Tag: mfa
-
(g+) SonicwallBypass: Why patched Sonicwall VPNs still let MFA be bypassed
On many Sonicwall firewalls the patch is installed, yet MFA can still be bypassed. Six steps are missing. What admins need to check. First seen on golem.de Jump to article: www.golem.de/news/sonicwall-mfa-bypass-warum-gepatchte-sonicwall-vpns-die-mfa-weiter-durchlassen-2606-210118.html
-
Mastodon 4.6 adds profile Collections and two-factor controls
People who run accounts on the open source social network Mastodon can now group profiles together and share those groups across the web. The 4.6 release centers on a feature … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/06/19/mastodon-4-6-released/
-
Webinar: How attackers bypass MFA and how defenders can respond
Modern phishing attacks, including Device Code phishing, can undermine MFA protections and grant attackers access to corporate accounts without stealing passwords. This webinar explores how behavioral AI can help security teams detect compromised accounts faster and automate response workflows. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/webinar-how-attackers-bypass-mfa-and-how-defenders-can-respond/
-
Record data leak: 24 billion credentials exposed online
An unprotected server contained 24 billion credentials in plaintext. According to Cybernews, billions of accounts without multi-factor authentication are at risk. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/rekord-datenleck-24-milliarden
-
Why Account Takeovers Are Rising and How to Stop Them
Account takeovers are rising as attackers bypass traditional defenses through phishing, session hijacking, and MFA fatigue. Specops Software explores how device trust and continuous verification help reduce account takeover risk. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/why-account-takeovers-are-rising-and-how-to-stop-them/
-
Ghostwriter APT Uses Fake Gmail Login Panels to Steal Passwords and 2FA Codes
Ghostwriter (UNC1151) has escalated its long-standing phishing operations by deploying convincing fake Gmail login panels that harvest both passwords and two-factor authentication (2FA) codes, CERT Polska reports. The group, which historically focused on Polish email providers such as Onet, Wirtualna Polska and Interia, shifted in March 2026 to high-volume Gmail-targeted campaigns. Attackers send professionally worded Polish-language…
-
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search. Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL…
-
Payroll Pirate Campaign Uses AiTM Session Hijacking to Bypass MFA and Redirect Salaries
A financially motivated campaign dubbed "Payroll Pirate" has emerged using advanced phishing and adversary-in-the-middle (AiTM) session hijacking to bypass multifactor authentication (MFA) and reroute payroll disbursements. This operation targets payroll and HR portals at mid-market and enterprise organizations, chaining credential theft, real-time session interception, and subtle profile changes to siphon funds without triggering conventional alarms.…
-
Experts say we should use passkeys, but can a smartphone PIN really be safer than a password?
The long-running series in which readers answer other readers’ questions explores a topical issue of personal cybersecurity. I’ve been struggling to get my head around the idea that a passkey, which can be a PIN on your phone, or facial…
-
New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams
Cybersecurity researchers are warning businesses about Pink Extortion Group, a threat actor that uses voice phishing to bypass multi-factor authentication and steal files from cloud environments. First seen on hackread.com Jump to article: hackread.com/pink-extortion-microsoft-365-cloud-data-vishing-scams/
-
FBI warns of phishing platform Kali365 – Kali365 abuses a legitimate Microsoft flow to bypass MFA
First seen on security-insider.de Jump to article: www.security-insider.de/kali365-phishing-microsoft-365-mfa-oauth-device-code-flow-a-4571206ba2a0d237ebb8bb01d289ff61/
-
Password manager Dashlane says hackers stole some customers’ password vaults
The password manager giant said hackers were able to ‘brute-force’ its two-factor system, allowing them to access customer accounts and download their password vaults. First seen on techcrunch.com Jump to article: techcrunch.com/2026/06/02/password-manager-dashlane-says-hackers-stole-some-customers-password-vaults/
-
Kali365 increasingly impersonates companies such as Microsoft and Okta
Steven Campbell, Staff Threat Intelligence Researcher at Arctic Wolf, recently put into context the FBI warning about ‘Kali365’, a campaign that has since evolved from a phishing kit into a broader phishing-as-a-service platform, along with current developments around modern phishing attacks. Kali365 first drew attention by exploiting Microsoft's OAuth device authorization flow to steal authentication tokens and to… multi-factor authentication
-
Meta’s AI Bot Misused by Hackers to Take Over Instagram Accounts
Attackers have exploited a critical vulnerability in Meta’s AI-powered Instagram support chatbot to hijack user accounts without needing passwords, phishing, or malware. Instead of bypassing security through technical exploits, hackers simply manipulated the chatbot via natural-language requests. The flaw allowed attackers to bypass two-factor authentication (2FA) effectively. By interacting…
-
Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Password manager Dashlane has disclosed that “fewer than” 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an “external” threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication…
-
Microsoft fixes outage affecting MFA setup, MySignIn service
Microsoft is working to address an ongoing incident preventing customers from setting up multi-factor authentication (MFA) or accessing the My Sign-Ins platform. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outage-affecting-mfa-setup-mysignin-service/
-
Microsoft confirms outage affecting MFA, My Sign-Ins platform
Microsoft is working to address an ongoing incident preventing customers from setting up multi-factor authentication (MFA) or accessing the My Sign-Ins platform. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/microsoft/microsoft-confirms-outage-affecting-mfa-my-sign-ins-platform/
-
FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts no password required
So, you’ve enabled multi-factor authentication. You’ve taught your staff never to type their passwords into dodgy-looking login pages. Surely your Microsoft 365 accounts are safe now? First seen on bitdefender.com Jump to article: www.bitdefender.com/en-us/blog/hotforsecurity/fbi-kali365-phishing-kit-breaks-microsoft-365-accounts-no-password-required
-
MFA Prompt Bombing: Why Your Second Factor Isn’t Saving You
Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn’t log in without the second factor. While that logic was sound, attackers have now figured out that they don’t need to steal the second factor: they just need the…
-
FBI warns of Kali365 phishing service targeting Microsoft 365 accounts
The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/
-
npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation. Called staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication…
-
Attackers exploit SonicWall VPN vulnerability to bypass MFA
First seen on scworld.com Jump to article: www.scworld.com/brief/attackers-exploit-sonicwall-vpn-vulnerability-to-bypass-mfa
-
FBI Warns of Kali365 Phishing Service Targeting Microsoft 365 Account
FBI warns of Kali365, a PaaS scam kit that lets cybercriminals bypass MFA and hijack Microsoft 365 accounts without passwords. First seen on hackread.com Jump to article: hackread.com/fbi-kali365-phishing-service-microsoft-365-account/
-
Microsoft 365 users targeted by new phishing threat that bypasses MFA
Microsoft 365 access tokens are being targeted by an emerging Phishing-as-a-Service (PhaaS) platform called Kali365, the FBI is warning. First observed in April 2026, Kali365 … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/05/22/kali365-microsoft-365-phishing-fbi-warning/
-
FBI Warns Kali365 PhaaS Platform Targets Microsoft 365 Users to Steal Logins
The U.S. Federal Bureau of Investigation (FBI) has issued a Public Service Announcement (Alert I-052126-PSA) warning about a newly identified Phishing-as-a-Service (PhaaS) platform named Kali365, which is actively targeting Microsoft 365 users. First observed in April 2026, the platform enables attackers to bypass multi-factor authentication (MFA) by exploiting OAuth-based authentication flows. …
-
Mini Shai-Hulud Attack Prompts npm to Revoke 2FA-Bypass Tokens
npm has forced a platform-wide reset of granular access tokens that bypass two-factor authentication (2FA) after a wave of supply chain attacks linked to the “Mini Shai-Hulud” campaign compromised hundreds of JavaScript packages. The emergency action, rolled out on May 19, invalidated all npm tokens with write permissions that allowed publishing without 2FA. The move…
-
Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix
Attackers bypassed MFA on patched SonicWall Gen6 VPNs because admins missed extra manual steps required to fully fix the flaw. There is a particular kind of security failure that is harder to catch than an unpatched system: a patched system where the patch did not actually work because nobody followed all the steps. That is…