Warning: Phishing kits hijacking Microsoft 365 login sessions to bypass MFA
A phishing-as-a-service kit is being used to steal active Microsoft 365 login sessions, letting attackers bypass multi-factor authentication entirely and take over business email accounts.
The attack starts with a convincing phishing email or text that links to a fake Microsoft 365 login page, closely mirroring the real sign-in experience. Unlike older phishing pages that only steal a password, this kit sits between the victim and the real Microsoft servers, capturing the session token generated after the victim completes their normal login — including their multi-factor authentication step.
Because the attacker captures a live, already-authenticated session rather than just a password, they can log into the victim's real account without ever needing the MFA code again, often going undetected while they read email, reset other account passwords, or launch further attacks against the victim's contacts and employer. This bypasses one of the most commonly recommended account protections.
The FBI's IC3 is warning individuals and organizations to treat any unexpected Microsoft 365 login prompt reached via an emailed or texted link with suspicion, to verify URLs carefully before entering credentials, and for organizations to deploy phishing-resistant authentication methods and monitor for logins from unfamiliar locations or devices.
What to do
- Never log into Microsoft 365 via a link in an email or text — go directly to the official site
- Check the URL bar carefully for lookalike domains before entering any credentials
- Organizations should enable phishing-resistant MFA (such as security keys) where possible
- Monitor account sign-in logs for logins from unfamiliar locations, devices, or IP addresses
- If you suspect a session was hijacked, revoke all active sessions and reset your password immediately
- Report suspected phishing kits or compromises to the FBI's IC3 at ic3.gov