    New Phishing Attack Steals Logins Even With Two-Factor Authentication On
    Cybersecurity
    Important
    4 min read


    Cybercriminals are using fake code of conduct emails to bypass two-factor authentication and steal Microsoft account access. Here's what you need to know.

    Source

    GetCyberRight Intelligence

    Original headline: AiTM Phishing Bypasses Two-Factor Auth

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Monday, May 4, 2026

    What Happened

    Microsoft recently exposed a sophisticated phishing campaign that successfully steals account access even when two-factor authentication is turned on. This attack uses fake workplace code of conduct notifications to trick employees into handing over their login credentials. The technique, called Adversary-in-the-Middle (AiTM) phishing, represents a significant escalation in cybercriminal capabilities.

    The Details

    Here's how this attack works. You receive an email that looks like it's from your company's HR department about reviewing an updated code of conduct or employee policy. The email appears legitimate and creates urgency, suggesting you need to review and acknowledge the document immediately.

    When you click the link, you're taken to what looks exactly like your company's Microsoft login page. You enter your username and password. When prompted for your two-factor authentication code, you enter that too. Everything seems normal, and you might even see the document you expected.

    What you don't see is the attacker sitting in the middle of this transaction, passing your keystrokes through to the real Microsoft login page and the real responses back to you. They're capturing everything in real time, including the session token your browser receives after you successfully log in. This token is the digital key that proves you've already passed security checks. By stealing this token, attackers can access your account without needing your password or two-factor code again.
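As an added illustration (not part of the original report), here is how a security team might spot this token theft in sign-in records: the victim passes the two-factor check from their own address, and minutes later the same session is used from somewhere else. The log layout, the sample events and the 30-minute window are assumptions made for this example.

```python
"""Flag sessions whose token is used from a different address than the one
that passed MFA. Added example; the log format below is a constructed,
simplified model, not a real Microsoft log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Each row is:
# (timestamp, user, session_id, source_ip, mfa_satisfied_interactively)
SAMPLE_EVENTS = [
    ("2026-05-04T09:00:00", "alice@example.com", "sess-1", "203.0.113.10", True),
    # Three minutes later the same session appears from another address with
    # no new MFA prompt: the pattern a stolen session token produces.
    ("2026-05-04T09:03:00", "alice@example.com", "sess-1", "198.51.100.7", False),
    ("2026-05-04T09:30:00", "bob@example.com", "sess-2", "203.0.113.20", True),
    # Bob's later token use comes from the same address: normal behaviour.
    ("2026-05-04T10:15:00", "bob@example.com", "sess-2", "203.0.113.20", False),
]


def find_token_replays(events, window=timedelta(minutes=30)):
    """Return (user, session_id, mfa_ip, replay_ip) for each session whose
    token is reused from a different IP than the MFA sign-in within `window`."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, mfa in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, mfa))

    alerts = []
    for sid, rows in by_session.items():
        rows.sort()  # chronological order within the session
        mfa_rows = [r for r in rows if r[3]]
        if not mfa_rows:
            continue  # no interactive MFA sign-in to anchor on
        mfa_time, user, mfa_ip, _ = mfa_rows[0]
        for t, _, ip, mfa in rows:
            if not mfa and ip != mfa_ip and timedelta(0) <= t - mfa_time <= window:
                alerts.append((user, sid, mfa_ip, ip))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for user, sid, mfa_ip, replay_ip in find_token_replays(SAMPLE_EVENTS):
        print(f"possible AiTM token replay: {user} session {sid} "
              f"passed MFA from {mfa_ip}, then used from {replay_ip}")
```

Signing the user out of all sessions (step 6 below) invalidates the stolen token that this check detects.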

    Who Is Affected

    This campaign primarily targets working professionals who use Microsoft 365 for work. If you use Outlook, Teams, SharePoint, or OneDrive through your employer, you're a potential target. The attackers are specifically going after business accounts because they offer access to sensitive company data, financial information, and additional employee accounts.

    Remote workers and hybrid employees face heightened risk. When you're not in the office, you're more likely to handle official communications through email alone, making it harder to verify whether that policy update is real.

    What You Should Do Right Now

    1. Never click links in unexpected emails about policy updates or required actions. Instead, open a new browser tab and go directly to your company portal or contact HR directly using a known phone number.


    2. Check the actual web address before entering any login credentials. The fake login pages often use addresses that look similar but aren't quite right (like "microsoftonline-verify.com" instead of the real Microsoft domain). Hover over links before clicking to see where they really go.

    3. Enable phishing-resistant authentication on your Microsoft account. Ask your IT department about upgrading to passwordless options like Windows Hello, the Microsoft Authenticator app with number matching, or physical security keys.

    4. Report suspicious emails to your IT or security team immediately. Forward the entire email without clicking anything. Your report might prevent coworkers from falling victim to the same attack.

    5. If you think you entered credentials on a suspicious page, act within minutes. Change your password immediately, sign out of all active sessions in your account settings, and notify your IT security team right away.

    The Bigger Picture
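An added example, not from the original article, of the web-address check applied in code: it pulls the links out of an email's text and flags any host that mentions Microsoft but is not an exact HTTPS match for a trusted sign-in host, which catches the "microsoftonline-verify.com" style of address above. The trusted-host list and brand words are illustrative assumptions, not an official list.

```python
"""Classify links in an email by whether they really point at a trusted
Microsoft sign-in host. Added example; the lists below are assumptions."""
import re
from urllib.parse import urlsplit

# Illustrative allowlist of sign-in hosts (assumption; an organization would
# maintain its own list of the hosts it actually uses).
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}
# Brand words whose presence in an untrusted host suggests a lookalike.
BRAND_WORDS = ("microsoft", "office", "outlook", "sharepoint", "onedrive")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_login_link(url):
    """Return 'trusted', 'suspicious' or 'unknown' for one URL.

    'suspicious' covers hosts that borrow a Microsoft brand word without being
    an exact trusted host (including a trusted name used as a subdomain of
    someone else's domain) and trusted hosts reached over plain http.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if host in TRUSTED_LOGIN_HOSTS:
        # The real sign-in page is only ever served over HTTPS.
        return "trusted" if parts.scheme == "https" else "suspicious"
    if any(word in host for word in BRAND_WORDS):
        return "suspicious"
    return "unknown"


def check_links(email_text):
    """Map every http(s) link found in the text to its classification."""
    return {u: classify_login_link(u) for u in URL_RE.findall(email_text)}


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = (
    "Please review and acknowledge the updated code of conduct at "
    "https://microsoftonline-verify.com/login by end of day. "
    "The policy PDF is also on the intranet: https://intranet.example.org/hr"
)

if __name__ == "__main__":
    for link, verdict in check_links(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {link}")
```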

    This attack proves that two-factor authentication, while essential, isn't a magic shield. Cybercriminals are constantly adapting their techniques to overcome our defenses. The most effective protection combines technical safeguards with human awareness. Staying informed about evolving threats helps you recognize attacks that bypass traditional security measures. That's why regular cybersecurity education matters for everyone in your household, not just the tech-savvy members.

    How GetCyberRight Can Help

    Our GCR Scam Guard tool helps you identify suspicious links and phishing attempts before you click. When you're unsure whether an email is legitimate, Scam Guard analyzes the link and warns you about red flags that signal phishing attacks. It's an extra layer of protection that works alongside your existing security measures, giving you confidence before you click on anything unexpected.

    Protect Yourself

    Use our GCR Scam Guard to check if you're affected and take action.


    Curated from trusted cybersecurity sources by GetCyberRight
