A new phishing-as-a-service (PhaaS) kit known as “SessionShark” targets Microsoft Office 365 accounts and claims to enable multi-factor authentication (MFA) bypass while evading common detection methods, SlashNext reported in a blog post Thursday.

SessionShark allegedly serves as an adversary-in-the-middle (AiTM) tool that intercepts login credentials and user session tokens, the latter of which can be used to bypass MFA protection.

To obtain these credentials and tokens, SessionShark is designed to create a webpage that closely mimics the legitimate Microsoft Office 365 login interface and also “dynamically adapts to various conditions for increased believability,” according to the advertisements unearthed by SlashNext.

When a victim is tricked into submitting their credentials to the phishing site, and potentially completing MFA to create a valid session that can be hijacked, the sensitive details and session cookie are instantly logged and exfiltrated to the attacker via Telegram bot integration, according to the ads.

This “Instant Session Capturing” feature with Telegram integration, common among modern phishing kits, enables threat actors to access and take over compromised accounts faster than the intrusion can be detected and the session invalidated, SlashNext noted.

SessionShark also claims several evasive capabilities, including antibot technology and the use of custom scripts and headers that may prevent signature-based detection by security scanners. Antibot capabilities, including “human verification techniques” such as CAPTCHA challenges, can block automated scanners and threat intelligence crawlers so that phishing sites are not reported and blocked.

The PhaaS kit appears to offer Cloudflare proxying to mask phishing sites’ true hosting infrastructure, preventing takedowns and IP-based blocking by security systems, SlashNext said.

SessionShark’s paying users are also offered customer support through a dedicated Telegram channel for troubleshooting and setup help.

SessionShark’s terms of service (TOS) attempt to provide plausible deniability about the kit’s intended use for illicit activity, despite its advertisement on cybercrime networks, SlashNext noted. The service is claimed to be “exclusively for educational purposes,” with the TOS stating that users who use it maliciously will be suspended.

The emergence of SessionShark and other phishing kits like Tycoon 2FA highlights a growing shift to the PhaaS business model, which is similar to the prominent ransomware-as-a-service (RaaS) model seen in the last few years, SlashNext noted.

With the malicious tool’s ability to target accounts even if they are protected with MFA, preventing users from accessing and submitting their information to phishing sites is crucial. In addition to user/employee training, AI-driven phishing defense tools that go beyond traditional signature-based detection to recognize advanced phishing tactics can help block sites made by tools such as SessionShark, SlashNext concluded.
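The article describes the AiTM mechanism (a stolen session cookie is replayed by the attacker after the victim completes MFA) and notes that the window between capture and session invalidation is what the kit exploits. The following is an added example from a defender's side, not code from SlashNext or the article: it runs a simple session-replay detection over a few constructed sign-in log lines. The log format (pipe-delimited timestamp, user, session id, source IP, user agent, event name) and the event names `MFA_SUCCESS` and `RESOURCE_ACCESS` are assumptions for illustration, not any vendor's real schema. The check goes slightly beyond the article's text by showing the detection signal a replayed cookie leaves: the same session id appearing from a different client than the one that completed MFA.

```python
"""Detect a session token used from a different client than the one that completed MFA.

Added illustration (not from the article or SlashNext). The log format below is a
hypothetical, constructed one; real identity-provider logs differ in field names.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log lines (not real data). Assumed format:
# ISO-8601 timestamp | user | session_id | source_ip | user_agent | event
SAMPLE_LOG = """\
2025-04-24T09:00:00Z|alice@example.com|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|MFA_SUCCESS
2025-04-24T09:00:05Z|alice@example.com|sess-a1|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|RESOURCE_ACCESS
2025-04-24T09:02:30Z|alice@example.com|sess-a1|198.51.100.77|python-requests/2.31|RESOURCE_ACCESS
2025-04-24T09:10:00Z|bob@example.com|sess-b7|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17|MFA_SUCCESS
2025-04-24T09:11:00Z|bob@example.com|sess-b7|192.0.2.44|Mozilla/5.0 (Macintosh) Safari/17|RESOURCE_ACCESS
"""


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    source_ip: str
    user_agent: str
    event: str


def parse_log(text: str) -> List[SignInEvent]:
    """Parse the assumed pipe-delimited format into SignInEvent records."""
    events: List[SignInEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, user, sid, ip, ua, ev = line.split("|")
        # fromisoformat() in older Pythons rejects a trailing 'Z'; normalise it.
        events.append(SignInEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                  user, sid, ip, ua, ev))
    return events


def detect_session_replay(events: List[SignInEvent]) -> List[Dict[str, object]]:
    """Flag any use of a session from a client that differs from the MFA origin.

    The MFA_SUCCESS event pins the session to the victim's IP and user agent.
    A cookie exfiltrated by an AiTM kit and replayed elsewhere shows up as the
    same session_id on a different IP and/or user agent. seconds_after_mfa is
    kept for triage, since replay typically follows capture within minutes.
    """
    origin_by_session: Dict[str, SignInEvent] = {}
    alerts: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "MFA_SUCCESS":
            origin_by_session[e.session_id] = e
            continue
        origin = origin_by_session.get(e.session_id)
        if origin is None:
            continue  # no MFA anchor seen for this session; nothing to compare against
        if e.source_ip != origin.source_ip or e.user_agent != origin.user_agent:
            alerts.append({
                "user": e.user,
                "session_id": e.session_id,
                "mfa_ip": origin.source_ip,
                "new_ip": e.source_ip,
                "mfa_user_agent": origin.user_agent,
                "new_user_agent": e.user_agent,
                "seconds_after_mfa": (e.ts - origin.ts).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"possible session replay: user={alert['user']} session={alert['session_id']} "
              f"{alert['mfa_ip']} -> {alert['new_ip']} after {alert['seconds_after_mfa']:.0f}s")
```

On the constructed sample this flags Alice's session once: it was bound to her browser at MFA time and then used 150 seconds later from another address with a scripted user agent, while Bob's session stays consistent and produces nothing. The response that matters is the one the article mentions, invalidating the session (revoking the session and its refresh tokens) so the captured cookie stops working. Raw IP comparison will produce false positives for users on mobile networks or VPNs, so in production the comparison is usually made on a coarser client fingerprint (ASN, device identifier, or a token bound to the client) rather than the exact address.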
