authentication

CyberheistNews Vol 16 #07 Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

Phishing campaign bypassing M365 MFA detected, compromising accounts by exploiting OAuth 2.0 flows. Attackers trick users into authenticating on legitimate Microsoft domains, stealing access tokens for persistent access to data. Key sectors targeted include tech, manufacturing, and finance. Immediate mitigation requires auditing OAuth apps and reviewing email logs. Additionally, there’s discussion on automation in incident response, AI-driven email security, and the evolution of romance scams using deepfake technology. New voice phishing kits enable real-time control over attacks, raising concerns over email security gaps in organizations.

https://blog.knowbe4.com/cyberheistnews-vol-16-07-uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

Massive Credential Leak Exposes 149 Million Stolen Logins for Gmail, Facebook, Netflix and More

Massive leak of 149 million stolen logins (including for Gmail, Facebook, Netflix) poses significant customer trust risks, revealing cybersecurity failures. Exposed data includes sensitive credentials linked to major services. This incident highlights the need for improved security measures and customer education on malware risks, as credential theft becomes industrialized. Brands must prioritize trust and proactive responses to protect customer experience amidst rising cyber threats.

https://www.cxtoday.com/security-privacy-compliance/massive-credential-leak-exposes-149-million-stolen-logins-for-gmail-facebook-netflix-and-more/

Nearly 800,000 Telnet Servers Exposed to Remote Attacks

Nearly 800,000 Telnet servers are vulnerable to remote attacks exploiting an authentication bypass flaw (CVE-2026-24061) in GNU InetUtils. This flaw allows attackers to gain root access without proper authentication. The vulnerability affects versions 1.9.3 to 2.7, with a patch available in version 2.8. Cybersecurity firm GreyNoise reports that limited exploit attempts have already begun following the vulnerability's disclosure. Admins are advised to disable Telnet services or block TCP port 23 if they cannot upgrade immediately.

https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/

Hackers Exploit Critical Telnetd Auth Bypass Flaw to Get Root

Hackers are exploiting a critical 11-year-old vulnerability in the GNU InetUtils telnetd server, allowing remote authentication bypass to gain root access. The flaw involves unsanitized environment variable handling, enabling attackers to set the USER variable to gain unauthorized access. Affected versions include 1.9.3 to 2.7, with a patch available in version 2.8. Despite the risk, many legacy systems still use Telnet, particularly in industrial sectors. Recent exploit activity was detected, but real-world impact appears limited. Immediate patching or mitigations are advised.

https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-telnetd-auth-bypass-flaw-to-get-root/

Inside GoBruteforcer: AI-Generated Server Defaults, Weak Passwords, and Crypto-Focused Campaigns

GoBruteforcer is a modular botnet that brute-forces passwords on Linux servers, targeting FTP, MySQL, and PostgreSQL services, exploiting AI-generated defaults and weak credentials. Over 50,000 servers may be affected. Its campaigns focus on cryptocurrency databases, utilizing common usernames and weak passwords derived from AI-generated configurations. The botnet operates through a two-part system: an IRC bot for command control and a bruteforcer for password attacks. Its success is bolstered by widespread internet exposure and legacy software vulnerabilities, particularly with misconfigured services like XAMPP. The botnet dynamically updates and expands its reach while targeting specific sectors, including crypto-related services, revealing significant risks in server security.

https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/

27 Malicious Npm Packages Used as Phishing Infrastructure to Steal Login Credentials

27 malicious npm packages were discovered in a phishing campaign targeting U.S. and allied organizations, primarily in sales and commercial sectors. The campaign utilized these packages to host phishing infrastructure, mimicking document-sharing portals and Microsoft sign-in pages, to steal login credentials from their targets. Attackers embedded client-side scripts to avoid detection and included checks to filter out bots. Notably, the campaign hard-coded specific email addresses of individuals in targeted firms, raising concerns about the source of this information. To mitigate risks, strong dependency verification, logging unusual CDN requests, enforcing phishing-resistant multi-factor authentication, and monitoring for suspicious activities are recommended.

https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html

State-linked and Criminal Hackers Use Device Code Phishing Against M365 Users

State-linked hackers exploit device code phishing to target Microsoft 365 users, using techniques that impersonate legitimate access workflows. Groups from Russia and China lead recent attacks, employing tools like SquarePhish2 and Graphish phishing kits. This method involves users entering a device code, granting hackers access to their accounts. Cybersecurity firm Proofpoint notes the increased use of this tactic for attacks on various sectors, including government and education.

https://www.cybersecuritydive.com/news/state-linked-criminal-hackers-device-code-phishing-m365/808396/

Yep, Passkeys Still Have Problems

Passkeys still face significant issues in 2025, including vendor lock-in and usability challenges across different ecosystems. Users should engage with Credential Managers like Bitwarden, avoid relying solely on platform managers (Apple, Google, Microsoft), and consider Yubikeys for important accounts. The introduction of the FIDO Credential Exchange Specification offers some hope for transitioning between providers, but day-to-day usability remains problematic. Active user education on how Passkeys work and the benefits of robust Credential Managers is crucial to overcoming barriers to adoption. Miscommunication and forced options by service providers exacerbate user confusion and trust issues. Ultimately, a focus on user control and education is imperative to safely navigate the evolving landscape of digital security.

https://fy.blackhats.net.au/blog/2025-12-17-yep-passkeys-still-have-problems/

Microsoft 365 Users Targeted in Device Code Phishing Attacks

Microsoft 365 users are targeted by phishing attacks exploiting OAuth 2.0 device authorization. Attackers trick users into granting access tokens via emails with misleading content. Tools like Squarephish and Graphish facilitate these campaigns, allowing low-skilled actors to launch sophisticated attacks. Mitigation strategies include implementing Conditional Access policies to block or restrict device code flows.

https://www.helpnetsecurity.com/2025/12/18/microsoft-365-device-code-phishing/

New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale

TLDR: New phishing kits like BlackForce, GhostFrame, InboxPrime AI, and Spiderman use advanced tactics, including AI and MFA bypass, to steal credentials at scale. BlackForce targets brands, GhostFrame hides in iframes, InboxPrime automates email campaigns, and Spiderman replicates bank pages for European targets. These innovations make phishing attacks easier to execute and more difficult to detect.

https://thehackernews.com/2025/12/new-advanced-phishing-kits-use-ai-and.html

New ConsentFix Attack Hijacks Microsoft Accounts Via Azure CLI

ConsentFix attack hijacks Microsoft accounts via Azure CLI without passwords or MFA. It tricks users into submitting OAuth codes through a fake CAPTCHA on compromised sites, giving attackers full access to accounts using Azure authentication. Monitoring for unusual Azure CLI activity is recommended to detect this threat.

https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijacks-microsoft-accounts-via-azure-cli/

Scroll to Top