SessionShark: The Phishing Kit That Sidesteps Office 365 MFA
Security researchers at SlashNext have uncovered “SessionShark,” a new phishing kit for hire that steals Microsoft Office 365 session tokens and lets criminals bypass multi-factor authentication (MFA). Sold on underground markets, SessionShark spins up convincing fake Office 365 login pages. When a victim enters their credentials, the kit intercepts the username, password and—critically—the live session cookie, forwarding everything to the attacker via a Telegram bot. Possession of that cookie grants immediate account access without requiring the one-time passcode normally demanded by MFA. The kit is Cloudflare-ready, boasts a real-time dashboard for operators and is marketed “for educational use,” a thin veil for criminal intent. Experts warn the rise of such plug-and-play AiTM (adversary-in-the-middle) kits lowers the bar for large-scale token-theft campaigns and urge organisations to tighten phishing defences and monitor for suspicious cookie reuse.
A newly advertised hacking tool dubbed SessionShark is making life easier for cyber-criminals by stealing Office 365 session tokens and skating past multi-factor authentication.
How SessionShark Works
• Look-alike login pages – Victims land on a spoofed Office 365 site and enter their details.
• Token theft in real time – The kit grabs the live session cookie as well as the username and password.
• Telegram alerts – Stolen data is whisked to the attacker instantly through a Telegram bot.
• MFA rendered useless – With the cookie in hand, criminals log straight into the mailbox; no SMS code required.
Why It Matters
SessionShark is sold on dark-web forums complete with user support, highlighting a trend towards phishing-as-a-service. Its Cloudflare compatibility and anti-detection tweaks make takedowns harder and broaden the pool of would-be attackers.
Staying Safe
• Inspect URLs carefully before logging in.
• Use conditional access policies to spot cookie reuse from unusual locations.
• Layered email security and user training remain the best defence against AiTM phishing kits.
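One way to implement the cookie-reuse monitoring suggested above, as an added example that is not part of the original article: a short Python check over constructed sign-in events (the field names are assumptions, not a vendor log schema) that flags a session ID turning up from a new IP address or country shortly after the sign-in that created it, without a fresh MFA claim.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (newline-delimited JSON). The field names are
# assumptions modelled loosely on a cloud sign-in log export, not a vendor schema.
SAMPLE_LOG = """
{"user": "alice@example.test", "sessionId": "sess-a1", "ip": "203.0.113.10", "country": "GB", "time": "2025-05-01T09:00:00+00:00", "mfa": true}
{"user": "alice@example.test", "sessionId": "sess-a1", "ip": "198.51.100.77", "country": "NL", "time": "2025-05-01T09:06:30+00:00", "mfa": false}
{"user": "bob@example.test", "sessionId": "sess-b1", "ip": "203.0.113.22", "country": "GB", "time": "2025-05-01T09:10:00+00:00", "mfa": true}
{"user": "bob@example.test", "sessionId": "sess-b1", "ip": "203.0.113.22", "country": "GB", "time": "2025-05-01T09:45:00+00:00", "mfa": false}
"""

def parse_sign_in_log(text):
    """Parse one JSON event per line, converting the ISO-8601 timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events

def find_session_reuse(events, window_minutes=60):
    """Flag a session ID presented from a different IP or country than the sign-in
    that created it, within window_minutes of that first sign-in and without a new
    MFA claim. A stolen cookie is replayed from the operator's infrastructure soon
    after the victim's genuine sign-in, so the session 'moves' with no MFA prompt."""
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)
    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = evs[0]  # the sign-in that established the session
        for ev in evs[1:]:
            elapsed = ev["time"] - origin["time"]
            moved = ev["ip"] != origin["ip"] or ev["country"] != origin["country"]
            if moved and elapsed <= window and not ev["mfa"]:
                alerts.append({"user": ev["user"], "sessionId": sid,
                               "origin_ip": origin["ip"], "reuse_ip": ev["ip"],
                               "minutes_after_first_sign_in": elapsed.total_seconds() / 60})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(parse_sign_in_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice's session reappears from a Dutch address six and a half minutes after her UK sign-in and is flagged; bob's session stays on one address and is not.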
Even the best MFA strategy can be undermined if users are fooled at the first hurdle—make sure yours aren’t.