TLDR: Mutant Spider and Kali365 reset MFA via Teams help desk scams, then steal OAuth tokens for silent access. Regulators and incident data show password theft is sliding.
Key Takeaways:
- CrowdStrike tracks Mutant Spider as top financial services attacker, with voice phishing on Microsoft Teams driving new access patterns.
- Kali365, sold on Telegram for $250 per month, captures Microsoft 365 OAuth device code tokens after victims authenticate normally.
- Verizon data shows vulnerability exploitation at 31% and credential abuse at 13%, so token and session monitoring must replace password-centric defenses.
- Help desk MFA resets, the OAuth device code flow, and token persistence all slip past traditional MFA monitoring in real environments.
Financial services built their frontline around passwords and MFA prompts, then attackers learned the help desk script and the token loophole. The next arms race is about sessions, not logins.
Q&A
If MFA is working on the victim device, what does that mean for how teams should measure MFA effectiveness?
They should shift from counting MFA prompts to validating who can initiate sessions, whether device code grants were requested by approved workflows, and how refresh tokens behave over time.
Why did credential theft fall to 13% while compromises increased, without making MFA look worse in logs?
Because attackers are converting successful authentication into bearer tokens or socially engineered resets. Password theft drops, but authorization abuse grows quietly.
What changes when attackers can sell access as subscriptions, like Kali365 does for $250 a month?
Attack quality spreads faster than defense. Organizations face the same token theft playbook repeatedly, so mitigations need to be policy and detection driven, not ad hoc.
How could conditional access and device controls be bypassed even after restricting the device code flow?
If help desk resets still lack out-of-band identity checks, or if attackers can register managed-looking devices under permissive onboarding, the OAuth path can simply be replaced with another trusted session workflow.
What historically happens to budgets when the threat moves from credential theft to runtime authorization abuse?
Funding often lags because budgets track known categories like phishing or patching. The response usually accelerates only after teams can prove token usage detection reduces dwell time and lateral movement.
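The two checks the Q&A recommends, flagging device code grants outside approved workflows and watching how a session's refresh token behaves over time, as an added example that is not part of the original post. The sign-in records are constructed, and the field names and the "Mail Sync Helper" app name are assumptions loosely modelled on Microsoft Entra sign-in log entries, not the real schema.

```python
import json

# Constructed sample sign-in records for this example (not real telemetry).
# Field names are an assumption modelled on Entra sign-in log entries; the
# final record represents a non-interactive token refresh on an existing session.
SAMPLE_SIGNINS = [json.loads(line) for line in """
{"time":"2025-03-01T09:00:00Z","user":"a.lee@bank.example","app":"Azure CLI","protocol":"deviceCode","ip":"203.0.113.10","country":"US","session":"s-1"}
{"time":"2025-03-01T09:05:00Z","user":"a.lee@bank.example","app":"Mail Sync Helper","protocol":"deviceCode","ip":"198.51.100.7","country":"US","session":"s-2"}
{"time":"2025-03-01T09:30:00Z","user":"a.lee@bank.example","app":"Microsoft Teams","protocol":"authorizationCode","ip":"203.0.113.10","country":"US","session":"s-3"}
{"time":"2025-03-01T11:00:00Z","user":"a.lee@bank.example","app":"Microsoft Teams","protocol":"tokenRefresh","ip":"192.0.2.44","country":"RU","session":"s-3"}
""".strip().splitlines()]

# Hypothetical allowlist: the only apps an approved workflow uses device code for.
APPROVED_DEVICE_CODE_APPS = {"Azure CLI"}


def unapproved_device_code_grants(signins, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Device code is a legitimate flow for headless admin tooling, so alert only
    on grants to apps that no approved workflow would request it for."""
    return [s for s in signins
            if s["protocol"] == "deviceCode" and s["app"] not in approved_apps]


def session_reuse_from_new_network(signins):
    """Pair each session's first sign-in with any later use from a different
    country. A stolen refresh token replayed elsewhere shows up here even though
    no new MFA prompt is ever logged for it."""
    first_seen = {}
    hits = []
    for s in sorted(signins, key=lambda r: r["time"]):
        key = (s["user"], s["session"])
        if key not in first_seen:
            first_seen[key] = s
        elif s["country"] != first_seen[key]["country"]:
            hits.append((first_seen[key], s))
    return hits
```

Both functions return the offending records rather than just counting prompts, which is what a ticket or SIEM rule needs to act on.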