Microsoft 365 remains a prime target for cybercriminals, and attackers are becoming increasingly sophisticated. Tools like Evilginx2 and Rockstar 2FA are now routinely bypassing traditional multi-factor authentication (MFA), putting even well-defended environments at risk. If your business relies on Microsoft 365, it’s time to rethink your security posture—starting with a resilient cloud backup strategy.
Since May 2024, Rockstar 2FA campaigns have deployed over 5,000 phishing domains, targeting Microsoft 365 users across industries, with many MFA-enabled accounts compromised. Additionally, a critical Microsoft MFA vulnerability, dubbed AuthQuake, enabled attackers to bypass protections in as little as three minutes without user alerts, impacting millions of Office 365 accounts until patched on October 9, 2024.

How Evilginx2 and Rockstar 2FA Defeat Microsoft 365 MFA
How Evilginx2 can Breach Microsoft 365 Security
Evilginx2: Adversary-in-the-Middle (AiTM) in Action
Evilginx2 is a sophisticated AiTM phishing framework that captures both credentials and session cookies. Here’s how it compromises Microsoft 365:
- Fake Login Portals: Attackers clone Microsoft 365 login pages (e.g., office-mfa.com) and distribute them via phishing emails.
- Session Hijacking: Once users enter credentials and MFA codes, Evilginx2 intercepts the session cookie.
- MFA Bypass: With the cookie, attackers gain full access—no need to re-authenticate.
- Tailored Phishlets: Evilginx2 supports Microsoft Entra ID and can downgrade MFA to weaker methods like SMS OTPs.
Rockstar 2FA: Phishing-as-a-Service (PhaaS) at Scale
Not to be confused with, and not affiliated with, Rockstar Games.
Launched by Storm-1575 in 2024, Rockstar 2FA makes phishing accessible to anyone:
- Low Barrier to Entry: For ~£150, attackers get pre-built phishing kits, Cloudflare Turnstile bypass, and anti-spam evasion.
- Trusted Hosting: Phishing links are embedded in services like Google Docs Viewer and OneDrive.
- Cookie Theft: Like Evilginx2, it harvests session cookies to bypass MFA.
- Stealth Tactics: Obfuscated HTML, randomized code, and redirectors make detection difficult.
Microsoft 365’s Security Gaps
Even with MFA, Microsoft 365 has exploitable weaknesses:
- Legacy Protocols: Basic authentication over IMAP4, POP3, and SMTP can’t enforce MFA and should be disabled.
- Session Cookie Exploits: A stolen session cookie grants full access without a new MFA prompt or any alert.
- Weak MFA Fallbacks: SMS OTPs and push notifications are vulnerable to AiTM attacks.
- Human Error: Sophisticated phishing tricks even trained users.
Solid Backup: Your Immutable Safety Net
If attackers breach your Microsoft 365 account, Solid Backup will already be storing a copy of your critical data.
- Phishing-Resistant MFA: We use FIDO2 passkeys—device-bound, asymmetric cryptography that can’t be phished or replayed.
- Zero Trust Architecture: Continuous verification of user, device, and network context. Legacy protocols are blocked by design.
- Immutable Backups: Backups are write-once, read-many (WORM). Attackers can’t alter or delete them.
- End-to-End Encryption: AES-256 encryption at rest and in transit. Decryption keys stay on your device.
- Independent Authentication: Our platform doesn’t rely on Microsoft 365’s auth stack—its vulnerabilities don’t affect us.
- AI-Powered Threat Detection: We monitor for anomalies like unusual login locations and alert admins in real time.
Hardening Your Microsoft 365 Environment
To reduce your attack surface:
- Disable Legacy Protocols: Block IMAP4, POP3, and SMTP.
- Deploy FIDO2 MFA: Use phishing-resistant methods like YubiKeys or Windows Hello.
- Enforce Conditional Access: Use Azure AD (Microsoft Entra ID) policies to restrict access based on device health and IP.
- Run Phishing Simulations: Train users to spot QR code scams and fake IT alerts.
- Audit Sign-In Logs: Monitor for suspicious activity and set up real-time alerts.
- Adopt Solid Backup: Ensure your data is recoverable—even if your Microsoft 365 account is compromised.
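The two indicators that the hardening steps above (disabling legacy protocols and auditing sign-in logs) and the session-cookie gap described earlier leave in sign-in telemetry can be picked up with a small triage script. The following Python is an added example, not code from the original post or from Solid Backup: it runs over constructed sample records whose field names are modelled on Entra ID sign-in exports (that schema, the `LEGACY_CLIENT_APPS` values, and the 24-hour window are assumptions of the example), flags successful or attempted sign-ins over legacy protocols, and flags any session ID presented from more than one IP address, which is what a replayed AiTM-stolen cookie looks like in the log.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Client app values treated as legacy (basic) authentication. These paths cannot
# be protected by MFA, so any appearance is worth reviewing. The exact strings
# are an assumption of this example.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}

# Constructed sample sign-in records (JSON Lines). Field names are modelled on
# Entra ID sign-in log exports but are an assumption, not a verbatim schema.
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2024-11-05T09:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "country": "GB", "clientAppUsed": "Browser", "sessionId": "sess-a1", "errorCode": 0}
{"createdDateTime": "2024-11-05T09:07:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "country": "NL", "clientAppUsed": "Browser", "sessionId": "sess-a1", "errorCode": 0}
{"createdDateTime": "2024-11-05T09:10:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.5", "country": "US", "clientAppUsed": "IMAP4", "sessionId": "sess-b1", "errorCode": 0}
{"createdDateTime": "2024-11-05T09:15:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.44", "country": "GB", "clientAppUsed": "Browser", "sessionId": "sess-c1", "errorCode": 0}
{"createdDateTime": "2024-11-05T09:40:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.44", "country": "GB", "clientAppUsed": "Browser", "sessionId": "sess-c1", "errorCode": 0}
{"createdDateTime": "2024-11-05T09:52:00Z", "userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.9", "country": "US", "clientAppUsed": "Authenticated SMTP", "sessionId": "sess-d1", "errorCode": 50126}
"""


def parse_signins(text):
    """Parse JSON Lines sign-in records and convert timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["createdDateTime"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_legacy_auth(records):
    """One finding per sign-in over a legacy protocol, whether it succeeded or not.
    A success means the password is already in the client's hands; a failure from
    an unexpected address is still a password-spraying signal worth a look."""
    findings = []
    for rec in records:
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            findings.append({
                "user": rec["userPrincipalName"],
                "protocol": rec["clientAppUsed"],
                "ip": rec["ipAddress"],
                "succeeded": rec.get("errorCode", 0) == 0,
            })
    return findings


def find_session_replay(records, window=timedelta(hours=24)):
    """Flag session IDs presented from more than one IP address within `window`.
    An interactive session normally stays on one client; the same session cookie
    arriving from a second address soon after issuance is the footprint a
    replayed, AiTM-stolen cookie leaves behind."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sessionId"]].append(rec)
    findings = []
    for session_id, recs in by_session.items():
        recs.sort(key=lambda r: r["createdDateTime"])
        ips = {r["ipAddress"] for r in recs}
        span = recs[-1]["createdDateTime"] - recs[0]["createdDateTime"]
        if len(ips) > 1 and span <= window:
            findings.append({
                "user": recs[0]["userPrincipalName"],
                "sessionId": session_id,
                "ips": sorted(ips),
                "countries": sorted({r["country"] for r in recs}),
                "minutes_between_first_and_last": int(span.total_seconds() // 60),
            })
    return findings


def triage(text=SAMPLE_SIGNINS):
    """Run both checks over a JSON Lines export and return the findings."""
    records = parse_signins(text)
    return {
        "legacy_auth": find_legacy_auth(records),
        "session_replay": find_session_replay(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the sample data the script reports Bob’s IMAP4 and Dave’s SMTP sign-ins as legacy-protocol activity and Alice’s session as reused from a second country seven minutes after it was issued; Carol’s repeated sign-ins from one address are left alone. In a real tenant, point `triage()` at an export of the sign-in logs and feed the session-replay findings into a token-revocation and password-reset runbook, since a fresh MFA prompt alone will not evict a session whose cookie has already been replayed.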
Don’t Let Phishing Be the End of Your Data
Evilginx2 and Rockstar 2FA are redefining the phishing threat landscape. With over 5,000 phishing domains and vulnerabilities like AuthQuake, Microsoft 365 users are under siege. Solid Backup gives you a FREE secure backup that is immutable, encrypted, and independent of Microsoft’s authentication stack.
Protect your business. Back up smarter. Start with Solid Backup today.