authentication

Mirage2FA Phishing Kit Uses HTML Smuggling to Steal Microsoft 365 Credentials

Researchers at Fortra uncovered Mirage2FA, a phishing kit that uses HTML smuggling and obfuscated JavaScript to deploy fake Microsoft 365 login pages, tricking users into submitting credentials and multi-factor authentication details. The campaign employs business-themed lures and short-lived domains to carry out Microsoft 365 account takeovers, potentially exposing email, files, Teams messages, and other cloud resources. Users affected are advised to reset passwords, revoke sessions, review MFA methods, and check for unauthorized mailbox access.

https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

A China-linked threat group known as Velvet Ant backdoored critical Linux login software components PAM and OpenSSH to maintain covert access inside isolated networks for nearly a decade, starting from 2016. By altering trusted login programs themselves, the attackers bypassed traditional defenses, capturing credentials and commands without exploiting new malware, making the intrusion difficult to detect and remediate. Security experts recommend monitoring these login files for changes and verifying software integrity to detect and remove such stealthy backdoors effectively.

https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html

These Convincing Copyright Notices Are Designed to Steal Google Logins

A new phishing scam targets Chrome extension developers with fake copyright removal notices designed to steal Google login credentials. The scam uses publicly available extension information to create convincing personalized warnings and a fake Google sign-in window, pressuring victims to enter their credentials before a fabricated deadline. Developers are advised to verify warnings only through their Chrome Web Store dashboard and to safeguard accounts with strong authentication and security software.

https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins

Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users

A critical vulnerability called FlagLeft was discovered in six major Microsoft 365 Android apps, where a debug flag left enabled in production allowed any app on the device to silently obtain valid Microsoft account tokens without user consent. This flaw exposed billions of users to account takeover risks, enabling attackers to access emails, files, and calendar data under the victim's identity; Microsoft has since patched the issue and urged users to update affected apps immediately.

https://cybersecuritynews.com/microsoft-365-android-apps-account-takeover-vulnerability/

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google disclosed that hackers have used artificial intelligence to develop the first known zero-day exploit capable of bypassing two-factor authentication (2FA) for mass exploitation. The zero-day vulnerability, implemented in a Python script with characteristics of AI-generated code, targets a popular open-source web-based administration tool and demonstrates how AI models are accelerating the discovery and weaponization of software vulnerabilities.

https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html

cPanel 0-Day Authentication Bypass Vulnerability Actively Exploited in the Wild

A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM has been actively exploited in the wild, allowing unauthenticated attackers to gain root-level access to hosting control panels. With a public proof-of-concept exploit released, cPanel has issued emergency patches and urged administrators to update immediately to prevent widespread compromise across millions of hosting accounts globally.

https://cybersecuritynews.com/cpanel-0-day-authentication-bypass-vulnerability/

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

Microsoft has confirmed active exploitation of a high-severity Windows Shell vulnerability (CVE-2026-32202) that allows unauthorized attackers to perform spoofing and access sensitive information. This zero-click exploit, linked to an incomplete patch for CVE-2026-21510 and used by the Russian state-sponsored group APT28, enables credential theft through automatic network authentication when victims open malicious Windows Shortcut files, highlighting ongoing risks despite recent patches.

https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html

No Exploit Needed: How Attackers Walk Through the Front Door Via Identity-Based Attacks

The article highlights that despite advances in cybersecurity threats, stolen credentials remain the most common and effective method attackers use to gain unauthorized access. It emphasizes the growing role of AI in accelerating these identity-based attacks and advocates for a dynamic, iterative incident response approach—DAIR—to effectively detect, contain, and eradicate threats.

https://thehackernews.com/2026/04/no-exploit-needed-how-attackers-walk.html

The Silent “Storm”: New Infostealer Hijacks Sessions, Decrypts Server-Side

A new infostealer named Storm, emerging in early 2026, steals browser credentials, session cookies, crypto wallets, and more by sending encrypted data to attackers' servers for decryption instead of decrypting locally, evading endpoint security detection. Storm automates session hijacking by restoring authenticated sessions remotely, enabling attackers to access SaaS platforms and cloud environments without triggering password alerts, and it is sold via tiered subscriptions on cybercrime forums.

https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/

New VENOM Phishing Attacks Steal Senior Executives’ Microsoft Logins

Threat actors using a new phishing-as-a-service platform called VENOM have been targeting Microsoft logins of senior executives since at least last November. The attacks impersonate Microsoft SharePoint notifications with highly personalized emails and QR codes leading victims to sophisticated credential-harvesting pages that bypass traditional protections like MFA, highlighting the need for stronger authentication measures such as FIDO2 and stricter access policies.

https://www.bleepingcomputer.com/news/security/new-venom-phishing-attacks-steal-senior-executives-microsoft-logins/

New Alert: Hackers Hijack Corporate M365 Accounts With OAuth Device Codes

A recent surge in phishing attacks abuses Microsoft's OAuth Device Code flow, allowing hackers to hijack corporate Microsoft 365 accounts without stealing passwords by tricking victims into authenticating on legitimate Microsoft login pages. This token-based technique is difficult to detect with traditional tools and enables attackers to access sensitive corporate data, but solutions like ANY.RUN’s SSL decryption and interactive sandbox analysis provide earlier visibility and help security teams respond faster to these sophisticated threats.

https://cyberpress.org/new-alert-hackers-hijack-corporate-m365-accounts-with-oauth-device-codes/

Inside Tycoon2FA: How a Leading AiTM Phishing Kit Operated at Scale

The article analyzes Tycoon2FA, a phishing-as-a-service platform that enabled large-scale adversary-in-the-middle (AiTM) attacks capable of bypassing multifactor authentication. It explains how the service intercepted login credentials and session cookies through proxy phishing pages that mimicked services such as Microsoft 365 and Gmail. The platform included evasion techniques and user-friendly infrastructure, enabling less-skilled attackers to run campaigns that reached hundreds of thousands of organizations each month. The article concludes with guidance on layered defenses, including improved authentication methods, phishing detection, and coordinated disruption efforts. 

https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/

New AirSnitch Attack Bypasses Wi-Fi Encryption in Homes, Offices, and Enterprises

New research reveals a series of attacks, named AirSnitch, that bypass Wi-Fi encryption and client isolation, allowing attackers to intercept and manipulate data between connected clients. The attacks exploit vulnerabilities in the lowest levels of the network stack, specifically targeting the interaction between Layers 1 and 2. AirSnitch enables bidirectional man-in-the-middle attacks, potentially compromising sensitive data and enabling advanced cyberattacks.

https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/

Identity Verification Systems Are Struggling With Synthetic Fraud

Identity verification systems face issues with synthetic fraud as fake and expired IDs appear in transactions, especially in fast onboarding and remote transactions. Intellicheck's analysis of nearly 100 million transactions shows a 97.85% average verification success rate, concealing significant industry differences. Key fraud sources include expired credentials and synthetic identities, exacerbated by AI capabilities. Industries like alcohol retail and online-only banks exhibit the highest failure rates. Organizations are encouraged to focus on identity verification metrics to preempt fraud. The need for advanced, multi-layered verification technologies is emphasized as traditional methods fail to counteract evolving fraud tactics.

https://www.helpnetsecurity.com/2026/02/23/analysis-identity-verification-fraud-report/

Hackers Target Microsoft Entra Accounts in Device Code Vishing Attacks

Hackers are targeting Microsoft Entra accounts using device code phishing and voice vishing, compromising accounts through legitimate Microsoft OAuth flows without needing traditional phishing methods. This allows attackers to gain valid authentication tokens and access victims' accounts, enabling corporate data theft. The ShinyHunters gang is suspected to be behind these attacks, with recommendations for organizations to monitor OAuth apps, revoke suspicious consents, and consider disabling device code flows when unnecessary.

https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/

Scroll to Top