Phishing Campaign Bypasses MFA on Microsoft 365, Affecting Hundreds of Organizations Across 5 Countries
What Happened — A coordinated phishing operation used a spoofed Microsoft 365 sign‑in page to collect victims' passwords and one‑time MFA codes and replay them against the genuine login flow in real time, giving the attackers valid session tokens rather than just credentials. The campaign was observed in five countries and compromised accounts at hundreds of organizations.
Why It Matters for TPRM —
- MFA bypasses undermine a core security control many third‑party risk programs rely on.
- Successful credential theft can lead to data exfiltration, ransomware deployment, or lateral movement within vendor environments.
- The attack surface includes any SaaS application that federates sign‑in to Microsoft 365: a stolen session for the identity also grants access to every downstream application that trusts it.
Who Is Affected — Cloud‑based SaaS vendors, MSPs, and any enterprise that uses Microsoft 365 for email, collaboration, or identity management.
Recommended Actions —
- Review MFA implementation: a code the user types can be relayed to the genuine sign‑in exactly as this campaign did, so move privileged and high‑value users to phishing‑resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) and use Conditional Access to restrict “remember me” and persistent browser sessions.
- Conduct credential‑theft simulations that include a fake MFA prompt, and phishing awareness training for all users with Microsoft 365 access.
- Verify that logging and alerting for anomalous sign‑in locations and impossible‑travel events are enabled.
- Treat a confirmed compromise as a live session, not only a leaked password: revoke the account's sign‑in sessions and refresh tokens as well as resetting the password, since the attackers already hold a valid session token.
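The impossible‑travel check in the last recommendation, as an added example that is not code from the advisory, TechRepublic, or Microsoft. The records are constructed; their field names follow the Entra ID sign‑in log export (userPrincipalName, createdDateTime, ipAddress) but the values, the city coordinates and the speed threshold are assumptions. One of the constructed users shows the pattern this campaign produces: a legitimate sign‑in followed minutes later by the relayed session in use from another continent.

```python
"""Impossible-travel check over constructed Microsoft 365 sign-in records.

Added example for this advisory, not vendor or Microsoft code. Field names follow
the Entra ID sign-in log export, but every record below is constructed; the
coordinates are approximate city centres and the threshold is an assumption.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumption: roughly airliner speed; tune per tenant

# Constructed sample sign-ins (not real data). All timestamps are UTC.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.11", "city": "London", "lat": 51.5074, "lon": -0.1278},
    # Alice "signs in" from Lagos twelve minutes later: the relayed session in use.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:12:00Z",
     "ipAddress": "198.51.100.7", "city": "Lagos", "lat": 6.5244, "lon": 3.3792},
    # Bob reaches Manchester two hours later: ordinary travel, must not alert.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T10:00:00Z",
     "ipAddress": "203.0.113.12", "city": "Manchester", "lat": 53.4808, "lon": -2.2426},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(stamp):
    """Sign-in log timestamps are ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """One finding per consecutive sign-in pair (same user) whose implied speed
    exceeds max_speed_kmh. Pairs from the same egress IP are skipped."""
    findings = []
    by_user = {}
    for rec in signins:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            if prev["ipAddress"] == cur["ipAddress"]:
                continue  # same address: no movement to evaluate
            distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            elapsed = parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])
            hours = elapsed.total_seconds() / 3600
            # Two locations at the same instant is an infinite speed, not a divide-by-zero.
            speed = float("inf") if hours == 0 else distance / hours
            if distance > 0 and speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"],
                                 "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"],
                                 "distance_km": round(distance), "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_SIGNINS):
        print(f"IMPOSSIBLE TRAVEL {f['user']}: {f['from']} -> {f['to']} "
              f"{f['distance_km']} km in {f['hours']} h ({f['speed_kmh']} km/h)")
```

On the constructed input only Alice is flagged (about 5,000 km in twelve minutes); Bob's London to Manchester trip is roughly 260 km in two hours and stays under the threshold. In production the geolocation comes from the log's location fields rather than hard‑coded coordinates, and the threshold should allow for VPN egress points that legitimately jump between cities.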
Technical Notes — The attackers used a classic credential‑phishing email that directed victims to a spoofed Microsoft login page. Once the user entered their password, the page prompted for the MFA code, which was forwarded to the attacker in real time and submitted to the genuine sign‑in before it expired, yielding a valid session. No new CVE was disclosed; the technique abuses the legitimate “prompt for code” flow rather than a flaw in it, which is why it works against any MFA method whose proof is a code the user can type. Data types at risk include email content, SharePoint files, and Teams communications. Source: TechRepublic Security
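To make the Technical Notes concrete, the following is an added example (not code from the advisory or TechRepublic) that models both sides of the relay: a toy identity provider, the victim's authenticator, and a phishing proxy that forwards whatever the victim produces. The class and function names, the two hypothetical origins, the constructed user secrets, and the HMAC used as a stand‑in for a FIDO2 authenticator's signature are all assumptions made for illustration. It shows why the relayed one‑time code is accepted while an origin‑bound assertion is not, which is the basis for the phishing‑resistant MFA recommendation above.

```python
"""Why a typed one-time code can be relayed but an origin-bound credential cannot.

Added example, not code from the original advisory. It models the flow in the
Technical Notes: a spoofed sign-in page collects the password and MFA code and
replays them to the genuine identity provider in real time. Names, origins and
the HMAC standing in for an authenticator signature are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example-idp.test"         # hypothetical genuine origin
PHISH_ORIGIN = "https://login.example-idp-verify.test"  # hypothetical lookalike origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """Toy IdP supporting password+TOTP and password-less origin-bound assertions."""

    def __init__(self):
        self.users = {}
        self.pending = set()  # challenges issued but not yet consumed

    def register(self, username, password, totp_secret, device_key):
        self.users[username] = {"password": password, "totp_secret": totp_secret,
                                "device_key": device_key}

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def login_with_otp(self, username, password, code, unix_time):
        u = self.users.get(username)
        if u is None or not hmac.compare_digest(u["password"], password):
            return None
        # Nothing in a six-digit code records which page it was typed into.
        if not hmac.compare_digest(totp(u["totp_secret"], unix_time), code):
            return None
        return "session-" + secrets.token_hex(8)

    def login_with_assertion(self, username, assertion):
        u = self.users.get(username)
        if u is None or assertion["challenge"] not in self.pending:
            return None
        self.pending.discard(assertion["challenge"])
        signed = assertion["challenge"] + assertion["origin"].encode()
        expected = hmac.new(u["device_key"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None  # origin field was altered after signing
        if assertion["origin"] != LEGIT_ORIGIN:
            return None  # signed honestly, but for a page that is not ours
        return "session-" + secrets.token_hex(8)


class Authenticator:
    """Stand-in for a FIDO2 authenticator: the browser supplies the origin it is really on."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        sig = hmac.new(self.device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()
        return {"challenge": challenge, "origin": browser_origin, "signature": sig}


def relay_otp(idp, username, password, totp_secret, unix_time):
    """Victim types password and code at PHISH_ORIGIN; the proxy replays them to the real IdP."""
    typed_code = totp(totp_secret, unix_time)  # what the victim reads from their app
    return idp.login_with_otp(username, password, typed_code, unix_time)


def relay_assertion(idp, username, authenticator, tamper_origin=False):
    """Proxy fetches a genuine challenge, the victim's browser (at PHISH_ORIGIN) signs it,
    the proxy forwards it, optionally rewriting the origin field to look genuine."""
    challenge = idp.new_challenge()
    assertion = authenticator.sign(challenge, PHISH_ORIGIN)
    if tamper_origin:
        assertion = dict(assertion, origin=LEGIT_ORIGIN)
    return idp.login_with_assertion(username, assertion)


def legitimate_assertion(idp, username, authenticator):
    """The same authenticator used on the genuine page succeeds."""
    challenge = idp.new_challenge()
    return idp.login_with_assertion(username, authenticator.sign(challenge, LEGIT_ORIGIN))


def build_demo_idp():
    """Constructed user with fixed secrets so the outcome is reproducible."""
    idp = IdentityProvider()
    idp.register("victim@example.com", "Winter2024!", b"constructed-totp-secret",
                 b"constructed-device-key")
    return idp


if __name__ == "__main__":
    idp, auth = build_demo_idp(), Authenticator(b"constructed-device-key")
    print("OTP relayed :", relay_otp(idp, "victim@example.com", "Winter2024!",
                                     b"constructed-totp-secret", 1700000000))
    print("FIDO relayed:", relay_assertion(idp, "victim@example.com", auth))
    print("FIDO forged :", relay_assertion(idp, "victim@example.com", auth, tamper_origin=True))
    print("FIDO genuine:", legitimate_assertion(idp, "victim@example.com", auth))
```

The OTP relay returns a session because the code is valid wherever it is typed; the relayed assertion fails on the origin check, and rewriting the origin fails the signature check, because the origin is inside the signed data. Real WebAuthn carries the origin in the signed clientDataJSON and uses a public‑key signature rather than HMAC, but the property the example isolates is the same.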