Microsoft’s Office365 2FA/MFA Bypassed by SessionShark Attack

Microsoft’s Office365 multi-factor authentication (MFA) can now be bypassed using SessionShark, an adversary-in-the-middle (AiTM) phishing kit that steals session tokens. This attack renders 2FA useless by capturing authenticated session cookies, allowing attackers to hijack accounts without needing the one-time passcode.

Read the full report: SlashNext

You Should Know: How to Detect & Mitigate SessionShark Attacks

1. Detecting Suspicious Activity

Use these commands to review authentication events on the hosts you manage (they show logons and failures, not Office365 session tokens, which are only visible in the Azure AD sign-in logs):

Linux (Using `journalctl` for Auth Logs)

journalctl -u ssh --no-pager | grep "Failed password"   # unit is "sshd" on RHEL/Fedora
grep "session opened" /var/log/auth.log                  # Debian/Ubuntu path; RHEL uses /var/log/secure

Windows (Check Event Logs for Unusual Logins)

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624, 4625} | Format-Table -AutoSize   # 4624 = logon succeeded, 4625 = logon failed
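Host logs do not show a replayed Office365 cookie; that shows up in the Azure AD sign-in log as the same user appearing from two places within minutes, often with the second sign-in being non-interactive. The following is an added example, not code from the original post or from SlashNext's report. It runs a simple split-session check over constructed sample records; the `Find-SplitSessionSignIns` function, the field names of the flattened records and the sample addresses are assumptions of this example, and the commented `Get-MgAuditLogSignIn` lines show how to feed it real data from the Microsoft.Graph.Reports module.

```powershell
# Added example (not from the original post): flag users whose sign-ins within a
# short window come from more than one country, a common trace of a replayed
# session token. Sample records below are constructed for this example.

function Find-SplitSessionSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # flattened sign-in records
        [int] $WindowMinutes = 60                     # how close two sign-ins must be
    )
    $hits = @()
    foreach ($group in ($SignIns | Group-Object -Property UserPrincipalName)) {
        $events = @($group.Group | Sort-Object -Property CreatedDateTime)
        for ($i = 0; $i -lt $events.Count; $i++) {
            for ($j = $i + 1; $j -lt $events.Count; $j++) {
                $a = $events[$i]; $b = $events[$j]
                $gap = ($b.CreatedDateTime - $a.CreatedDateTime).TotalMinutes
                if ($gap -gt $WindowMinutes) { break }      # sorted, so later pairs are further apart
                if ($a.Country -ne $b.Country) {
                    $hits += [pscustomobject]@{
                        User                 = $group.Name
                        First                = "$($a.CreatedDateTime.ToString('u')) $($a.IpAddress) ($($a.Country))"
                        Second               = "$($b.CreatedDateTime.ToString('u')) $($b.IpAddress) ($($b.Country))"
                        MinutesApart         = [math]::Round($gap)
                        # a non-interactive second sign-in means no password/MFA prompt was shown,
                        # which is exactly what a stolen session cookie produces
                        NonInteractiveReplay = (-not $b.IsInteractive)
                    }
                }
            }
        }
    }
    return $hits
}

# Constructed sample: alice's session reappears from another country 12 minutes later.
$sample = @(
    [pscustomobject]@{ UserPrincipalName='alice@example.com'; CreatedDateTime=[datetime]'2025-04-23T09:00:00Z'; IpAddress='203.0.113.10'; Country='US'; IsInteractive=$true  }
    [pscustomobject]@{ UserPrincipalName='alice@example.com'; CreatedDateTime=[datetime]'2025-04-23T09:12:00Z'; IpAddress='198.51.100.7'; Country='NL'; IsInteractive=$false }
    [pscustomobject]@{ UserPrincipalName='bob@example.com';   CreatedDateTime=[datetime]'2025-04-23T09:05:00Z'; IpAddress='203.0.113.44'; Country='US'; IsInteractive=$true  }
)
Find-SplitSessionSignIns -SignIns $sample | Format-Table -AutoSize

# Production input (Microsoft.Graph.Reports; needs Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"):
# $since = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All | ForEach-Object {
#     [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; CreatedDateTime = $_.CreatedDateTime
#                        IpAddress = $_.IpAddress; Country = $_.Location.CountryOrRegion; IsInteractive = $_.IsInteractive }
# }
# Find-SplitSessionSignIns -SignIns $signIns -WindowMinutes 30
```

Country is a coarse signal; comparing the autonomous system or the device identifier of the two sign-ins gives fewer false positives for travelling users, and a flagged pair should be followed by the revocation step described later in the post.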

2. Preventing Session Hijacking

  • Disable Legacy Authentication (Basic Auth) in Office365. First enable modern (OAuth2) authentication in Exchange Online; Basic Auth itself is then blocked with an authentication policy:
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true 
    
  • Enforce Conditional Access Policies (Azure AD). Policies are created through Microsoft Graph (`Microsoft.Graph.Identity.SignIns`); this one requires a compliant device for Office 365 apps:
    $p = @{ displayName="Require compliant device for Office 365"; state="enabled"; conditions=@{ users=@{ includeUsers=@("All") }; applications=@{ includeApplications=@("Office365") } }; grantControls=@{ operator="OR"; builtInControls=@("compliantDevice") } }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p 
    
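The two bullets above are the skeleton; what actually limits the damage from a stolen cookie is the combination of blocking Basic Auth, binding the session to a managed device and keeping the session short. The following is an added example, not code from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an administrator connection, and a break-glass group ID (placeholder) that you would exclude from any new policy; the policy name and the one-hour sign-in frequency are choices of this example.

```powershell
# Added example (not from the original post). Blocks Basic Authentication in
# Exchange Online and creates a report-only Conditional Access policy for Office
# 365 that requires a compliant device, forbids persistent browser sessions and
# forces re-authentication every hour, so a replayed cookie is short-lived and
# cannot be used from an unmanaged host.

# --- Exchange Online: block Basic Authentication tenant-wide ---
# Connect-ExchangeOnline
# A new authentication policy blocks Basic Auth for every client protocol by default.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# --- Azure AD / Entra ID: Conditional Access, start in report-only mode ---
# Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"
$policy = @{
    displayName = "O365: compliant device, no persistent session"
    state       = "enabledForReportingButNotEnforced"   # review the sign-in log, then set "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<BREAK-GLASS-GROUP-ID>") }  # placeholder
        applications   = @{ includeApplications = @("Office365") }   # the Office 365 app group
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")      # session only usable from an enrolled, compliant device
    }
    sessionControls = @{
        persistentBrowser = @{ isEnabled = $true; mode = "never" }            # no "stay signed in" cookies
        signInFrequency   = @{ isEnabled = $true; type = "hours"; value = 1 }  # stolen session expires quickly
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Report-only mode lets you see which sign-ins the policy would have blocked before it affects anyone; Microsoft has itself disabled Basic Auth for most Exchange Online protocols since October 2022, so the authentication policy mainly matters for tenants with re-enabled exceptions such as SMTP AUTH.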

3. Monitoring Network Traffic for AiTM Attacks

Use Wireshark or tcpdump to spot unusual redirects. The filter below matches TCP segments whose payload starts with `GET ` (0x47455420); it only works on cleartext HTTP, so it is applied to port 80, since on port 443 the request is inside TLS and cannot be matched this way:

tcpdump -i eth0 'port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'   # tcp[12] holds the data offset, used to find the payload start

4. Revoking Stolen Sessions

In Azure AD, force sign-out of all sessions (the AzureAD module is deprecated; the Microsoft Graph equivalent is `Revoke-MgUserSignInSession -UserId <ObjectId>`):

Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -SearchString "<UPN>").ObjectId 
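Revocation is usually done for several accounts at once during an incident, and the analyst needs a record of when it happened so that every later sign-in for those users can be assumed to have passed fresh authentication. The following is an added example, not code from the original post, written against the Microsoft.Graph module; `Revoke-CompromisedUserSessions` and the placeholder UPNs are assumptions of this example.

```powershell
# Added example (not from the original post): revoke every refresh token and
# browser session for a list of users through Microsoft Graph and return a
# timestamped record per account. Assumes a connection such as
# Connect-MgGraph -Scopes "User.ReadWrite.All".

function Revoke-CompromisedUserSessions {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName
    )
    foreach ($upn in $UserPrincipalName) {
        # Double any apostrophe so the value cannot break out of the OData filter string.
        $safeUpn = $upn -replace "'", "''"
        $user = Get-MgUser -Filter "userPrincipalName eq '$safeUpn'" -Property Id,UserPrincipalName
        if (-not $user) {
            Write-Warning "No account found for $upn"
            continue
        }
        # revokeSignInSessions invalidates refresh tokens and session cookies. Access
        # tokens already issued stay valid until they expire (up to about an hour), so
        # the caller should also reset the password and review what happened meanwhile.
        try {
            Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
            $ok = $true
        } catch {
            Write-Warning "Revocation failed for $upn: $($_.Exception.Message)"
            $ok = $false
        }
        [pscustomobject]@{
            User      = $user.UserPrincipalName
            RevokedAt = (Get-Date).ToUniversalTime()
            Success   = $ok
        }
    }
}

# Usage with placeholder UPNs; keep the output with the incident record.
# Revoke-CompromisedUserSessions -UserPrincipalName "<UPN1>","<UPN2>" | Format-Table -AutoSize
```

Because the revocation timestamp is kept, a later run of a sign-in-log check can be limited to events after `RevokedAt`, which is the period in which any attacker-held cookie should no longer work.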

What Undercode Say

SessionShark proves that MFA alone isn’t enough—attackers evolve. Defenses must include:
– FIDO2/WebAuthn (phishing-resistant MFA)
– Network segmentation (restrict Office365 traffic)
– Behavioral analytics (UEBA tools)
– Strict cookie policies (`HttpOnly`, `Secure` flags)

Linux Admins: Use `fail2ban` to block brute-force attempts:

fail2ban-client set sshd banip <ATTACKER_IP> 

Windows Admins: Enable LSA Protection against token theft:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -PropertyType DWord -Force   # takes effect after a reboot

Expected Output: A hardened environment where session hijacking is detected early and mitigated.


Reported By: Charlescrampton Microsofts – Hackers Feeds