
CyberheistNews Vol 16 #07 Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

CyberheistNews Vol 16 #07  |   February 17th, 2026

Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA).

The victim is directed to a legitimate Microsoft domain to enter an attacker-supplied device code. This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.

Key Takeaways: Campaign at a Glance

  • Novel Attack Mechanism: This campaign bypasses traditional security by not stealing credentials. Instead, it tricks the user into authenticating on the legitimate Microsoft domain, and then polls the token endpoint to capture the OAuth Access and Refresh tokens.
  • Multi-Factor Authentication (MFA) Bypass: The attack is highly effective as the token theft occurs after the user successfully completes their legitimate MFA challenge.
  • Targeting: The campaign is active and ongoing (first observed December 2025), is highly concentrated in North America (with 44%+ of victims in the U.S.), and is notably targeting the tech, manufacturing and financial services sectors.
  • Major Impact: The stolen tokens grant attackers extensive, persistent access to the Microsoft 365 environment, including full read/write/send capabilities for Email, Calendar and Files (OneDrive/SharePoint), and administrative functions.
  • Immediate Mitigation: Key defenses include urgently auditing recently consented OAuth applications, searching email logs for specific sender and subject patterns, and for IT/Admin teams, considering the disabling of the device code flow via Conditional Access policies.
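The two mitigations above that a SOC can act on from logs are auditing recently consented OAuth applications and looking for sign-ins that completed through the device code flow. The script below is an added example written for this newsletter item; it is not KnowBe4 Threat Labs code and contains none of the campaign’s indicators. It assumes records exported in the shape of the Microsoft Graph `signIn` resource (fields `authenticationProtocol`, `appId`, `appDisplayName`, `userPrincipalName`, `ipAddress`, `status.errorCode`) and the `oAuth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, space-separated `scope`); verify those field names against your own export. The allowlist app ID and every log record are constructed placeholders.

```python
"""Triage helpers for the device-code phishing pattern in the report above.

Check 1: successful sign-ins that completed via the OAuth 2.0 device
         authorization grant for an app that is not on the allowlist.
Check 2: delegated consent grants whose scopes cover mail, calendar, files
         or refresh tokens (offline_access), i.e. the access the report
         says the stolen tokens provide.

Field names follow the Microsoft Graph `signIn` and `oAuth2PermissionGrant`
resources (assumption: verify against your own export). Every record below
is constructed sample data, not a real log line.
"""
from dataclasses import dataclass

# Assumed allowlist of apps the organisation legitimately uses with the device
# code flow (for example an internal CLI). Placeholder ID, not a real client ID.
ALLOWED_DEVICE_CODE_APPS = {"11111111-1111-1111-1111-111111111111"}

# Delegated scopes that give the persistent mailbox/calendar/file access described.
HIGH_RISK_SCOPES = {
    "offline_access",            # refresh token => long-lived persistence
    "Mail.ReadWrite", "Mail.Send",
    "Calendars.ReadWrite",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "device_code_signin" or "risky_consent"
    user: str
    app: str
    detail: str


def flag_device_code_signins(signins, allowlist=ALLOWED_DEVICE_CODE_APPS):
    """One Finding per successful device-code sign-in to a non-allowlisted app."""
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempt: no token was issued, so no theft occurred
        if s.get("appId") in allowlist:
            continue
        findings.append(Finding(
            "device_code_signin",
            s.get("userPrincipalName", "?"),
            s.get("appDisplayName") or s.get("appId", "?"),
            f"{s.get('ipAddress', '?')} at {s.get('createdDateTime', '?')}",
        ))
    return findings


def flag_risky_consents(grants, principal_names=None):
    """One Finding per consent grant that carries at least one high-risk scope."""
    principal_names = principal_names or {}
    findings = []
    for g in grants:
        risky = sorted(set(g.get("scope", "").split()) & HIGH_RISK_SCOPES)
        if not risky:
            continue
        if g.get("consentType") == "AllPrincipals":
            user = "<all users>"          # tenant-wide (admin) consent
        else:
            pid = g.get("principalId", "?")
            user = principal_names.get(pid, pid)
        findings.append(Finding("risky_consent", user, g.get("clientId", "?"), " ".join(risky)))
    return findings


# --- constructed sample data (not real tenant data) ---------------------------
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appDisplayName": "Unknown Device App", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.10", "createdDateTime": "2026-02-16T14:02:11Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "appId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "Corp CLI", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "createdDateTime": "2026-02-16T09:15:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "appId": "aaaaaaaa-0000-0000-0000-000000000002",
     "appDisplayName": "Another App", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.11", "createdDateTime": "2026-02-16T15:40:39Z",
     "status": {"errorCode": 1}},   # constructed non-zero code: user never approved
    {"userPrincipalName": "alice@example.com", "appId": "aaaaaaaa-0000-0000-0000-000000000003",
     "appDisplayName": "Outlook Web", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.7", "createdDateTime": "2026-02-16T08:00:00Z",
     "status": {"errorCode": 0}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-obj-1", "consentType": "Principal", "principalId": "u-alice",
     "scope": "User.Read offline_access Mail.ReadWrite Mail.Send Files.ReadWrite.All"},
    {"clientId": "sp-obj-2", "consentType": "Principal", "principalId": "u-bob",
     "scope": "User.Read profile openid"},
]
SAMPLE_PRINCIPALS = {"u-alice": "alice@example.com", "u-bob": "bob@example.com"}


def run_triage():
    """Run both checks over the constructed sample data and return the findings."""
    return (flag_device_code_signins(SAMPLE_SIGNINS)
            + flag_risky_consents(SAMPLE_GRANTS, SAMPLE_PRINCIPALS))


if __name__ == "__main__":
    for f in run_triage():
        print(f"[{f.kind}] user={f.user} app={f.app} {f.detail}")
```

On the sample data the script reports two findings: Alice’s successful device-code sign-in to an app outside the allowlist, and her consent grant carrying `offline_access` plus mail and file scopes. In practice the two checks are most useful together: a device-code sign-in to an app that also holds a refresh-token scope is exactly the combination that gives the persistent access the report describes, and an empty allowlist is a reasonable starting point if your organisation has no known device-code clients, in which case blocking the flow with a Conditional Access policy (as the takeaways suggest) removes the need for the first check entirely.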

Blog post with screenshots of the criminal workflow:
https://blog.knowbe4.com/uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

Automate Incident Response and Maximize SOC Efficiency

Your security team is drowning in alerts, and threats are slipping through. With SOC teams facing more than 4,400 daily alerts, over 40% of which are false positives, the vast majority of organizations are drowning in backlogs.

The result? A five-hour response gap that leaves threats sitting in your employees’ inboxes for days or weeks. Stop gambling with unaddressed alerts with technology that collapses the time-to-containment from hours to minutes.

During this demo, you’ll discover how PhishER Plus eliminates the dangerous vulnerability window between threat detection and containment by combining triple-validated threat intelligence with human oversight:

  • Accelerate response times with AI-powered automation that allows you to code custom rules in plain English, reduces manual email review time by up to 99%, and eliminates alert fatigue
  • Leverage unmatched threat intelligence from 13+ million global users, KnowBe4 Threat Research Lab, and leading third-party integrations, catching zero-day threats that bypass SEGs and other ICES defenses
  • Maintain complete visibility and control over AI-driven decisions with PhishML Insights, eliminating black-box uncertainty and reducing false positives that waste $875K annually
  • Remove threats automatically from all mailboxes with Global PhishRIP before users can interact with them, eliminating the risk of employees otherwise falling for the attack
  • Convert real attacks into targeted training opportunities with PhishFlip, reinforcing vigilant employee behavior while showcasing security awareness gaps

Discover how PhishER Plus customers achieve 650% ROI within the first year. Transform your employees into your most valuable defenders while meeting SOC efficiency targets.

Date/Time: TOMORROW, Wednesday, February 18 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN2

Love in the Age of AI – Why 2026 Romance Scams are Almost Impossible to Spot

By Roger Grimes

A heads-up about today’s Valentine’s Day scams…

Valentine’s Day is usually a time for flowers and candlelight, but in recent years the digital dating landscape has shifted from a place of hope to a high-tech minefield. While “catfishing” was once the primary concern for online daters, 2026 has ushered in a more sinister era: the completely AI-enabled romance scam.

The days of spotting a scammer through broken English or blurry photos are officially over. Today’s scammers aren’t just people behind keyboards; they are AI-powered enterprises using deepfake technology to break hearts and bank accounts.

The Evolution of the Scam – From Stolen Photos to Deepfake FaceTime
For years, the gold standard for verifying an online match was the custom photo request: “Send me a selfie holding today’s newspaper.” In 2026, that test is dead. Scammers can now instantly generate an image of themselves in any location or holding any object. Media alone is no longer proof of identity.

The deception goes even deeper than static images. Scammers are now using:

  • Deepfake Video Calls – Real-time face-swapping and AI voice synthesis mean that a video call with your new love interest is no longer a guarantee of safety.
  • AI Personas – Automated bots are now capable of maintaining deep, emotional and visually convincing relationships over several months, building a level of trust that feels indistinguishable from a real human connection.
  • The Celebrity Lure – By masquerading as famous figures, scammers exploit the emotional investment fans have, sometimes even leading victims to take out second mortgages or alienate family members to “help” their idol.

[CONTINUED] At the KnowBe4 Blog
https://blog.knowbe4.com/love-in-the-age-of-ai-why-2026-romance-scams-are-almost-impossible-to-spot

[Live Demo] Stop Inbound and Outbound Email Threats

With over 376 billion emails sent daily, your organization faces unprecedented risks from Business Email Compromise (BEC), misdirected sensitive communications and sophisticated AI-driven phishing attacks.

The human element, involved in the vast majority of data breaches, contributes to email-based threats that cost organizations like yours millions annually.

Discover how you can stop up to 97% more attacks and uncover 10x more potential data breaches in your Microsoft 365 environment before they happen.

Join our live demo to see how KnowBe4’s Cloud Email Security seamlessly integrates into Microsoft 365 to enhance its native protection while providing the tools needed to identify risky communications before they lead to breaches.

See KnowBe4’s Cloud Email Security in action as we show you how to:

  • Defend your organization against sophisticated inbound threats including BEC, supply chain attacks and ransomware
  • Prevent costly outbound mistakes with real-time alerts that stop misdirected emails and unauthorized file sharing
  • Enforce information barriers that keep you compliant with industry regulations
  • Detect and block data exfiltration attempts before sensitive information leaves your organization
  • Customize incident response workflows to match your security team’s needs

Strengthen your security posture with AI-native intelligent email security that reduces human-activated risk and safeguards your organization from inbound and outbound threats.

Date/Time: Wednesday, February 18 @ 1:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/ces-demo-month-2?partnerref=CHN2

Voice Phishing Kits Give Threat Actors Real-Time Control Over Attacks

Researchers at Okta warn that a series of phishing kits have emerged that are designed to help threat actors launch sophisticated voice phishing (vishing) attacks that can bypass multifactor authentication.

“The most critical of these features are client-side scripts that allow threat actors to control the authentication flow in the browser of a targeted user in real-time while they deliver verbal instructions or respond to verbal feedback from the targeted user,” Okta says.

“It’s this real-time session orchestration that delivers the plausibility required to convince the threat actor’s target to approve push notifications, submit one time passcodes (OTP) or take other actions the threat actor needs to bypass MFA controls.”

The phishing kits allow attackers to guide the victim through the attack flow, which proceeds as follows:

  • “The threat actor performs reconnaissance on a target, learning the names of users, the apps they commonly use and phone numbers used in IT support calls;
  • The threat actor sets a customized phishing page live and calls targeted users, spoofing the phone number of the company or its support hotline;
  • The threat actor convinces the targeted user to navigate in their browser to the phishing site under the pretext of an IT support or security requirement;
  • The targeted user enters their username and password, which is automatically forwarded to the threat actor’s Telegram channel;
  • The threat actor enters the username and password into the legitimate sign-in page of the targeted user and assesses what MFA challenges they are presented with;
  • The threat actor updates the phishing site in real-time with pages that support their verbal ask for the user to enter an OTP, accept a push notification or other MFA challenges.”

Moussa Diallo, threat researcher at Okta Threat Intelligence, stated, “Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering.

“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/voice-phishing-kits-give-threat-actors-real-time-control-over-attacks

Are You Ready to Replace Your SEG?

While you’ve invested in secure email gateways (SEGs), a staggering 94% of organizations still experience email security incidents. It’s time to evaluate whether your SEG is delivering the protection you need.

This whitepaper explores why 87% of cybersecurity leaders are now looking to replace their SEGs with a modern, integrated security stack.

This essential guide for CISOs provides data-driven insights and a strategic framework for evaluating your email security architecture. Discover:

  • An analysis of the advanced phishing attacks that are consistently bypassing SEGs, including a 47% increase in attacks getting through detection
  • Why static, rules-based Data Loss Prevention (DLP) is ineffective at mitigating data exfiltration and misdirected emails caused by human error
  • How to leverage Microsoft 365 native controls combined with an AI-driven Integrated Cloud Email Security (ICES) solution to stop advanced inbound and outbound threats
  • Key considerations for assessing your current email security architecture and determining if it’s time to replace your SEG

Download the whitepaper now:
https://info.knowbe4.com/ready-to-replace-seg-wp-chn

Let’s stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [NEW PAGE] We Train Humans and AI Agents. Socially engineered or prompt engineered? It’s all human risk.
https://www.knowbe4.com/training-humans-ai-agents

Quotes of the Week

“You will never reach your destination if you stop and throw stones at every dog that barks.”
– Winston Churchill – Statesman (1874 – 1965)

“Start by doing what’s necessary; then do what’s possible; and suddenly you are doing the impossible.”
– Francis of Assisi – Preacher (1181 – 1226)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-07-uncovering-the-sophisticated-phishing-campaign-bypassing-m365-mfa

Security News

Callback Phishing and BEC Attacks Surged in Q4 2025

Callback phishing scams surged by 500% last quarter, accounting for 18% of all phishing activity, according to VIPRE’s Email Threat Trends Report for Q4 2025. Callback phishing attacks attempt to trick the victim into calling a phone number and speaking with the scammer directly, allowing the attack to bypass technical security controls.

Additionally, the researchers found that business email compromise (BEC) attempts accounted for 51% of scam email attacks.

“For another consecutive quarter in a row, Impersonation was the dominant BEC email type, accounting for 82% of the total BEC cases,” VIPRE says. “Diversion, or sending fake invoices or payroll requests, accounts for the remaining 18%.

“In Q4, the most frequently impersonated roles were CEOs and senior executives, comprising 50% of impersonation-based BEC emails, or 41% of total BEC emails overall.”

The researchers add, “This says something interesting about the companies that are being targeted. For a CEO to make a direct request regarding the transfer of funds, the organization must be small enough to have intimacy within the hierarchy for that to make sense.

“Or the person being targeted must be high enough in the company to not regard such a proposal from the highest officer unusual. Smaller companies with flat organizational structures, startups with close executive-employee relationships, and financial officers in close contact with the CEO, CFO or C-suite should be especially wary.”

The report found that the manufacturing industry was the most frequently targeted by email-based attacks, followed by the financial and healthcare sectors.

AI-powered security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for evolving social engineering attacks.

VIPRE has the story:
https://finance.yahoo.com/news/cybercriminals-key-attack-vector-trust-140000020.html

Report: AI-Driven Fraud Surged by 1200% in December 2025

AI-driven fraud attacks spiked by more than 1200% in December 2025, according to a new report by Pindrop Security. Threat actors are using AI to assist in every stage of the attack, from deploying bots to conduct reconnaissance to using deepfakes to trick humans.

“According to Pindrop internal data, AI fraud (or non-live fraud) surged 1210% by December 2025,” the researchers write. “From this, it’s clear that attackers are rebuilding their operations around AI. But why? Because it’s cheaper, faster, harder to detect and startlingly scalable.

“With automated models, today’s attackers don’t get tired, don’t act on emotion and don’t reuse the same face or voice twice. Attackers can train models with rigor, and once trained, these models work non-stop to exploit your vulnerabilities.”

While these attacks are targeting all sectors, Pindrop highlights the healthcare and retail industries as facing particular versions of AI-driven fraud. The researchers observed one major healthcare provider that received 15,000 fraudulent bot calls since the summer of 2025, while the retail sector saw a 330% surge in AI fraud beginning in November.

“Every industry experiences the pain differently, but the fraudster’s playbook is strikingly consistent,” the researchers explain. “In healthcare, bots flood contact centers for recon, aiming to take over patient accounts and gain access to HSA and FSA funds.

“In retail, AI-backed schemes exploit return policies—with micro-transactions compounding to massive losses. Inside corporate channels, AI-generated videos and voices impersonate job candidates to gain system access or high-level executives to execute social engineering scams.

“The tactics differ, but the foundation is the same: convincing, sophisticated AI-backed schemes.”

Infosecurity Magazine has the story:
https://www.infosecurity-magazine.com/news/ai-voice-virtual-meeting-fraud/

What KnowBe4 Customers Say

“I wanted to share some very positive feedback about Victoria S., who worked as CSM on the project we ran together.

“Working with her was an excellent experience. Whenever I had a question, she got back to me quickly and clearly. More than that, she truly listened to what I needed and went out of her way to help me deliver the best possible outcome for my end customer.

“This kind of attitude makes all the difference in the day-to-day of a project, and I thought it was important for you to know how much she contributed.”

– A.C., Security Engineer

Interesting News Items This Week

  1. Leaked technical documents show China rehearsing cyberattacks on neighbors’ critical infrastructure:
    https://therecord.media/leaked-china-documents-show-testing-cyber-neighbors
  2. UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering:
    https://therecord.media/north-korean-hackers-targeted-crypto-exec-clickfix
  3. Payroll pirates are conning help desks to steal workers’ identities and redirect paychecks:
    https://www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
  4. U.S. Court Hands Crypto Scammer 20 Years in $73m Case:
    https://www.infosecurity-magazine.com/news/court-hands-crypto-scammer-20-years/
  5. Moscow moves to throttle Telegram as Kremlin pushes its own messaging app:
    https://therecord.media/russia-throttles-telegram-pushes-its-own-messaging-app
  6. Please Don’t Feed the Scattered Lapsus ShinyHunters:
    https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/
  7. Microsoft patches concerning Windows 11 Notepad security flaw:
    https://www.techradar.com/pro/security/microsoft-patches-concerning-windows-11-notepad-security-flaw
  8. Gone With the Shame: One in Two Americans Are Reluctant to Talk About Romance Scam Incidents:
    https://www.darkreading.com/cyber-risk/one-in-two-americans-romance-scam-incidents
  9. State-sponsored APTs are using AI as a core component of attacks:
    https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use
  10. North Korean threat actor uses deepfakes and other social engineering tactics to target the finance and cryptocurrency sectors:
    https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff


Uncovering the Sophisticated Phishing Campaign Bypassing M365 MFA

Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke

KnowBe4 Threat Labs has detected a sophisticated phishing campaign targeting North American businesses and professionals. This attack compromises Microsoft 365 accounts (Outlook, Teams, OneDrive) by abusing the OAuth 2.0 Device Authorization Grant flow, bypassing strong passwords and Multi-Factor Authentication (MFA).

The victim is directed to the legitimate Microsoft domain (microsoft.com/devicelogin) portal to enter an attack-supplied device code. This action authenticates the victim and issues a valid OAuth access token to the attacker’s application. The real-time theft of these tokens grants the attacker persistent access to the victim’s Microsoft 365 accounts and corporate data.