New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake login pages and Telegram alerts.

SlashNext security experts have discovered a new tool called “SessionShark” used by cyber criminals to steal login information for Microsoft Office 365. This tool can bypass multi-factor authentication (MFA), a security feature that requires a phone code in addition to a password to add another layer of security.

SlashNext’s research, shared exclusively with Hackread.com, revealed that online advertisements for SessionShark were found on secret cybercrime networks, indicating the tool was designed to steal session tokens, which are special keys that allow users to stay logged in without having to enter their password every time. Once a criminal has this token, they can get into your Office 365 account even if you have MFA turned on, because the key proves you’ve logged in.

Researchers explained that by stealing this session cookie, “attackers can bypass MFA controls and access the account without needing the one-time passcode.” This makes the extra security of MFA useless in this type of attack.

The creators of SessionShark are trying to sell it to other criminals by saying it’s “for educational purposes,” but security experts say this is just a way to hide what it’s really for. It is designed to aid criminals’ success.

Source: SlashNext

For example, it can pretend to be a real Office 365 login page, fooling users easily. It operates as an “adversary-in-the-middle” (AiTM) phishing kit. This means that when a victim tries to log in to Office 365 through a fake website created by SessionShark, the attacker secretly intercepts their username, password, and importantly, the session token, in real time. It offers a logging panel for operators and integrates with a Telegram bot for real-time “Instant Session Capturing.” This allows threat actors to receive real-time alerts with the victim’s email, password, and session cookie.

Moreover, it works well with Cloudflare, a service that hides the real location of a website, making it harder for security teams to track down and shut down criminal operations. The tool also tries to avoid being noticed by threat intelligence systems, which are databases of known malicious websites and activities. SessionShark also allows criminals to quickly send stolen data directly to the attacker’s phone using Telegram, allowing instant access.

According to SlashNext’s blog post, the way SessionShark is being sold shows a growing trend in cybercrime. Instead of just creating and using these tools themselves, criminals are now selling them to others as a service, complete with support and updates. This makes it easier for more people to carry out these kinds of attacks.

Security teams are now working to find ways to detect and block tools like SessionShark to protect users. Meanwhile, it is crucial to be very careful online, especially when entering your login information. Even with extra security like MFA, make sure you are on the real website before typing in your username and password.
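
One way to look for the session-token replay described above is to flag a session ID that reappears from a different network and a different client than the one that originally signed in. This is an added example, not code from SlashNext or Hackread; the event fields, the sample log lines and the /24 network comparison are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sign-in events. Field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2025-04-24T09:00:05", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.23", "ua": "Chrome/124 Windows"},
    {"time": "2025-04-24T09:20:41", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.40", "ua": "Chrome/124 Windows"},   # same /24, same client
    {"time": "2025-04-24T09:31:12", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.77", "ua": "Firefox/125 Linux"},     # new network and client
    {"time": "2025-04-24T10:02:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Edge/124 Windows"},
    {"time": "2025-04-24T10:45:30", "user": "bob@example.com", "session": "s-2002",
     "ip": "192.0.2.10", "ua": "Edge/124 Windows"},
    {"time": "2025-04-24T11:00:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "198.51.100.200", "ua": "Safari/17 macOS"},
    {"time": "2025-04-24T11:40:00", "user": "carol@example.com", "session": "s-3003",
     "ip": "203.0.113.5", "ua": "Safari/17 macOS"},        # roaming: new IP, same client
]


def network(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so small address changes are ignored."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events):
    """Flag events that reuse a session from a new network AND a new client."""
    issued = {}   # session id -> first event seen (where the login completed)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        first = issued.setdefault(ev["session"], ev)
        if first is ev:
            continue  # this event established the session baseline
        new_network = network(ev["ip"]) != network(first["ip"])
        new_client = ev["ua"] != first["ua"]
        if new_network and new_client:
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "time": ev["time"], "ip": ev["ip"],
                           "issued_ip": first["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print("possible session replay:", alert)
```

Requiring both signals keeps ordinary roaming (a new IP on the same browser) from raising an alert, at the cost of missing an attacker who copies the victim's user agent.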
