
Latest Microsoft 365 attacks: connecting the dots

Cybersecurity is always changing, and the most recent round of attacks against Microsoft 365 accounts shows how advanced cyber threats have gotten. These attacks show a concerning trend, ranging from accessing unprotected accounts to using adversary-in-the-middle (AiTM) tactics. Attackers are changing the way vulnerabilities are targeted and exploited, not only taking advantage of flaws. Making the connections between these attacks, their methods, and their larger consequences is crucial to understanding these dangers.

The rise of adversary-in-the-middle tactics

The FlowerStorm campaign is a striking example of how adversary-in-the-middle (AiTM) tactics are challenging the effectiveness of multi-factor authentication (MFA). Phishing portals imitating Microsoft login pages are used by attackers to steal session cookies and user credentials. By effectively bypassing MFA, attackers can easily breach systems and move across different environments without drawing attention to themselves right away.

What makes FlowerStorm particularly alarming is its precision. It focuses on people and organisations located in the United States, showing how attackers tailor their strategies to have the greatest possible impact. These attacks are deliberate, not accidental, and their purpose goes well beyond credential theft. Instead, FlowerStorm disrupts workflows and exposes sensitive data by embedding attackers into systems in ways that are difficult to identify and even more difficult to remove.

The campaign reveals a profound change in the way attackers operate. Nowadays, attackers no longer simply break through technological barriers; they also take advantage of the presumptions those barriers rest on. Organisations must recognise this shift and adapt accordingly, moving away from traditional defences and toward systems that can withstand this new level of sophistication.

Phishing as a service: the Rockstar 2FA model

If AiTM tactics weren’t concerning enough, platforms like Rockstar 2FA are taking things a step further. Attackers can now bypass MFA more easily than ever before thanks to this Phishing-as-a-Service (PhaaS) solution. Rockstar 2FA reduces the technical barrier by enabling even inexperienced attackers to access high-value targets with tactics like session cookie harvesting and fake login pages.

The scalability of Rockstar 2FA is the real threat. This isn’t just a tool for a few skilled attackers; it’s a platform that democratises phishing, enabling attackers to target users at scale. This increases the difficulty of account security for businesses that use Microsoft 365. It shifts the point of view from “if” an attack will happen to “when” and “how prepared” the organisation will be.

The hidden threat of unmanaged accounts

The “G-Door” bypass, a flaw that takes advantage of ghost Google accounts connected to business domains, further complicates matters. Attackers can obtain unauthorised access to corporate environments by using these accounts to get around Conditional Access restrictions and other security controls. The core of this issue lies in human behaviour; for example, employees creating personal accounts with work emails often accidentally open doors for attackers.

This vulnerability highlights an aspect of cybersecurity that is often overlooked. Although policies and technical controls are meant to protect managed systems, they do not reach unmanaged environments. Because of this, attackers have little difficulty operating in these grey areas, exposing organisations to risks they may not have been aware of.

The G-Door exploit is a clear reminder that effective cybersecurity goes beyond tools and policies. It requires a comprehensive strategy that addresses both the technical vulnerabilities and the human behaviours that give rise to them.

Connecting the dots: the bigger picture

What ties these attacks together is a shared exploitation of trust: trust in MFA, trust in cloud platforms like Microsoft 365, and trust in user behaviour. These examples show how the threat landscape has changed, with attackers now focused on the core presumptions that support modern security measures. Whether using AiTM tactics to get around MFA or taking advantage of unsupervised accounts, these strategies go against the norm about what it means to be secure.

This involves reconsidering the overall security strategy rather than merely patching flaws. Examples of solutions that are now necessary include proactive user awareness, enhanced monitoring, and AiTM-resistant authentication. Organisations must also change their culture to make security a shared responsibility rather than a specialised role. Businesses must see security as an ongoing effort rather than a fixed solution if they want to successfully handle these risks.

Looking ahead: a call to adapt

The attempts to take over Microsoft 365 accounts should serve as a harsh reminder to everyone. Once thought to be a strong line of defence, traditional MFA is currently failing to keep up with more sophisticated strategies like those employed in the FlowerStorm and Rockstar 2FA campaigns. Adopting AiTM-resistant authentication methods, such as FIDO2 tokens, is essential to ensuring that session cookies are hard to misuse.

It has never been more important to have visibility into user activity beyond authentication. Organisations must use tools like Cloud Access Security Brokers (CASBs) and AI-powered monitoring to spot anomalies such as suspicious login attempts or unauthorised use of business domains. By implementing these strategies, security teams can close the loopholes that vulnerabilities such as G-Door take advantage of.
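As an added illustration of the monitoring described above (example code, not part of the original article), the following Python flags a session that is reused from a different IP address and user agent shortly after its MFA step, which is what a replayed session cookie tends to look like in sign-in telemetry. The event fields and the sample sign-ins are constructed and would need to be mapped onto a real sign-in log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """One sign-in event. Field names are assumed, not a real log schema."""
    ts: datetime
    user: str
    session_id: str     # identifier tying events to one session cookie
    ip: str
    user_agent: str
    mfa: bool           # True when MFA was performed interactively here


# Constructed sample telemetry (not real data): alice's session is reused
# from the same device; bob's session, established with MFA, reappears seven
# minutes later from a different IP and client with no fresh MFA.
SAMPLE_EVENTS = [
    SignIn(datetime(2025, 1, 10, 9, 0), "alice@example.com", "sess-1",
           "203.0.113.10", "Edge/120", True),
    SignIn(datetime(2025, 1, 10, 9, 5), "alice@example.com", "sess-1",
           "203.0.113.10", "Edge/120", False),
    SignIn(datetime(2025, 1, 10, 9, 2), "bob@example.com", "sess-2",
           "198.51.100.7", "Chrome/121", True),
    SignIn(datetime(2025, 1, 10, 9, 9), "bob@example.com", "sess-2",
           "192.0.2.44", "curl/8.4", False),
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Return alerts for sessions that were established with MFA and then
    reused from a different IP *and* user agent within `window`, without a
    new interactive MFA step (both attributes changing is the stronger
    signal; an IP change alone is common for mobile users)."""
    alerts = []
    first_seen = {}
    for ev in sorted(events, key=lambda e: e.ts):
        first = first_seen.setdefault(ev.session_id, ev)
        if ev is first or not first.mfa:
            continue
        moved = ev.ip != first.ip and ev.user_agent != first.user_agent
        if moved and not ev.mfa and ev.ts - first.ts <= window:
            alerts.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "established_from": first.ip,
                "reused_from": ev.ip,
                "reused_user_agent": ev.user_agent,
                "minutes_after_mfa": int((ev.ts - first.ts).total_seconds() // 60),
            })
    return alerts
```

In practice the same logic is run over exported sign-in logs, and a hit is a trigger to revoke the session and require re-authentication rather than a verdict on its own.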

Lastly, the foundation of any successful defence plan is user training. Employees need to be aware of how their behaviours, such as using work email addresses to create personal accounts, may expose their companies. The question is no longer whether organizations can prevent every attack because they can’t. Understanding these threats, reacting to them, and staying ready for what comes next are the first steps on the path to resilience.

Kristi Shehu is a Cyber Security Engineer (Application Security) and Cyber Journalist based in Albania. She lives and breathes technology, specializing in crafting content on cyber news and the latest security trends, all through the eyes of a cyber professional. Kristi is passionate about sharing her thoughts and opinions on the exciting world of cyber security, from breakthrough emerging technologies to dynamic startups across the globe.