CyberheistNews Vol 16 #07 | February 17th, 2026
Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA
KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA).
The victim is directed to a legitimate Microsoft domain to enter an attacker-supplied device code. This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.
Key Takeaways: Campaign at a Glance
- Novel Attack Mechanism: This campaign bypasses traditional security by not stealing credentials. Instead, it tricks the user into authenticating on the legitimate Microsoft domain, and then polls the token endpoint to capture the OAuth Access and Refresh tokens.
- Multi-Factor Authentication (MFA) Bypass: The attack is highly effective because the token theft occurs after the user successfully completes their legitimate MFA challenge.
- Targeting: The campaign is active and ongoing (first observed December 2025), is highly concentrated in North America (with 44%+ of victims in the U.S.), and is notably targeting the tech, manufacturing and financial services sectors.
- Primary Impact: The stolen tokens grant attackers extensive, persistent access to the Microsoft 365 environment, including full read/write/send capabilities for Email, Calendar and Files (OneDrive/SharePoint), and administrative functions.
- Immediate Mitigation: Key defenses include urgently auditing recently consented OAuth applications, searching email logs for specific sender and subject patterns, and for IT/Admin teams, considering the disabling of the device code flow via Conditional Access policies.
Blog post with screenshots of the criminal workflow:
https://weblog.knowbe4.com/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa
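One way to start the audit described in the takeaways above, as an added example that is not KnowBe4's or Microsoft's code: it scans exported sign-in records for successful device code sign-ins to applications outside an approved list. The records are constructed, the allowlist is hypothetical, and the field names are modelled on the Microsoft Graph signIn resource (`authenticationProtocol` in particular is an assumption to confirm against your tenant's export).

```python
import json
from collections import defaultdict

# Constructed sign-in records, one JSON object per line. Field names are
# modelled on the Microsoft Graph signIn resource; authenticationProtocol is
# an assumption to confirm against your own export. errorCode 0 = success;
# the non-zero value below is constructed.
SAMPLE_LOG = """\
{"createdDateTime":"2026-01-12T14:02:11Z","userPrincipalName":"alice@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Constructed Mail Tool","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","status":{"errorCode":0}}
{"createdDateTime":"2026-01-12T14:01:50Z","userPrincipalName":"alice@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Constructed Mail Tool","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","status":{"errorCode":1}}
{"createdDateTime":"2026-01-12T09:15:00Z","userPrincipalName":"bob@example.com","appId":"22222222-2222-2222-2222-222222222222","appDisplayName":"Constructed Portal","authenticationProtocol":"none","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2026-01-12T08:00:00Z","userPrincipalName":"room-display@example.com","appId":"33333333-3333-3333-3333-333333333333","appDisplayName":"Constructed Room Panel","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.10","status":{"errorCode":0}}
{"createdDateTime":"2026-01-13T03:30:00Z","userPrincipalName":"alice@example.com","appId":"11111111-1111-1111-1111-111111111111","appDisplayName":"Constructed Mail Tool","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.99","status":{"errorCode":0}}
not-json
"""

# Hypothetical allowlist: app IDs approved for device code sign-in.
APPROVED_DEVICE_CODE_APPS = {"33333333-3333-3333-3333-333333333333"}


def find_device_code_signins(log_text, approved=APPROVED_DEVICE_CODE_APPS):
    """Return {user: [events]} for successful device code sign-ins to unapproved apps."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(rec, dict):
            continue
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # other protocols are out of scope for this check
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # only completed sign-ins result in issued tokens
        if rec.get("appId") in approved:
            continue
        findings[rec.get("userPrincipalName", "unknown")].append(
            {"time": rec.get("createdDateTime"), "app": rec.get("appDisplayName"),
             "app_id": rec.get("appId"), "ip": rec.get("ipAddress")})
    for events in findings.values():
        events.sort(key=lambda e: e["time"] or "")
    return dict(findings)


def summarize(findings):
    """One line per user: event count, distinct IPs, first time seen."""
    lines = []
    for user, ev in sorted(findings.items()):
        ips = {e["ip"] for e in ev}
        lines.append(f"{user}: {len(ev)} sign-in(s), {len(ips)} IP(s), first {ev[0]['time']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(find_device_code_signins(SAMPLE_LOG))))
```

Each flagged user is a candidate for token revocation and a review of the listed application's consent grant; an empty allowlist shows every device code sign-in in the export.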
Automate Incident Response and Maximize SOC Efficiency
Your security team is drowning in alerts, and threats are slipping through. With SOC teams facing more than 4,400 daily alerts, over 40% of which are false positives, the vast majority of organizations are drowning in backlogs.
The result? A five-hour response gap that leaves threats sitting in your employees’ inboxes for days or even weeks. Stop gambling with unaddressed alerts with technology that collapses the time-to-containment from hours to minutes.
During this demo, you'll discover how PhishER Plus eliminates the dangerous vulnerability window between threat detection and containment by combining triple-validated threat intelligence with human oversight:
- Accelerate response times with AI-powered automation that allows you to code custom rules in plain English, reduces manual email review time by up to 99%, and eliminates alert fatigue
- Leverage unmatched threat intelligence from 13+ million global users, KnowBe4 Threat Research Lab, and leading third-party integrations, catching zero-day threats that bypass SEGs and other ICES defenses
- Maintain full visibility and control over AI-driven decisions with PhishML Insights, eliminating black-box uncertainty and reducing false positives that waste $875K annually
- Remove threats automatically from all mailboxes with Global PhishRIP before users can interact with them, eliminating the risk of employees otherwise falling for the attack
- Convert real attacks into targeted training opportunities with PhishFlip, reinforcing vigilant employee behavior while showcasing security awareness gaps
Discover how PhishER Plus customers achieve 650% ROI within the first 12 months. Transform your employees into your most valuable defenders while meeting SOC efficiency targets.
Date/Time: TOMORROW, Wednesday, February 18 @ 2:00 PM (ET)
Save My Spot:
https://information.knowbe4.com/phisher-demo-2?partnerref=CHN2
Love in the Age of AI – Why 2026 Romance Scams are Almost Impossible to Spot
By Roger Grimes
A heads-up about today’s Valentine’s Day scams…
Valentine’s Day is typically a time for flowers and candlelight, but in recent years the digital dating landscape has shifted from a place of hope to a high-tech minefield. While “catfishing” was once the primary concern for online daters, 2026 has ushered in a more sinister era: the fully AI-enabled romance scam.
The days of spotting a scammer by broken English or blurry photos are officially over. Today’s scammers aren’t just people behind keyboards; they’re AI-powered enterprises using deepfake technology to break hearts and bank accounts.
The Evolution of the Scam – From Stolen Photos to Deepfake FaceTime
For years, the gold standard for verifying an online match was the custom photo request: “Send me a selfie holding today’s newspaper.” In 2026, that test is dead. Scammers can now instantly generate an image of themselves in any location or holding any object. Media alone is no longer proof of identity.
The deception goes even deeper than static images. Scammers are now using:
- Deepfake Video Calls – Real-time face-swapping and AI voice synthesis mean that a video call with your new love interest is no longer a guarantee of safety.
- AI Personas – Automated bots are now capable of maintaining deep, emotional and visually convincing relationships over several months, building a level of trust that feels indistinguishable from a real human connection.
- The Celebrity Trap – By masquerading as famous figures, scammers exploit the emotional investment fans have, sometimes even leading victims to take out second mortgages or alienate family members to “help” their idol.
[CONTINUED] On the KnowBe4 Blog
https://weblog.knowbe4.com/love-in-the-age-of-ai-why-2026-romance-scams-are-almost-impossible-to-spot
[Live Demo] Stop Inbound and Outbound Email Threats
With over 376 billion emails sent daily, your organization faces unprecedented risks from Business Email Compromise (BEC), misdirected sensitive communications and sophisticated AI-driven phishing attacks.
The human element, involved in the vast majority of data breaches, contributes to email-based threats that cost organizations like yours millions annually.
Discover how you can stop up to 97% more attacks and uncover 10x more potential data breaches in your Microsoft 365 environment before they happen.
Join our live demo to see how KnowBe4’s Cloud Email Security seamlessly integrates into Microsoft 365 to enhance its native security while providing the tools needed to identify risky communications before they lead to breaches.
See KnowBe4’s Cloud Email Security in action as we show you how to:
- Defend your organization against sophisticated inbound threats including BEC, supply chain attacks and ransomware
- Prevent costly outbound errors with real-time alerts that stop misdirected emails and unauthorized file sharing
- Enforce information barriers that keep you compliant with industry regulations
- Detect and block data exfiltration attempts before sensitive information leaves your organization
- Customize incident response workflows to match your security team’s needs
Strengthen your security posture with AI-native intelligent email security that reduces human-activated risk and safeguards your organization from inbound and outbound threats.
Date/Time: Wednesday, February 18 @ 1:00 PM (ET)
Save My Spot:
https://information.knowbe4.com/ces-demo-month-2?partnerref=CHN2
Voice Phishing Kits Give Threat Actors Real-Time Control Over Attacks
Researchers at Okta warn that a series of phishing kits have emerged that are designed to help threat actors launch sophisticated voice phishing (vishing) attacks that can bypass multifactor authentication.
“The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user,” Okta says.
“It's this real-time session orchestration that delivers the plausibility required to convince the threat actor’s target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls.”
The phishing kits allow attackers to guide the victim through the attack flow, which proceeds as follows:
- “The threat actor performs reconnaissance on a target, learning the names of users, the apps they commonly use and phone numbers used in IT support calls;
- The threat actor sets a customized phishing page live and calls targeted users, spoofing the phone number of the company or its support hotline;
- The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement;
- The targeted user enters their username and password, which is automatically forwarded to the threat actor’s Telegram channel;
- The threat actor enters the username and password into the legitimate sign-in page of the targeted user and assesses what MFA challenges they’re presented with;
- The threat actor updates the phishing site in real-time with pages that support their verbal ask for the user to enter an OTP, accept a push notification or other MFA challenges.”
Moussa Diallo, threat researcher at Okta Threat Intelligence, stated, “Once you get into the driver’s seat of one of these tools, you can immediately see why we’re observing higher volumes of voice-based social engineering.
“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they’re providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://weblog.knowbe4.com/voice-phishing-kits-give-threat-actors-real-time-control-over-attacks
Are You Ready to Replace Your SEG?
While you’ve invested in secure email gateways (SEGs), a staggering 94% of organizations still experience email security incidents. It's time to evaluate whether your SEG is delivering the protection you need.
This whitepaper explores why 87% of cybersecurity leaders are now looking to replace their SEGs with a modern, integrated security stack.
This essential guide for CISOs provides data-driven insights and a strategic framework for evaluating your email security architecture. Discover:
- An analysis of the advanced phishing attacks that are consistently bypassing SEGs, including a 47% increase in attacks getting through detection
- Why static, rules-based Data Loss Prevention (DLP) is ineffective at mitigating data exfiltration and misdirected emails caused by human error
- How to leverage Microsoft 365 native controls combined with an AI-driven Integrated Cloud Email Security (ICES) solution to stop advanced inbound and outbound threats
- Key considerations for assessing your current email security architecture and determining if it's time to replace your SEG
Download the whitepaper now:
https://information.knowbe4.com/ready-to-replace-seg-wp-chn
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: [NEW PAGE] We Train Humans and AI Agents. Socially engineered or prompt engineered? It’s all human risk.
https://www.knowbe4.com/training-humans-ai-agents
Quotes of the Week
“You will never reach your destination if you stop and throw stones at every dog that barks.”
– Winston Churchill – Statesman (1874 – 1965)
“Start by doing what’s necessary; then do what’s possible; and suddenly you are doing the impossible.”
– Francis of Assisi – Preacher (1181 – 1226)
You can read CyberheistNews online at our Blog
https://weblog.knowbe4.com/cyberheistnews-vol-16-07-uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa
Security News
Callback Phishing and BEC Attacks Surged in Q4 2025
Callback phishing scams surged by 500% last quarter, accounting for 18% of all phishing activity, according to VIPRE’s Email Threat Trends Report for Q4 2025. Callback phishing attacks attempt to trick the victim into calling a phone number and speaking with the scammer directly, allowing the attack to bypass technical security controls.
Additionally, the researchers found that business email compromise (BEC) attempts accounted for 51% of scam email attacks.
“For another consecutive quarter in a row, Impersonation was the dominant BEC email type, accounting for 82% of the total BEC cases,” VIPRE says. “Diversion, or sending fake invoices or payroll requests, accounts for the remaining 18%.
“In Q4, the most frequently impersonated roles were CEOs and senior executives, comprising 50% of impersonation-based BEC emails, or 41% of total BEC emails overall.”
The researchers add, “This says something interesting about the companies that are being targeted. For a CEO to make a direct request regarding the transfer of funds, the organization must be small enough to have intimacy within the hierarchy for that to make sense.
“Or the person being targeted must be high enough in the company to not regard such a proposal from the highest officer unusual. Smaller companies with flat organizational structures, startups with close executive-employee relationships, and financial officers in close contact with the CEO, CFO or C-suite should be especially careful.”
The report found that the manufacturing industry was the most frequently targeted by email-based attacks, followed by the financial and healthcare sectors.
AI-powered security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for evolving social engineering attacks.
VIPRE has the story:
https://finance.yahoo.com/information/cybercriminals-key-attack-vector-trust-140000020.html
Report: AI-Driven Fraud Surged by 1200% in December 2025
AI-driven fraud attacks spiked by more than 1200% in December 2025, according to a new report by Pindrop Security. Threat actors are using AI to assist in every stage of the attack, from deploying bots to conduct reconnaissance to using deepfakes to trick humans.
“According to Pindrop internal data, AI fraud (or non-live fraud) surged 1210% by December 2025,” the researchers write. “From this, it's clear that attackers are rebuilding their operations around AI. But why? Because it's cheaper, faster, harder to detect and startlingly scalable.
“With automated models, today’s attackers don't get tired, don't act on emotion and don't reuse the same face or voice twice. Attackers can train models with rigor, and once trained, these models work nonstop to exploit your vulnerabilities.”
While these attacks are targeting all sectors, Pindrop highlights the healthcare and retail industries as facing particular variations of AI-driven fraud. The researchers observed one major healthcare provider that received 15,000 fraudulent bot calls since the summer of 2025, while the retail sector saw a 330% surge in AI fraud beginning in November.
“Every industry experiences the pain differently, but the fraudster’s playbook is strikingly consistent,” the researchers explain. “In healthcare, bots flood contact centers for recon, aiming to take over patient accounts and gain access to HSA and FSA funds.
“In retail, AI-backed schemes exploit return policies—with micro-transactions compounding to massive losses. Inside corporate channels, AI-generated videos and voices impersonate job candidates to gain system access or high-level executives to execute social engineering scams.
“The tactics differ, but the foundation is the same: convincing, sophisticated AI-backed schemes.”
Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/information/ai-voice-virtual-meeting-fraud/
What KnowBe4 Customers Say
“I wanted to share some very positive feedback about Victoria S., who worked as CSM on the project we ran together.
“Working with her was an excellent experience. Whenever I had a question, she got back to me quickly and clearly. More than that, she really listened to what I needed and went out of her way to help me deliver the best outcome for my end customer.
“This kind of attitude makes all the difference in the day-to-day of a project, and I thought it was important for you to know how much she contributed.”
– A.C., Safety Engineer
