MFA Bypass and Credential Theft Techniques Escalating
Key Questions
What is ConsentFix v3 and how is it used in MFA bypass attacks?
ConsentFix v3 is a technique that steals OAuth tokens after MFA authentication, allowing attackers to maintain access without credentials. It has been adopted by APT29 and is part of escalating credential theft methods.
How are AiTM proxy phishing kits impacting organizations?
AiTM proxy phishing kits have become commoditized, enabling widespread attacks that bypass traditional MFA. A recent massive password spray campaign involving 81 million attempts targeted Microsoft 365 environments.
What mitigation steps are recommended for MFA-related threats like Citrix Bleed 2?
Enterprises should enforce Token Protection policies and review MFA coverage across all cloud apps. The Anubis ransomware group has exploited Citrix Bleed 2 to bypass MFA before encryption, affecting 91 victims including 11 in June.
ConsentFix v3 uses OAuth token theft post-MFA, adopted by APT29. AiTM proxy phishing kits commoditized. Massive password spray (81M attempts) against M365. Now Anubis ransomware exploits Citrix Bleed 2 (CVE-2025-5777) to steal session tokens and bypass MFA, with 91 victims and a wiper module. Enterprises must enforce Token Protection policies, kill active sessions post-patch, and review MFA coverage across all cloud apps.