Mallory

Credential-Based Attacks and the Shift Toward Phishing-Resistant MFA

Tags: credential-based, phishing-resistant, credential harvesting, MFA, authentication, identity theft, smishing, security perimeter, social engineering, unauthorized access, passkeys, identity, infostealer, ransomware, attack

Updated December 6, 2025 at 11:00 AM (2 sources)


Recent high-profile breaches at major UK retailers, including M&S and Co-op Group, have highlighted the growing threat of identity-based attacks. Attackers used vishing techniques to obtain corporate passwords, which enabled ransomware deployment and resulted in significant financial and reputational damage. The distributed nature of modern IT environments, with resources spread across cloud and on-premises systems, has made identity the new security perimeter, increasing the value of credentials for cybercriminals. Infostealer malware and various forms of phishing, including smishing and vishing, are now primary methods for harvesting credentials, contributing to a surge in identity-related breaches across industries.

To counter these threats, security experts emphasize the importance of robust multifactor authentication (MFA), particularly methods that are resistant to phishing. While traditional MFA methods such as one-time passwords (OTPs) sent via SMS or email are still widely used, they are increasingly vulnerable to social engineering and interception. The adoption of passkeys and other phishing-resistant MFA solutions is being promoted as the gold standard, with Microsoft reporting that MFA blocks over 99% of unauthorized access attempts. Organizations are urged to move beyond basic MFA and implement stronger, phishing-resistant authentication to protect against evolving identity-based attacks.

Related Stories

Adversary-in-the-Middle Phishing and Evasion Techniques That Bypass MFA

Adversary-in-the-middle (**AiTM**) phishing continues to undermine traditional MFA by proxying legitimate Microsoft sign-in flows in real time, allowing attackers to capture not only passwords but also **session tokens** and MFA responses. One investigation described how sophisticated redirect infrastructure (e.g., unusually deep redirect chains) can place the final phishing content beyond the reach of many email security scanners, and how **one-time URL tokens** can prevent defenders from reproducing the full chain after the fact—making *in-the-moment* evidence collection critical. The same analysis emphasized that **phishing-resistant MFA** (e.g., **FIDO2/passkeys**) is a more effective control because hardware-bound credentials cannot be relayed through a proxy. Operationally, defenders are being pushed to treat modern phishing as an infrastructure and workflow problem, not just a user-awareness issue: attackers increasingly use HTTPS, branded lookalike pages/domains, redirects, and short-lived links to evade detection, including **QR phishing** (codes embedded in PDFs that bypass URL scanning). Additional pressure tactics like **MFA fatigue** (push-spam) remain effective against push-based MFA, with mitigations including number matching, contextual prompts (e.g., location), and monitoring for abnormal push rates. For earlier detection of AiTM activity, one proposed tripwire is embedding **Canary Tokens** in Microsoft Entra ID tenant branding (e.g., custom CSS) to alert when an AiTM proxy loads the login page, while noting this is not universally reliable across all kits.
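The reason a passkey cannot be relayed through an AiTM proxy, as stated in the two stories above, is WebAuthn origin binding: the browser writes the origin it is actually talking to into the signed client data, and the relying party rejects any assertion whose origin is not its own. The following is an added example, not code from Mallory or from any vendor; it simulates that check with the Python standard library, using HMAC-SHA256 as a constructed stand-in for the authenticator's asymmetric signature and hypothetical origins `login.example.com` (the real RP) and `login.example.net` (the proxy).

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed stand-in for the authenticator's private key. A real passkey signs
# with an asymmetric key (typically ECDSA P-256); HMAC keeps this stdlib-only while
# preserving the property that matters here: the signature covers the origin.
AUTHENTICATOR_KEY = secrets.token_bytes(32)
RP_ID = "login.example.com"                 # hypothetical relying party
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example.net"  # hypothetical AiTM lookalike


def authenticator_sign(challenge: bytes, origin: str) -> dict:
    """Browser + authenticator side: clientDataJSON records the origin the
    browser really sent the request from; the signature covers its hash."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}).encode()
    # authenticatorData: rpIdHash (32) + flags (UP=0x01) + signCount (4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(AUTHENTICATOR_KEY, to_sign, "sha256").digest()}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:       # origin binding: defeats the proxy
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest() or not auth_data[32] & 0x01:
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login() -> bool:
    challenge = os.urandom(32)
    return rp_verify(authenticator_sign(challenge, RP_ORIGIN), challenge)


def relayed_login() -> bool:
    """Proxy forwards the real challenge, but the victim's browser signs the
    proxy's origin, so the RP rejects the assertion."""
    challenge = os.urandom(32)
    return rp_verify(authenticator_sign(challenge, PROXY_ORIGIN), challenge)


def relayed_login_patched_origin() -> bool:
    """Proxy rewrites the origin field before forwarding: the signature no longer
    matches the modified clientDataJSON, so the RP still rejects it."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(challenge, PROXY_ORIGIN)
    patched = json.loads(assertion["clientDataJSON"])
    patched["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(patched).encode()
    return rp_verify(assertion, challenge)
```

Contrast this with an OTP or push approval, which carries no origin at all and therefore verifies identically whether the user typed it on the real site or on the proxy.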

1 week ago

Credential Compromise and the Risks of Password-Based Authentication

Cybercriminals are increasingly targeting enterprise credentials through phishing, brute force attacks, and exploitation of password reuse, leading to widespread compromise and monetization of login details. Attackers use tactics such as convincing phishing emails, credential stuffing, and the sale of stolen credentials on underground markets, enabling further exploitation including data theft and ransomware. The prevalence of password reuse and weak password management practices among employees exacerbates the risk, as users often rotate between a small set of passwords or make only minor variations, making it easier for attackers to gain access to multiple accounts once a single credential is compromised. Security experts are urging organizations to move away from traditional password-based authentication and adopt phishing-resistant, device-bound cryptographic solutions such as FIDO2, passkeys, and certificate-based authentication. These measures are seen as essential to counter the growing threat posed by automated attacks leveraging AI agents and large-scale credential theft. SaaS providers are also encouraged to integrate with identity platforms that support these advanced authentication methods to strengthen overall security posture and reduce the risk of credential-based breaches.

4 months ago

Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials

A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. By stealing session cookies, attackers can impersonate users and maintain access without triggering additional MFA prompts, even after successful authentication. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.

3 months ago
