Hackers are selling a phishing-as-a-service (PhaaS) toolkit called SessionShark 0365 2FA/MFA on underground hacking forums. This toolkit, advertised as being for educational purposes only, can be used to steal user session tokens and bypass two-factor authentication on Office 365 accounts.
The ad, spotted by SlashNext researchers, claims that the toolkit can “intercept sensitive data, including login credentials and session cookies”. Other capabilities include evasion of bots and automated security scanners, Cloudflare compatibility for VPS IP protections, detection evasion from major threat intelligence tools and anti-phishing systems, and dynamic changes to the phishing page for increased believability.

Threat evasion is handled by custom scripts and HTTP headers that minimise the script’s visibility to security programs. The kit likely blocks known threat intelligence crawlers using “evasive HTML/JS code (to prevent signature-based detection), or dynamically change content,” according to SlashNext’s report.
The phishing pages also have a set of scripts to make them as convincing as possible. Given the threat actors’ claims of the page dynamically adapting to “various conditions,” it’s likely that the pages handle different login workflows and error messages as well.
Last but not least, the toolkit includes a logging panel and Telegram integration for its operators. This feature lets hackers receive stolen credentials and session tokens in real time on Telegram, a rather convenient exfiltration method and one that’s popular in similar phishing kits.
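As an added example (not from the SlashNext report or from the kit itself), here is detection logic a defender could run over sign-in logs to catch the session-cookie replay that a kit like this depends on: once the attacker presents the stolen cookie, the same session id shows up from a new IP address or user agent shortly after the victim's real login. The log format and the sample lines are constructed for this example and are not a real Microsoft log schema.

```python
"""Flag Office 365 sessions whose cookie is replayed from a different client.

Added example, not code from the SlashNext report or the SessionShark kit.
The five-field log format below is constructed for this example.
"""
from datetime import datetime

# Constructed sample log lines: timestamp, user, session id, source IP, user agent
SAMPLE_LOG = """\
2025-04-22T09:01:10Z alice sess-7f3a 198.51.100.23 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2025-04-22T09:01:45Z alice sess-7f3a 198.51.100.23 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2025-04-22T09:04:02Z alice sess-7f3a 203.0.113.77 python-requests/2.31
2025-04-22T09:10:00Z bob sess-11c0 192.0.2.9 Mozilla/5.0 (Macintosh) Safari/17.4
2025-04-22T09:12:30Z bob sess-11c0 192.0.2.9 Mozilla/5.0 (Macintosh) Safari/17.4
"""


def parse_line(line):
    """Split one constructed log line; the user agent may contain spaces."""
    ts, user, session, ip, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "session": session, "ip": ip, "ua": ua}


def find_session_reuse(log_text, window_minutes=30):
    """Return one alert per request that reuses a session id from a new IP
    or user agent within window_minutes of the request that established it."""
    first_seen = {}  # session id -> first event seen for that session
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        first = first_seen.setdefault(ev["session"], ev)
        if first is ev:
            continue  # this request established the session; nothing to compare
        age = (ev["ts"] - first["ts"]).total_seconds() / 60
        if age <= window_minutes and (ev["ip"] != first["ip"] or ev["ua"] != first["ua"]):
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "first_ip": first["ip"], "new_ip": ev["ip"],
                           "first_ua": first["ua"], "new_ua": ev["ua"],
                           "minutes_after_login": round(age, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOG):
        print(f"ALERT {a['user']} {a['session']}: {a['first_ip']} -> {a['new_ip']} "
              f"({a['minutes_after_login']} min after first use)")
```

In the constructed sample, only alice's session trips the rule: the same cookie arrives from a different address and a scripted user agent under three minutes after her login, while bob's session stays on one client throughout.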

The “educational” tag also doesn’t mean anything. The disclaimer is only to absolve the creators of any responsibility should someone using the kit get in trouble with law enforcement. SessionShark has a well-defined terms of service document that clearly states that the creators of the kit don’t take responsibility for any damage caused by the toolkit. Additionally, if someone is caught using the kit for malicious purposes, their account will be suspended without a refund.