Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials
A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging.
In parallel, threat actors are increasingly using adversary-in-the-middle (AiTM) toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. Because a stolen session cookie represents a session that has already passed MFA, attackers can impersonate the user and maintain access without triggering additional MFA prompts. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient and that behavioral analysis is required to spot these evolving threats.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
KnowBe4 reports a multi-stage campaign targeting Microsoft 365 credentials
KnowBe4 published a report describing a multi-stage phishing campaign designed to evade security controls and steal Microsoft 365 credentials. The available reference does not provide further technical or victim details, but indicates a distinct campaign disclosure.
Any.Run says hybrid 2FA phishing kit is already evading existing detections
Any.Run said the new hybrid kit was already causing alerts for pure Salty2FA or Tycoon2FA activity to go quiet, indicating active evasion of existing detection rules. The company advised defenders to move away from static IOCs and toward behavioral detection of execution flows, transitions, and fallback routines.
Researchers identify a hybrid Salty2FA–Tycoon2FA phishing kit
Researchers reported that threat actors had combined features of the Salty2FA and Tycoon2FA phishing-as-a-service kits into a harder-to-detect hybrid used to bypass MFA. Analysis showed Salty2FA-like early-stage behavior and Tycoon2FA-like later-stage execution, reducing the effectiveness of signatures tuned to either kit alone.
Attackers increasingly use Evilginx to bypass MFA via session-cookie theft
Threat actors were observed using the Evilginx adversary-in-the-middle phishing toolkit to proxy legitimate login flows, steal credentials and session cookies, and then access accounts without triggering additional MFA prompts. The activity was described as particularly affecting educational institutions and enabling follow-on risks such as data theft, fraud, and unauthorized account changes.
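As an added illustration of the behavioral detection Any.Run recommends (example code, not from any of the cited reports or vendors), the following Python flags an MFA-established session that is reused shortly afterwards from a different network location and client, which is what replaying a stolen session cookie looks like in sign-in telemetry. The field names and the sample events are constructed assumptions, not a real Entra ID or Microsoft 365 log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in events in a simplified, Microsoft-365-like shape. The field
# names are hypothetical, not a real Entra ID / M365 audit schema.
@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str      # identifier tied to the session cookie
    ip: str
    user_agent: str
    mfa_satisfied: bool  # True on the interactive login that completed MFA

def flag_session_replay(events, window=timedelta(hours=1)):
    """Return (user, session_id, ip) for each use of an MFA-established session
    from a new IP *and* a new user agent within `window` of the original login,
    with no fresh MFA on that later request. Requiring both attributes to change
    suppresses ordinary roaming (new IP, same browser); the user agent is
    client-controlled, so treat the pair as a tunable signal, not proof."""
    origin = {}   # session_id -> first event that satisfied MFA
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.mfa_satisfied:
            origin.setdefault(e.session_id, e)
            continue
        first = origin.get(e.session_id)
        if first is None:
            continue  # no MFA login seen for this session; out of scope here
        moved = e.ip != first.ip and e.user_agent != first.user_agent
        if moved and e.ts - first.ts <= window:
            findings.append((e.user, e.session_id, e.ip))
    return findings

# Constructed sample: alice's session cookie is reused 7 minutes after her MFA
# login from a different address and browser; bob's activity stays on one device.
T = datetime(2025, 1, 15, 9, 0)
SAMPLE = [
    SignIn(T, "alice@example.com", "sess-1", "198.51.100.4", "Chrome/Windows", True),
    SignIn(T + timedelta(minutes=7), "alice@example.com", "sess-1", "203.0.113.7", "Firefox/Linux", False),
    SignIn(T + timedelta(minutes=30), "alice@example.com", "sess-1", "198.51.100.4", "Chrome/Windows", False),
    SignIn(T + timedelta(minutes=10), "bob@example.com", "sess-2", "198.51.100.9", "Edge/Windows", True),
    SignIn(T + timedelta(minutes=20), "bob@example.com", "sess-2", "198.51.100.9", "Edge/Windows", False),
]

if __name__ == "__main__":
    for user, sid, ip in flag_session_replay(SAMPLE):
        print(f"possible session replay: {user} session {sid} used from {ip}")
```

In production the same logic would run over exported sign-in logs keyed on the real session identifier, with ASN or geolocation change substituted for the raw IP comparison.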
Sources
3 references tracked.
The Ghost in the Machine: How a Multi-Stage Phishing Campaign Evades Security to Steal Microsoft 365 Credentials (blog.knowbe4.com)
Attackers have a new way to slip past your MFA (malwarebytes.com)
Hybrid 2FA phishing kits are making attacks harder to detect (csoonline.com)