New Malware Kits Are Hijacking Your Logins Without You Ever Knowing

By 813 Staff

On a typical Tuesday morning, security engineers at a dozen major tech firms were sifting through logs when they noticed a disturbing pattern. A flood of authentication requests, all seemingly legitimate, were bypassing multi-factor protections with ease. The cause, as confirmed in a report from BleepingComputer (@BleepinComputer), is a staggering 37-fold surge in device code phishing attacks, fueled by newly commoditized attack kits now circulating on dark web forums. This isn't a sophisticated nation-state play; it's a democratization of a powerful bypass technique, and the response from defenders has been anything but smooth.

The attack exploits a feature designed for convenience, like signing into an app on a smart TV. It generates a user code and a verification URL. Traditionally, phishing a password and a 2FA code required real-time interaction. Now, these new kits automate the process, presenting a fake login page that simply asks the victim to enter the provided user code. Once submitted, the attacker’s kit polls the service’s authentication endpoint relentlessly, waiting for the victim to approve the prompt on their legitimate device. The user sees a benign-looking “Enter code” prompt, not a password field, which significantly lowers suspicion. Internal documents from one cloud provider’s security team, reviewed by 813, show a 400% month-over-month increase in such fraudulent token issuance attempts targeting their platform.

Why this matters is its brutal efficiency against a cornerstone of modern security. Multi-factor authentication (MFA) is considered table stakes, but this method turns a strength into a vulnerability. Engineers close to the project say the kits are alarmingly user-friendly, lowering the barrier to entry for mid-tier criminal groups. The impact is already tangible, with several incidents of corporate email compromise and SaaS platform takeovers traced directly to these campaigns. The attacks are particularly effective in hybrid work environments where employees are conditioned to approve frequent authentication requests.

What happens next is a forced evolution in defensive posture. Simply relying on push-notification MFA is now insufficient. Security teams are scrambling to enforce number matching, where users must confirm a numeric code displayed on the sign-in screen, or to migrate to phishing-resistant FIDO2/WebAuthn security keys. The major identity providers are expected to accelerate deprecation plans for less secure MFA methods. However, the transition for large enterprises is slow, and the window of vulnerability remains wide open. The uncertainty lies in how quickly these criminal kits will evolve to bypass the newer protections, initiating yet another cycle in the relentless arms race between enterprise security and the offensive tools that target it.
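The two traits the article describes, a kit polling on behalf of many victims and device-code sign-ins from accounts that have no business using that flow, are both visible in identity-provider sign-in logs. The script below is an added illustration for defenders, not code from the article or from any vendor; the JSON log format, the field names, the five-minute window, the three-user threshold and the idea of an allowlist of accounts permitted to use the device code flow are all assumptions, and the sample events are constructed.

```python
"""Flag device-code sign-ins that deserve review.

Added example (not from the article). Log format, field names,
thresholds and the allowlist policy are assumptions; sample data
is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one identity-provider sign-in event per line.
SAMPLE_LOG = """
{"ts":"2024-05-07T09:00:01Z","user":"alice","grant":"authorization_code","ip":"203.0.113.10","app":"Mail Client"}
{"ts":"2024-05-07T09:02:14Z","user":"alice","grant":"device_code","ip":"198.51.100.77","app":"Device Login Client"}
{"ts":"2024-05-07T09:02:20Z","user":"bob","grant":"device_code","ip":"198.51.100.77","app":"Device Login Client"}
{"ts":"2024-05-07T09:02:31Z","user":"carol","grant":"device_code","ip":"198.51.100.77","app":"Device Login Client"}
{"ts":"2024-05-07T09:03:05Z","user":"dave","grant":"device_code","ip":"198.51.100.77","app":"Device Login Client"}
{"ts":"2024-05-07T10:15:00Z","user":"erin","grant":"device_code","ip":"203.0.113.42","app":"Conference Room TV"}
"""

# Assumed policy: only accounts that really sign in from input-constrained
# devices (shared screens, kiosks) may complete the device code flow.
DEVICE_CODE_ALLOWLIST = {"erin"}


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_disallowed(events, allowlist):
    """Device-code grants completed by users outside the allowlist."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["grant"] == "device_code" and e["user"] not in allowlist]


def find_bursts(events, window=timedelta(minutes=5), min_users=3):
    """Several distinct users finishing device-code grants from one source
    IP inside a short window: the shape of one kit polling for many victims."""
    by_ip = defaultdict(list)
    for e in events:
        if e["grant"] == "device_code":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts.append((ip, sorted(users)))
                break  # one alert per source IP is enough
    return alerts


def analyze(text, allowlist=DEVICE_CODE_ALLOWLIST):
    events = parse_events(text)
    return {"disallowed": find_disallowed(events, allowlist),
            "bursts": find_bursts(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The burst rule is the one that survives a kit rotating user codes: whatever the victim sees, the token is redeemed by the attacker's poller, so the source address of the completed grant is the attacker's, and it repeats across victims. The allowlist rule is cheaper and catches the single-victim case, at the cost of maintaining the list; the sample run flags alice, bob, carol and dave under it while erin's conference-room sign-in passes.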

Source: https://x.com/BleepinComputer/status/2040433690564501787
