Microsoft Office 365 MFA Bypassed by SessionShark Phishing Kit

In April 2025, security researchers uncovered a new and highly sophisticated phishing-as-a-service (PhaaS) toolkit targeting Microsoft Office 365 users.

Dubbed “SessionShark,” this toolkit is engineered to bypass even the most robust multi-factor authentication (MFA) protections, exposing organizations to a new class of credential theft and account takeover attacks.

The emergence of SessionShark marks a significant escalation in the arms race between defenders and cybercriminals, highlighting the need for organizations to adapt their security strategies.

Key Takeaways

• SessionShark is a new phishing-as-a-service (PhaaS) toolkit designed to bypass Microsoft Office 365 MFA by stealing session tokens.
• The kit uses adversary-in-the-middle (AiTM) tactics, advanced antibot, and stealth features to evade detection.
• SessionShark is marketed as a subscription service with real-time exfiltration and Telegram-based support for cybercriminals.
• Even organizations with strong MFA adoption are at risk; traditional anti-phishing tools are often ineffective against these attacks.
• Security teams must adopt behavioral analytics, zero-trust frameworks, and layered defenses beyond MFA.

SessionShark: A New Threat Bypassing Office 365 MFA

Security researchers have uncovered a new and highly sophisticated phishing-as-a-service (PhaaS) toolkit dubbed SessionShark, purpose-built to target Microsoft Office 365 users by bypassing multi-factor authentication (MFA) protections.

SessionShark leverages adversary-in-the-middle (AiTM) techniques to intercept user session tokens after a successful MFA login, allowing attackers to hijack authenticated sessions and render MFA ineffective.¹²

How SessionShark Works

• AiTM Phishing: Victims are lured to highly realistic Office 365 login replicas. Once credentials and MFA codes are entered, SessionShark captures both the credentials and the session tokens used to authenticate the user.
• Session Token Theft: By stealing these tokens, attackers gain immediate, persistent access to Office 365 accounts—bypassing the need for repeated MFA challenges.
• Stealth Features: The kit employs advanced antibot technologies, CAPTCHAs, and Cloudflare compatibility to block automated scanners and obscure its hosting infrastructure. Custom HTTP headers, evasive scripting, and dynamic phishing pages further evade detection.
• Real-Time Exfiltration: Stolen data is instantly delivered to attackers via Telegram bots, enabling rapid account takeover before defenders can respond.
• Criminal SaaS Model: Marketed with polished subscription packages and Telegram-based customer support, SessionShark lowers the barrier for cybercriminals to launch advanced phishing campaigns.

Impact and Security Implications

SessionShark’s emergence signals a dangerous evolution in phishing tactics: even organizations with strong MFA adoption are now vulnerable to session token theft. Traditional anti-phishing tools, IP blocking, and credential monitoring are largely ineffective against these attacks. Security teams are urged to:

• Monitor for session anomalies and suspicious logins
• Educate users about AiTM phishing techniques
• Implement behavioral analytics and zero-trust frameworks
• Layer defenses beyond MFA, including AI-powered detection tools

Timeline

• Early 2025: SessionShark is promoted on cybercrime forums as a PhaaS targeting Microsoft 365 MFA.
• April 2025: Security researchers publish detailed analyses and warnings about SessionShark’s capabilities and impact.¹²³

Technical Analysis: How SessionShark Bypasses MFA

SessionShark’s core innovation is its use of adversary-in-the-middle (AiTM) phishing, which places a malicious proxy between the victim and Microsoft’s authentication servers.

When a victim enters their credentials and MFA code on a convincing Office 365 phishing page, SessionShark intercepts both the credentials and the resulting session token. This session token is the digital proof that MFA was completed—if stolen, it allows attackers to access the account without needing to re-authenticate or pass another MFA challenge.¹²

The kit’s stealth features are extensive:

• Advanced antibot and CAPTCHA: Blocks automated scanners, sandboxes, and known security crawlers.
• Cloudflare integration: Hides the true hosting server and circumvents IP-based blocking.
• Custom HTTP headers and dynamic content: Evades threat intelligence and anti-phishing services.
• Realistic Office 365 login flows: Adapts to device and error scenarios, making detection by end users difficult.
• Instant exfiltration: Credentials and session tokens are sent to attackers in real time via Telegram bots, enabling rapid account takeover.

Comparison to Other Phishing Kits

SessionShark is part of a new wave of professionalized phishing kits, joining the ranks of EvilProxy, Tycoon 2FA, and Greatness. Like these kits, SessionShark offers:

• Subscription-based access and customer support (often via Telegram)
• Turnkey deployment with detailed documentation for cybercriminals
• Advanced evasion and anti-detection techniques

However, SessionShark distinguishes itself with its focus on Office 365 MFA and its seamless integration with Cloudflare for stealth and resilience.¹²

Threat Actor and Market Analysis

SessionShark is openly promoted on underground forums and cybercrime marketplaces, often under the guise of “educational” tools. Its SaaS-like model—with subscription tiers, customer support, and instant notifications—lowers the barrier to entry for less skilled attackers. This professionalization mirrors broader trends in the cybercrime ecosystem, where sophisticated tools are now accessible to a wider range of threat actors.³

Detection and Mitigation Strategies

Traditional anti-phishing tools, IP blocking, and credential monitoring are not enough to stop AiTM phishing kits like SessionShark. Security teams should:

• Monitor for anomalous session activity and suspicious logins
• Implement behavioral analytics and zero-trust frameworks
• Use AI-powered detection tools that can identify AiTM infrastructure and phishing proxies
• Educate users about advanced phishing tactics and warning signs
• Enforce short session lifetimes and re-authentication for sensitive actions

Industry and Vendor Response

As of April 2025, Microsoft has not issued a dedicated advisory for SessionShark, but has previously warned about AiTM phishing and session token theft.² Security vendors like SlashNext have published detailed technical analyses, and the cybersecurity community is urging organizations to move beyond reliance on MFA alone. The emergence of SessionShark has reignited debate about the effectiveness of current authentication and detection controls.

Historical Context: MFA Bypass and the Rise of AiTM Phishing

SessionShark is the latest in a series of phishing kits targeting MFA-protected cloud accounts. Previous campaigns using kits like EvilProxy and Tycoon 2FA have demonstrated that session token theft is a growing threat. The professionalization and SaaS-ification of these kits mean that even organizations with mature security postures are at risk. The trend underscores the need for continuous monitoring, adaptive defenses, and ongoing user education.

Final Thoughts

SessionShark exemplifies the growing professionalization of cybercrime toolkits and the urgent need for organizations to evolve their defenses. As phishing kits become more advanced and accessible, relying on MFA alone is no longer sufficient for cloud account security.

Related Articles

• Microsoft Defender XDR False Positive Flags Sensitive Documents as Leaked
• Widespread Microsoft Entra Lockouts Disrupt Organizations Globally – April 2025
• Phishers Abuse Google Sites and DKIM Replay to Send Legitimately Signed Emails and Harvest Credentials