microsoft-365

Russia's GRU Hijacked 18,000 Routers to Steal Microsoft 365 Tokens Without a Single Piece of Malware

John Z Black Apr 8, 2026

Threat Intelligence #apt28 #russia #dns-hijacking #microsoft-365 #oauth #mfa-bypass #soho-routers

APT28 changed the DNS settings on 18,000 home routers and stole Microsoft 365 tokens after users completed MFA. No malware needed. Your second factor was irrelevant.

Microsoft's Device Code Auth Is Now a Criminal Subscription Service

John Z Black Apr 2, 2026

Ransomware & Cybercrime #phishing #microsoft-365 #device-code #eviltokens #bec #phaas #credential-theft

EvilTokens sells device code phishing as a service on Telegram. Over 340 orgs compromised, and victims never see a fake login page.

Europol Took Down Tycoon2FA. It Was Back in Days, and Smarter Than Before.

John Z Black Mar 31, 2026

Ransomware & Cybercrime #phishing #tycoon2fa #phishing-as-a-service #microsoft-365 #entra-id #conditional-access #mfa #aitm #europol #crowdstrike

Tycoon2FA's rapid return after Europol's March 4 takedown shows why seizing infrastructure doesn't shut down phishing platforms. The operators pre-staged backup infrastructure before the first domain was seized.

340+ Organizations Hit by M365 Phishing That Bypasses MFA Without Touching Your Password

John Z Black Mar 26, 2026

Threat Intelligence #phishing #microsoft-365 #oauth #mfa-bypass #enterprise-security

A device code OAuth phishing campaign has compromised 340+ organizations since February 2026, bypassing MFA and surviving password resets. It's still running.