New Microsoft 365 Attack Can Break 2FA
A new phishing attack can access Microsoft 365 accounts, even if the target has 2FA enabled.
Adding two-factor authentication (2FA) to your accounts is always a good idea, but it is not foolproof. Attackers keep finding ways to get around it and take over accounts. A recent example is a phishing kit that can hijack Microsoft 365 accounts even when the target has 2FA enabled.
Rockstar 2FA is bypassing everyone's 2FA
The Rockstar 2FA phishing kit is a phishing-as-a-service toolkit that cybercriminals can buy on the black market for $200, Trustwave reports. It gives criminals everything they need to break into a Microsoft 365 account, even one protected by 2FA.
Here's how it works: A bad actor sends a phishing email that prompts the target to sign in to their Microsoft 365 account. The lure varies: a notification that a new document has been shared, or a fake problem with the account that must be resolved by signing in. Either way, the link leads to a fake Microsoft 365 sign-in page.
Typically, a phishing attack doesn't get much more complicated than this: the fake page collects the password, and 2FA stops the attacker from using it. But the Rockstar 2FA kit has a trick up its sleeve: it acts as an adversary-in-the-middle (AiTM) reverse proxy. When a user enters a username and password into the fake login page, Rockstar 2FA forwards them in real time to the legitimate Microsoft 365 login page.
Microsoft's servers accept the password and respond with the 2FA prompt. Rockstar 2FA relays that prompt to the user, who completes it on the phishing page as if it were the real one; the kit forwards the response, and Microsoft issues an authenticated session cookie to the proxy. The attacker keeps that cookie and replays it from their own browser, so they never need the password again or a fresh 2FA code: the session cookie, not the code, is the prize.
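The relay described above, modeled in code. This is an added example, not code from the article or from the Rockstar 2FA kit: the origins, user, password and secrets are constructed, the identity provider is a minimal stand-in for Microsoft's login service, and an HMAC stands in for the authenticator's asymmetric signature so it runs with the standard library only. It shows why the relay succeeds against a one-time code (anything holding the current code gets a session) and fails against an origin-bound factor such as FIDO2/WebAuthn, where the browser signs the origin it is actually talking to.

```python
"""Model of an AiTM phishing proxy relaying a victim's sign-in to the real IdP.
Added example; all hosts, users and secrets below are constructed."""
import hashlib, hmac, json, secrets, struct

LEGIT_ORIGIN = "https://login.example.com"   # constructed stand-in for the real IdP
PHISH_ORIGIN = "https://login-example.evil"  # constructed phishing domain


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), as an authenticator app computes it."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """Minimal IdP: password + TOTP, or password + origin-bound WebAuthn-style assertion."""

    def __init__(self):
        self.users = {}       # user -> {"pw", "totp", "key"}
        self.sessions = {}    # session cookie -> user
        self.challenges = {}  # user -> outstanding WebAuthn challenge

    def register(self, user, password, totp_secret, authenticator_key):
        self.users[user] = {"pw": password, "totp": totp_secret, "key": authenticator_key}

    def login_password_totp(self, user, password, code, now):
        """Classic second factor: whoever presents the current code gets a session."""
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["pw"], password):
            return None
        if not hmac.compare_digest(totp(u["totp"], now), code):
            return None
        return self._issue_session(user)

    def begin_webauthn(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_webauthn(self, user, assertion):
        """Origin-bound second factor: the browser records the origin it talked to in
        clientData, and the IdP refuses anything not signed for its own origin."""
        u = self.users.get(user)
        if not u:
            return None
        client_data = json.loads(assertion["client_data"])
        if client_data.get("origin") != LEGIT_ORIGIN:
            return None  # signed for the phishing domain: the relay fails here
        if client_data.get("challenge") != self.challenges.pop(user, None):
            return None
        expected = hmac.new(u["key"], assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        """What a replayed cookie is worth: the user it was issued to, or None."""
        return self.sessions.get(cookie)


class Authenticator:
    """The user's security key: signs the challenge together with the origin the browser saw."""

    def __init__(self, key):
        self.key = key

    def sign(self, challenge, origin):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


def aitm_totp_attack(idp, user, password, code, now):
    """The proxy relays the phished password and code to the real IdP and keeps the cookie."""
    captured_cookie = idp.login_password_totp(user, password, code, now)
    return idp.whoami(captured_cookie)


def aitm_webauthn_attack(idp, authenticator, user):
    """The proxy relays the challenge, but the victim's browser is on the phishing
    origin, so the assertion is bound to PHISH_ORIGIN and the IdP rejects it."""
    challenge = idp.begin_webauthn(user)
    assertion = authenticator.sign(challenge, PHISH_ORIGIN)
    return idp.whoami(idp.finish_webauthn(user, assertion))


def demo():
    idp = IdentityProvider()
    totp_secret, key = b"constructed-totp-seed", b"constructed-authenticator-key"
    idp.register("alice", "hunter2", totp_secret, key)
    now = 1_700_000_000
    return {
        "totp_relay": aitm_totp_attack(idp, "alice", "hunter2", totp(totp_secret, now), now),
        "webauthn_relay": aitm_webauthn_attack(idp, Authenticator(key), "alice"),
    }


if __name__ == "__main__":
    print(demo())  # {'totp_relay': 'alice', 'webauthn_relay': None}
```

The TOTP path succeeds because the code proves nothing about where it was typed; the WebAuthn path fails at the origin check before the signature is even examined. Push approvals and SMS codes sit on the TOTP side of this line.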
How to stay safe from Rockstar 2FA
Fortunately, while Rockstar 2FA is dangerous, it still relies on traditional phishing tactics: the victim has to click the link and sign in on the attacker's domain. If you take the time to learn what phishing is and how to avoid it, and check the address bar before entering credentials, you can avoid this attack. For stronger protection, use phishing-resistant 2FA such as FIDO2 security keys or passkeys, which bind the sign-in to the real site's origin so a proxy on another domain cannot relay it. Administrators should also watch sign-in logs for a session that appears from a new network shortly after an interactive sign-in, and revoke the affected sessions rather than only resetting the password.
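A detection sketch for the session-cookie theft described in this article. This is an added example, not anything from the article or from Microsoft: the sign-in records are constructed, and the field names are this example's own, loosely modeled on what an identity provider's sign-in log carries (time, user, session id, source network, whether the sign-in was interactive, how MFA was satisfied). It anchors each session on the interactive sign-in that satisfied MFA and flags later use of the same session from a different network.

```python
"""Flag session cookies used from a different network than the one that completed MFA.
Added example; SAMPLE_SIGNINS is constructed and the field names are this example's own."""
from datetime import datetime, timedelta

SAMPLE_SIGNINS = [  # constructed: alice's session is replayed from another ASN/country
    {"time": "2024-11-26T09:00:05Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "GB", "interactive": True, "mfa": "satisfied"},
    {"time": "2024-11-26T09:03:40Z", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.77", "asn": "AS64511", "country": "NG", "interactive": False, "mfa": "claim_in_token"},
    {"time": "2024-11-26T09:10:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.20", "asn": "AS64500", "country": "GB", "interactive": True, "mfa": "satisfied"},
    {"time": "2024-11-26T09:45:00Z", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "203.0.113.21", "asn": "AS64500", "country": "GB", "interactive": False, "mfa": "claim_in_token"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replay(records, window=timedelta(hours=24)):
    """For each session, anchor on the interactive sign-in that satisfied MFA, then flag
    later uses of the same session from a different ASN or country. Comparing ASN and
    country rather than raw IP keeps a user changing addresses on one carrier quiet."""
    by_session = {}
    for rec in sorted(records, key=lambda r: parse_time(r["time"])):
        by_session.setdefault(rec["session_id"], []).append(rec)
    alerts = []
    for session_id, events in by_session.items():
        anchor = next((e for e in events if e["interactive"] and e["mfa"] == "satisfied"), None)
        if anchor is None:
            continue  # no interactive MFA sign-in for this session: nothing to compare against
        t0 = parse_time(anchor["time"])
        for e in events:
            age = parse_time(e["time"]) - t0
            if e is anchor or age < timedelta(0) or age > window:
                continue
            if e["asn"] != anchor["asn"] or e["country"] != anchor["country"]:
                alerts.append({
                    "user": e["user"],
                    "session_id": session_id,
                    "mfa_from": anchor["ip"],
                    "replayed_from": e["ip"],
                    "minutes_after_mfa": round(age.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_SIGNINS):
        print(alert)
```

Two caveats when running something like this against real logs. In an AiTM attack the interactive sign-in itself comes from the proxy's hosting network, not from the victim, so an interactive MFA sign-in from a network never seen for that user is a second signal worth alerting on independently. And an alert is only useful if the response revokes the session; a password reset alone does not invalidate a cookie the attacker already holds.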