Useless websites worm
3/11/2024

Saw some Business Email Compromise cases this morning in M365. Have not seen it in a long time with MFA, Defender for Endpoint, ATP and Intune policies doing a great job.

Email worm received by a user from a known contact about collaborating on a document. Document hosted in the sender's company SharePoint. User opens document and it has a URL to an evilginx hosted MFA token stealer. M365 Defender for Endpoint, Advanced Threat Protection, Intune office macros disabled policies etc. let everything pass. Hacker script uses token to sign in with "MFA requirement satisfied by claim in the token". The same worm sent to all the user's contacts (the only difference this time is the worm used a generic free OneDrive link to share the new booby-trapped document instead of the company SharePoint, as anon sharing is disabled in tenant SharePoint).

I am researching why conditional access for "only compliant devices" did not work here. Maybe needs the new Token protection condition.

I get about 300 emails in the first two hours.