Cybersecurity experts have raised concerns about a new phishing tool known as “SessionShark,” which poses a significant threat to users of Microsoft Office 365. This tool has the ability to bypass multi-factor authentication (MFA), a security measure that adds an extra layer of protection by requiring users to input a phone code in addition to their password.
SessionShark was discovered by SlashNext security experts, who found advertisements for the tool on underground cybercrime networks. The ads indicate that SessionShark is specifically designed to steal session tokens, the unique keys that let users remain logged in without re-entering their password every time they access their account. With this token, cyber criminals can get into an Office 365 account even if MFA is enabled, because the token serves as proof that the login has already taken place.
By exploiting this session token, attackers can circumvent MFA controls and gain unauthorized access to the targeted account without the need for a one-time passcode. This renders the additional security layer provided by MFA ineffective in preventing such attacks.
Although the creators of SessionShark claim that the tool is intended for educational purposes, security experts believe that this is merely a facade to conceal its true malicious intent. The tool is designed to facilitate criminal activities and enhance the success rate of cyber attacks.
SessionShark operates as an adversary-in-the-middle (AiTM) phishing kit, masquerading as a legitimate Office 365 login page to deceive unsuspecting users. It features a logging panel for operators and integrates with a Telegram bot for real-time “Instant Session Capturing,” enabling threat actors to receive immediate alerts containing stolen user credentials and session cookies. This real-time interception of login information poses a significant risk to user data security.
Furthermore, SessionShark is designed to work seamlessly with Cloudflare, a service that obfuscates the true location of a website, making it challenging for security teams to trace and shut down illicit operations. The tool also employs tactics to evade detection by threat intelligence systems that identify and blacklist malicious websites and activities. Additionally, SessionShark enables cyber criminals to quickly transmit stolen data to their devices via Telegram, facilitating rapid access to pilfered information.
Security experts have noted a troubling trend in cybercrime, as criminals are now selling tools like SessionShark as a service to other malicious actors, complete with ongoing support and updates. This commodification of cyber attack tools makes it easier for a wider range of individuals to engage in cyber criminal activities.
In response to the increasing threat posed by tools like SessionShark, security teams are actively researching ways to detect and block such malicious tools to safeguard user data. It is imperative for users to exercise caution and vigilance when sharing their login information online, even when utilizing additional security measures like MFA. Verifying the authenticity of websites before entering sensitive data is crucial in mitigating the risk of falling victim to phishing attacks.
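One way a defender could look for the session-token reuse described above, as an added example that is not from SlashNext or the original article: it flags a session that is later used from a different IP address and a different user agent than the one that signed in. The event fields, sample values and the one-hour window are assumptions constructed for illustration, not a real Office 365 log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions to map onto your own logs.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "198.51.100.10", "user_agent": "Edge/Windows"},
    {"time": "2025-01-10T09:07:00", "user": "alice@example.com", "session_id": "s-1001",
     "ip": "203.0.113.77", "user_agent": "Chrome/Linux"},    # new IP and new client
    {"time": "2025-01-10T10:00:00", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "192.0.2.5", "user_agent": "Safari/macOS"},
    {"time": "2025-01-10T10:20:00", "user": "bob@example.com", "session_id": "s-2002",
     "ip": "192.0.2.99", "user_agent": "Safari/macOS"},      # IP change only (roaming)
    {"time": "2025-01-10T11:00:00", "user": "carol@example.com", "session_id": "s-3003",
     "ip": "198.51.100.44", "user_agent": "Edge/Windows"},
]

def find_session_replays(events, window=timedelta(hours=1)):
    """Return one finding per session whose token is reused, within `window`
    of the first event, from an IP and user agent that both differ from it."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        origin = evs[0]  # context in which the session was established
        t0 = datetime.fromisoformat(origin["time"])
        for ev in evs[1:]:
            elapsed = datetime.fromisoformat(ev["time"]) - t0
            # Requiring both attributes to change avoids flagging plain network roaming.
            if (elapsed <= window and ev["ip"] != origin["ip"]
                    and ev["user_agent"] != origin["user_agent"]):
                findings.append({"user": ev["user"], "session_id": session_id,
                                 "origin_ip": origin["ip"], "new_ip": ev["ip"],
                                 "new_user_agent": ev["user_agent"],
                                 "seconds_after_login": int(elapsed.total_seconds())})
                break  # one finding per session is enough to trigger review
    return findings

if __name__ == "__main__":
    for finding in find_session_replays(SAMPLE_EVENTS):
        print(finding)
```

A hit is a lead for review rather than proof of compromise; a typical follow-up is revoking the user's active sessions so the captured token stops working.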