security guidance includes never entering unsolicited device codes, navigating directly to Microsoft rather than using links, monitoring sign-ins and devices, revoking suspicious sessions, keeping MFA enabled, and reporting incidents.

FortiBleed Breach Exposes 86K FortiGate Devices in Global Credential Campaign
security21 days ago

FortiBleed Breach Exposes 86K FortiGate Devices in Global Credential Campaign

CISA warns Fortinet customers about FortiBleed, a global credential-stuffing and brute-force campaign targeting internet-facing FortiGate firewalls and VPN gateways, with 86,644 devices compromised as of June 19, 2026. The attack, attributed to Russian-speaking actors, proceeds in two steps: scanning for exposed Fortinet endpoints, then using leaked or organization credentials to gain access, before passively harvesting more credentials. Sectors most affected include telecom, government, and education, with the U.K. NCSC calling it a worldwide campaign; many admins’ passwords remain SHA-256-hashed from older FortiGate versions, though PBKDF2 hashing is used in newer FortiOS releases. Fortinet maintains the incident data likely comes from prior breaches and brute-forcing, not a current advisory. CISA recommends terminating active sessions, resetting passwords on internet-facing systems, enforcing PBKDF2, applying strong password policies, enabling phishing-resistant MFA, reviewing logs, and reducing attack surfaces to mitigate risk.

Microsoft mends MFA and My Sign-Ins outage, restores access after cache-triggered failover
technology1 month ago

Microsoft mends MFA and My Sign-Ins outage, restores access after cache-triggered failover

Microsoft fixed an outage that prevented MFA setup and access to My Sign-Ins (504 errors). It mitigated by failing over to alternate infrastructure and is monitoring service health; an update later blamed a recent cache configuration change for the failover and high resource usage during EU traffic, with mitigation rolled back and traffic restored to the original infrastructure.

MuddyWater Uses Teams to Harvest Credentials and Subvert MFA in Chaos False-Flag Campaign
cybersecurity2 months ago

MuddyWater Uses Teams to Harvest Credentials and Subvert MFA in Chaos False-Flag Campaign

Security researchers describe a MuddyWater operation that exploited Microsoft Teams for external contact and screen-sharing to harvest user credentials (credentials.txt/cred.txt) and push MFA changes, followed by backdoor access using DWAgent and AnyDesk. The attackers deployed a custom RAT (Game.exe) and used C2 domains linked to MuddyWater, framing the intrusion as a Chaos ransomware false-flag campaign focused on credential theft and data exfiltration rather than encryption. The campaign featured indicators like a forged code-signing certificate and stolen credentials enabling lateral movement to Domain Controllers.

OAuth Redirect Attacks Deliver Malware and Bypass MFA
security4 months ago

OAuth Redirect Attacks Deliver Malware and Bypass MFA

Microsoft Defender researchers warn attackers abuse OAuth 2.0 redirect flows to bypass phishing protections by registering malicious OAuth apps and directing users to attacker-controlled redirect URIs, sometimes via PDFs; victims are taken to phishing pages or intermediaries like EvilProxy that can intercept session cookies to bypass MFA. Other campaigns deliver ZIPs with LNK files that launch PowerShell and DLL side-loading to drop payloads. These are identity-based threats exploiting standard OAuth error handling; Microsoft advises tighter OAuth permissions, stronger identity protections, Conditional Access, and cross-domain detection across email, identity, and endpoints.

"Ticketmaster Data Breach Exposes Millions, Sparks Lawsuits"
cybersecurity2 years ago

"Ticketmaster Data Breach Exposes Millions, Sparks Lawsuits"

Ticketmaster and several other Snowflake customers have been hacked, with threat actors obtaining credentials through info-stealing malware or purchasing them online. The hacking group ShinyHunters has claimed responsibility, seeking large sums for the stolen data. The breaches highlight the importance of multifactor authentication (MFA), which was not in place for the compromised accounts. Snowflake and security firms Mandiant and Crowdstrike are investigating, with no evidence yet of a vulnerability in Snowflake's platform.

"Uncovering Ad Tech Failures: The Costly Truth Behind Made-for-Advertising Sites"
advertising-technology2 years ago

"Uncovering Ad Tech Failures: The Costly Truth Behind Made-for-Advertising Sites"

Adalytics report exposes the prevalence of low-quality inventory in the ad tech ecosystem, despite claims of MFA prevention by vendors. The report highlights major SSPs and media companies for oversaturating the supply with garbage inventory, pointing to a systemic issue in programmatic advertising. While some companies like The Trade Desk are commended for effectively filtering out MFA, the industry's conflicting incentive structures and lack of ongoing maintenance contribute to the persistence of MFA supply.

"Learning from Microsoft's Russian Hacking Incident: New Guidance and Mistakes to Avoid"
technology2 years ago

"Learning from Microsoft's Russian Hacking Incident: New Guidance and Mistakes to Avoid"

Microsoft confirmed that Kremlin-backed spies gained access to its network and stole internal emails and files after exploiting a legacy, non-production test tenant account that did not have multi-factor authentication (MFA) enabled. The attackers used password spray attacks and compromised a test OAuth application to access corporate inboxes belonging to top Microsoft executives and staff. Microsoft has acknowledged the need for faster implementation of MFA and has provided guides for administrators to prevent similar breaches. The incident has raised concerns about the insufficient MFA protection within the company and highlighted the importance of basic security hygiene.

SEC Acknowledges Cybersecurity Failure in Bitcoin-Related Hack
cybersecurity2 years ago

SEC Acknowledges Cybersecurity Failure in Bitcoin-Related Hack

The US Securities and Exchange Commission (SEC) admitted that a key security procedure, multi-factor authentication (MFA), had been suspended for six months on its social media account when hackers made a fake post about Bitcoin in January. This allowed hackers to gain access to the account and make the misleading post, causing the cryptocurrency to surge in value before the post was deleted. The SEC has since confirmed the regulatory change, but the incident highlights the importance of maintaining strong cybersecurity measures, especially in government agencies, to prevent similar attacks.

EvilProxy Phishing Campaign Exploits Microsoft 365 Users and Executives
cybersecurity2 years ago

EvilProxy Phishing Campaign Exploits Microsoft 365 Users and Executives

EvilProxy, a popular phishing platform, has been used in a large-scale campaign targeting Microsoft 365 accounts. Researchers have observed 120,000 phishing emails sent to over a hundred organizations, primarily impacting high-ranking executives. EvilProxy employs reverse proxies to steal authentication cookies and bypass multi-factor authentication. The campaign impersonates popular brands and utilizes open redirections to evade detection. Once an account is compromised, the threat actors establish persistence by adding their own multi-factor authentication method. Organizations are advised to increase security awareness, implement stricter email filtering rules, and adopt FIDO-based physical keys to defend against this growing threat.