Cybersecurity experts have identified a phishing kit called “SessionShark” that can bypass Office 365’s multi-factor authentication (MFA). This tool steals session tokens, allowing attackers to access accounts without needing the additional passcode MFA requires. SessionShark is marketed within criminal networks, claiming to be for educational purposes while actually designed for malicious use. It enables threat actors to intercept login credentials and session cookies, bypassing MFA protections by targeting session tokens that validate previous logins.
The SessionShark tool functions as an “adversary-in-the-middle” phishing kit, creating fake login pages that deceive users. When a victim attempts to sign in, SessionShark captures their credentials and session token in real time. This intercepted data is sent to the attacker via Telegram, allowing immediate access to the compromised account.
The tool also integrates with Cloudflare to conceal the attacker’s location, making it harder for security teams to identify and stop the operations.
SessionShark’s creators are leveraging its capabilities to sell it as a service to other cybercriminals. Instead of using these tools directly, criminals are now distributing them, making it easier for more attackers to execute these phishing schemes. The tool provides updates and support, enhancing its utility in widespread cyberattacks. This shift toward offering malicious tools as services underscores the evolving nature of cybercrime, where tools and expertise are being commercialized.
Security experts are focusing on detecting and blocking such tools to protect users from these increasingly sophisticated phishing attacks.
Users are urged to remain vigilant when entering login information online, even when MFA is enabled. Ensuring that they are on the legitimate website before entering credentials is crucial in preventing these types of attacks.
