Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.
MFA reduces account takeover by requiring another proof of identity, limiting damage from stolen passwords; protect fallback and recovery paths too.
Search across headline titles and summaries.
Background for this topic.
MFA requires a user to prove identity with at least two different factor types: something they know, have, or are. It limits account takeover when a password is exposed, but protection depends on the factors and their implementation; two passwords are not independent factors, and a one-time code delivered by SMS is generally weaker than a phishing-resistant credential.
Attackers may steal or relay one-time codes through phishing, trigger repeated push prompts to induce approval, exploit weak enrollment or account-recovery processes, or hijack an authenticated session after MFA succeeds. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform credentials for sensitive access, protect enrollment and recovery as strongly as login, restrict weaker fallbacks, and monitor unusual authentication activity. MFA reduces risk but does not replace endpoint, session, or privileged-access controls.
In embracing device code phishing, attackers trick victims into handing over account access by using a service's legitimate new-device login flow.
Threat actors know how to bypass security systems outside of traditional IT environments. Implementing 2FA could provide a needed extra security barrier in the physical world.
Why CISOs Must Rethink Trust, MFA and Machine Identity GovernanceAI-driven phishing emails, voice deepfakes and synthetic identities have changed the threat landscape. Attackers now mimic trusted users with precision. Security teams can no longer rely on static controls or traditional verification methods.
New "Storm" infostealer skips local decryption, sending browser data to attacker servers. Varonis shows how server-side decryption enables session hijacking, bypassing passwords and MFA. [...]