Code Defence Cyber security

Microsoft discloses mass token-theft campaign targeting 35,000 users globally

A large-scale credential-theft operation has been identified targeting tens of thousands of users across global organizations. The campaign is notable for stealing the session token issued after a successful login rather than the password alone, which lets the attacker bypass multi-factor authentication (MFA).

The campaign, disclosed by Microsoft, uses "Code of Conduct" themed phishing lures to direct victims to attacker-controlled pages. Instead of merely harvesting passwords, the attackers use Adversary-in-the-Middle (AiTM) tactics: the phishing page reverse-proxies the genuine sign-in page, so the victim enters a password and completes the MFA prompt against the real identity provider while the proxy records the session cookie the provider issues. The adversary then replays that cookie to hijack the authenticated session directly, without ever having to answer an MFA challenge, which neutralizes standard SMS or app-based MFA.

The shift toward token theft highlights the weakness of any MFA factor that a user can be tricked into completing against a proxied page: codes, push approvals and SMS all survive the proxy intact. For enterprises, this reinforces the necessity of moving toward phishing-resistant authentication such as FIDO2 security keys or certificate-based authentication, where the credential is cryptographically bound to the legitimate origin and a proxy on a look-alike domain cannot complete the ceremony.

– Transition all high-value administrative and executive accounts to phishing-resistant MFA (e.g., FIDO2 or certificate-based).

– Implement Conditional Access policies that require a compliant or managed device and evaluate sign-in location; an AiTM proxy holds the stolen cookie but cannot present the device claims, so requiring a compliant device blocks the replay even when location checks alone would not.

– Use session binding and device-compliance checks so that an exfiltrated token cannot be used from hardware other than the one it was issued to; cryptographically binding the token to the device (Microsoft Entra's token protection in Conditional Access does this for supported clients) is stronger than checks the proxy can satisfy.

– Update security awareness training to include specific modules on token theft and Adversary-in-the-Middle phishing tactics, including the fact that a correct-looking MFA prompt on a wrong domain is the attack, not a sign of safety.
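The detection side of the session-binding point above, as an added example that is not code from the original post or from Microsoft: the script runs over constructed sign-in records and flags a session identifier that is presented from a new network, a new client or a non-compliant device shortly after it was issued, which is the trace a replayed AiTM-stolen cookie leaves in identity-provider logs. The field names and the sample records are assumptions chosen to resemble sign-in telemetry, not an exact log schema.

```python
"""Flag session-token replay in sign-in telemetry.

Added example; not Microsoft's code and not part of the original post.
Record fields (user, sessionId, ip, asn, userAgent, time, deviceCompliant)
are hypothetical and only loosely modelled on identity-provider sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (not real data). alice's session s-1 is first
# seen from her corporate network on a compliant device, then four minutes
# later from a different ASN, a different browser and a non-compliant device:
# the shape an AiTM operator replaying her cookie produces. bob keeps one
# network and client. carol changes ASN, but hours later (laptop moved home).
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "sessionId": "s-1", "ip": "203.0.113.10",
     "asn": "AS64500", "userAgent": "Edge/120", "time": "2024-05-01T09:00:00Z",
     "deviceCompliant": True},
    {"user": "alice@example.com", "sessionId": "s-1", "ip": "198.51.100.7",
     "asn": "AS64511", "userAgent": "Chrome/118", "time": "2024-05-01T09:04:00Z",
     "deviceCompliant": False},
    {"user": "bob@example.com", "sessionId": "s-2", "ip": "203.0.113.22",
     "asn": "AS64500", "userAgent": "Edge/120", "time": "2024-05-01T09:10:00Z",
     "deviceCompliant": True},
    {"user": "bob@example.com", "sessionId": "s-2", "ip": "203.0.113.22",
     "asn": "AS64500", "userAgent": "Edge/120", "time": "2024-05-01T09:40:00Z",
     "deviceCompliant": True},
    {"user": "carol@example.com", "sessionId": "s-3", "ip": "203.0.113.31",
     "asn": "AS64500", "userAgent": "Edge/120", "time": "2024-05-01T08:00:00Z",
     "deviceCompliant": True},
    {"user": "carol@example.com", "sessionId": "s-3", "ip": "192.0.2.45",
     "asn": "AS64496", "userAgent": "Edge/120", "time": "2024-05-01T13:00:00Z",
     "deviceCompliant": True},
]


def _parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_token_replay(records, window=timedelta(hours=1)):
    """Return one alert per (user, session) whose token is later presented
    from a different ASN, a different user agent, or a non-compliant device
    within `window` of the session's first use.

    A legitimate user normally keeps one network and one browser for the
    life of a session; an attacker replaying a stolen cookie from their own
    infrastructure changes at least one of them. The time window suppresses
    the obvious benign case of a device that roams hours later.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["user"], rec["sessionId"])].append(rec)

    alerts = []
    for (user, session_id), uses in by_session.items():
        uses.sort(key=lambda r: _parse(r["time"]))
        origin = uses[0]  # the sign-in that minted the session token
        for later in uses[1:]:
            reasons = []
            if later["asn"] != origin["asn"]:
                reasons.append("asn_changed")
            if later["userAgent"] != origin["userAgent"]:
                reasons.append("user_agent_changed")
            if origin.get("deviceCompliant") and not later.get("deviceCompliant"):
                reasons.append("compliant_to_noncompliant")
            gap = _parse(later["time"]) - _parse(origin["time"])
            if reasons and gap <= window:
                alerts.append({
                    "user": user,
                    "sessionId": session_id,
                    "originIp": origin["ip"],
                    "replayIp": later["ip"],
                    "minutesAfterIssue": int(gap.total_seconds() // 60),
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_SIGNINS):
        print(alert)
```

Run against the sample, the detector raises one alert, for alice's session, citing all three reasons; bob's and carol's sessions are not flagged. Tightening the window to a minute drops the alert, which is the trade-off to tune against real telemetry: a short window misses a patient attacker, a long one flags every commuter.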

Identity is the new perimeter; once the session token is stolen, the login trust boundary (password plus MFA) has already been crossed, and every control that lives behind it must assume so. #CodeDefence #Microsoft #Phishing #TokenTheft #AiTM