CyberWire Daily

Don’t trust that app!

Jan 3, 2026
Selena Larson, a staff threat researcher at Proofpoint, dives into the alarming world of MFA phishing. She outlines how threat actors impersonate legitimate services like Adobe using fake Microsoft OAuth apps, successfully stealing credentials through realistic phishing kits. Larson explains the mechanics of these attacks, including the methods used to bypass MFA and capture sensitive data. She concludes with recommendations for individuals and organizations to bolster security measures and stay vigilant against these evolving threats.
INSIGHT

MFA Phishing Steals The Second Factor

  • MFA phishing steals not only passwords but also the second-factor tokens or session data needed to access accounts.
  • Attackers increasingly use phishing kits to capture MFA details in real time and bypass protections.
ANECDOTE

Business-Relevant Lures Lead To OAuth Pages

  • Phishing emails used business-relevant lures like invoices, quotes, and shared documents to prompt clicks.
  • Clicks led to fake Microsoft OAuth pages that request permissions, then redirect to fake login pages that harvest credentials and MFA details.
INSIGHT

OAuth Consent Used As A Social-Engineering Step

  • The malicious OAuth consent screen is used as a familiar step to lower suspicion before credential capture.
  • Victims are routed to a CAPTCHA and then to a convincing fake Microsoft login page, whether they accept or cancel the consent request.