To be honest, I still don't exactly know how this tool works. What is clear to me is that apparently certain MFA methods don't protect against this; think of 2FA authenticator apps. So I suppose the new and upcoming Passkeys and the already widely used hardware keys like the ones from Google, Yubico and Feitian can block this? https://www.bleepingcomputer.com/ne...campaign-targets-120-000-microsoft-365-users/
Well, from my very simplistic POV, the target victim clicks on a phishing link in an email, and that starts the chain reaction towards getting pwned. At the end of the day, don't click on malicious links.
No, correct: if you don't click on the link, you're fine. But what I meant is that apparently this link will lead to a fake website which actually mirrors the real website. So if you type in your password and the 2FA code, you will actually log in to the real website, so everything looks just fine, but in the background the authentication cookie is stolen. But with many banks over here in Holland (ABN AMRO/ING), with each transaction you need to type in a 2FA code that is generated by a hardware device, so the hackers have no way to transfer money, for example, because they can't generate the 2FA code. So why not implement something like this with MS 365?
Other than user awareness to not click on unsolicited links, 2FA seems to be the best way, so far, to avoid these scams.
Yes, but only 2FA based on hardware devices like YubiKey when securing web services like MS 365, or authenticators like DIGIPASS when securing online banking, see first link. But authentication apps like Google/MS Authenticator and Authy aren't good enough, since they don't protect against phishing and cookie stealing. Actually, I now see that OneSpan even offers passwordless hardware authenticators; these are newly launched products, see second link. https://www.onespan.com/products/hardware-authentication/product-comparison https://www.onespan.com/products/digipass-cx
Yes correct, since it's based on FIDO. I still don't understand why they can't make 2FA authenticators compatible with FIDO.
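The relay described earlier in the thread (mirror site forwards password and code, keeps the cookie) and the reason a FIDO credential is not relayable the same way, as an added example written for this thread. It is not code from the page, from Microsoft, OneSpan, Yubico or any other vendor. It assumes made-up origins (login.example.com as the real service, login.example-com.test as the lookalike), runs everything in one process with no network, and models the authenticator's signature with an HMAC shared key instead of the real public/private keypair; the TOTP part follows RFC 6238. The FIDO part keeps the two checks that matter: the browser refuses to use a credential whose rpId does not match the page's origin, and the relying party rejects an assertion whose signed clientData names a different origin.

```python
"""Toy adversary-in-the-middle (AitM) phishing model for this thread, not code
from any vendor: a relayed password + authenticator-app (TOTP) login hands the
proxy a valid session cookie, while a FIDO-style assertion is bound to the
browser's origin and fails. Origins are made up; HMAC stands in for ECDSA."""
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://login.example.com"         # assumed real service
REAL_RP_ID = "login.example.com"                  # its WebAuthn rpId
PHISH_ORIGIN = "https://login.example-com.test"   # constructed lookalike

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class TotpSite:
    """Real site: password + app code, then a bearer session cookie."""
    def __init__(self):
        self.users = {"alice": ("correct horse", secrets.token_bytes(20))}
        self.sessions = {}

    def login(self, user, password, code, now):
        pw, seed = self.users[user]
        if not (hmac.compare_digest(password, pw)
                and hmac.compare_digest(code, totp(seed, now))):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

def aitm_totp(site, now):
    """Victim types password and code into the proxy page, which forwards them unchanged."""
    seed = site.users["alice"][1]                        # victim's app holds this
    stolen = site.login("alice", "correct horse", totp(seed, now), now)
    return site.sessions.get(stolen)                     # attacker replays cookie

class Authenticator:
    """Hardware key / passkey: one credential key per relying-party ID."""
    def __init__(self):
        self.keys = {}

    def assertion(self, rp_id, challenge, browser_origin, client_check=True):
        """The browser (not the page) writes origin into clientData and refuses an
        rpId that is not the origin's host or a parent domain of it."""
        host = browser_origin.split("://", 1)[1].split("/", 1)[0]
        if client_check and host != rp_id and not host.endswith("." + rp_id):
            raise PermissionError(f"rpId {rp_id!r} not allowed on {browser_origin}")
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.keys[rp_id], signed, hashlib.sha256).digest()
        return client_data, auth_data, sig

class FidoSite:
    """Relying party: checks challenge, origin, rpIdHash and signature."""
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id = origin, rp_id
        self.keys, self.challenges = {}, {}

    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login(self, user, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("challenge") != self.challenges.pop(user, None):
            return False                        # replayed or unknown challenge
        if cd.get("origin") != self.origin:
            return False                        # signed on another site: phishing
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False                        # credential for another rpId
        signed = auth_data + hashlib.sha256(client_data).digest()
        expect = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expect)

def setup_fido():
    key, site = Authenticator(), FidoSite(REAL_ORIGIN, REAL_RP_ID)
    # Enrolment; one shared key stands in for the real public/private pair.
    key.keys[REAL_RP_ID] = site.keys["alice"] = secrets.token_bytes(32)
    return site, key

def legit_fido(site, key):
    cd, ad, sig = key.assertion(REAL_RP_ID, site.challenge("alice"), REAL_ORIGIN)
    return site.login("alice", cd, ad, sig)

def aitm_fido(site, key):
    """Proxy relays the real challenge to a browser sitting on PHISH_ORIGIN.
    Returns (browser_refused, server_accepted)."""
    chal = site.challenge("alice")
    try:
        key.assertion(REAL_RP_ID, chal, PHISH_ORIGIN)
        browser_refused = False
    except PermissionError:
        browser_refused = True
    # Even with the client check skipped, clientData still names PHISH_ORIGIN.
    cd, ad, sig = key.assertion(REAL_RP_ID, chal, PHISH_ORIGIN, client_check=False)
    return browser_refused, site.login("alice", cd, ad, sig)
```

Calling aitm_totp(TotpSite(), now) returns "alice": the real site accepted the relayed password and code and the proxy now holds a cookie it can replay, exactly the cookie theft described above, because a time-based code carries nothing about where it was typed. Calling aitm_fido(*setup_fido()) returns (True, False): the browser would not even produce the assertion for the real rpId on the lookalike origin, and if it somehow did, the relying party sees the phishing origin inside the signed clientData and refuses. That origin binding is the property the bank's transaction-signing devices mentioned above approximate by tying the code to the transaction data, and it is what an authenticator app's six digits lack.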