SessionShark 0365 2FA/MFA: a PhaaS Toolkit
A recent report from the UK government highlights that phishing attacks remain the most prevalent and disruptive type of cyber breach experienced by organizations. According to the Cyber Security Breaches Survey 2025, 85% of businesses and 86% of charities that reported a breach or attack in the past year identified phishing as the primary cause. Phishing was also cited as the most disruptive form of attack by 65% of businesses and 63% of charities, often leading to impersonation, malware infections, or ransomware incidents. For an in-depth breakdown of Social Engineering attacks, including phishing, and a guide to Packetlabs' Social Engineering Security Testing services, see our Guide to Social Engineering Security Testing.
Threat actors are constantly finding new ways to amplify the effectiveness and impact of their attacks, and phishing is no exception. Phishing-as-a-Service (PhaaS) is a cooperative model in which technically savvy criminals develop specialized phishing tools and services and then sell or rent them out to other criminal organizations. These toolkits are then used in cyber attacks, generally to gain initial access to victims' online accounts by stealing credentials. SessionShark is a sophisticated PhaaS toolkit designed to compromise Microsoft 365 accounts by bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) techniques.
In this article, we will examine how the SessionShark toolkit operates, how attackers obtain and deploy it, and why it poses a significant threat to organizations relying on MFA. We'll also explore broader trends in PhaaS ecosystems and provide practical recommendations for defending against these evolving phishing threats.
What is SessionShark 0365 2FA/MFA?
SessionShark 0365 2FA/MFA is a recently identified Phishing-as-a-Service (PhaaS) toolkit designed to bypass Microsoft Office 365's multi-factor authentication (MFA) protections. The tool aids low-skilled attackers in employing AiTM techniques to intercept user credentials and session tokens, enabling unauthorized access to accounts without requiring the victim's one-time passcode.
How Does SessionShark 0365 Work?
SessionShark is sold as a subscription-based service on Dark Web cybercrime forums and Telegram channels. Attackers gain access to the toolkit by purchasing it from the developers or resellers, and it comes bundled with technical support and setup guides. To launch attacks, the attacker deploys SessionShark on a web server configured to serve phishing pages that spoof Microsoft 365 login portals down to the last detail.
Once set up and configured, the spoofed Microsoft 365 phishing page functions as an AiTM proxy. When the victim inputs their Microsoft credentials, SessionShark forwards them in real time to the legitimate Microsoft 365 login service. The legitimate MFA prompt (e.g., push notification or code) is also presented to the user. Once the victim completes MFA, SessionShark captures the logged-in user's session cookies and access tokens and sends them to the attacker via a Telegram message.
With these session tokens, the attacker can steal the user's logged-in state and access their Microsoft 365 environment without needing to solve MFA again. The attacker can then proceed to abuse the victim's account: read and send emails, access SharePoint or OneDrive files, download sensitive documents, and even carry out internal phishing campaigns or lateral movement within the organization’s network.
Victims are targeted via:
Spoofed emails with embedded login links
Malicious QR codes or shared document invitations
Redirects from compromised websites
SessionShark offers attackers advanced features such as:
Realistic Phishing Pages: Generates convincing replicas of Microsoft Office 365 login interfaces that dynamically adapt to various devices and user scenarios, enhancing their credibility.
Session Token Theft: Captures valid session cookies post-authentication, allowing attackers to hijack authenticated sessions and bypass MFA controls.
Anti-Detection Measures: Incorporates advanced anti-bot technologies, such as CAPTCHA challenges, to evade automated security scanners and threat intelligence systems.
Cloudflare Integration: Utilizes Cloudflare services to mask the true hosting infrastructure, making it more challenging for defenders to identify and take down malicious sites.
Real-Time Exfiltration: Employs Telegram bot integration to instantly send captured credentials and session tokens to attackers, facilitating rapid account takeovers.
Commercialization and Support: Customer support is available to subscribers via dedicated Telegram channels, lowering the technical barrier for cybercriminals.
Mitigating the Risk From Phishing Toolkits
The emergence of SessionShark underscores the evolving threat landscape where MFA alone may not suffice to protect against sophisticated phishing attacks. Organizations should consider implementing additional security measures, including:
Advanced Phishing Detection: Deploy solutions capable of identifying AiTM phishing attacks and detecting spoofed authentication pages.
Continuous Session Monitoring: Monitor for suspicious login behaviors, unusual session activities, and anomalies in access patterns.
Zero-Trust Architectures: Adopt security models that enforce strict identity verification for every access request, regardless of location or previous authentication status.
User Education: Train employees to recognize sophisticated phishing attempts, especially those that mimic legitimate login interfaces and MFA processes.
Incident Response Preparedness: Develop and regularly update incident response plans to address potential breaches involving session hijacking and MFA bypass techniques.
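As an added example (not from the original article or from any vendor tooling), the Continuous Session Monitoring recommendation above can be expressed as a check over sign-in records: a session that completed MFA from one network and client and is then used from a different network and a different client shortly afterwards is the pattern a replayed session token produces. The record layout, field names and sample events are constructed for illustration and do not correspond to a real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample records; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"time": "2025-05-01T09:00:05", "user": "alice@example.com", "session": "s-100",
     "ip": "198.51.100.20", "agent": "Chrome/124 Windows", "mfa": True},
    {"time": "2025-05-01T09:04:40", "user": "alice@example.com", "session": "s-100",
     "ip": "203.0.113.77", "agent": "Firefox/125 Linux", "mfa": False},
    {"time": "2025-05-01T09:10:00", "user": "bob@example.com", "session": "s-200",
     "ip": "192.0.2.10", "agent": "Safari/17 macOS", "mfa": True},
    {"time": "2025-05-01T09:30:00", "user": "bob@example.com", "session": "s-200",
     "ip": "192.0.2.45", "agent": "Safari/17 macOS", "mfa": False},
]


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /prefix network so small IP changes are ignored."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return one alert per session reused from a new network AND a new client."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        baseline = next((e for e in evs if e["mfa"]), None)
        if baseline is None:
            continue  # nothing completed MFA in this session, so no baseline
        start = datetime.fromisoformat(baseline["time"])
        for ev in evs:
            elapsed = datetime.fromisoformat(ev["time"]) - start
            if ev is baseline or not timedelta(0) <= elapsed <= window:
                continue
            if (network_of(ev["ip"]) != network_of(baseline["ip"])
                    and ev["agent"] != baseline["agent"]):
                alerts.append({"user": ev["user"], "session": session,
                               "mfa_ip": baseline["ip"], "reuse_ip": ev["ip"],
                               "delay_seconds": int(elapsed.total_seconds())})
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

Requiring both the network and the client to change keeps roaming users on the same device from raising alerts, at the cost of missing a replay that copies the victim's user agent string.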
Conclusion
SessionShark is a Phishing-as-a-Service toolkit that enables attackers to bypass Microsoft 365 MFA by stealing session tokens through AiTM techniques. Its ease of use, real-time exfiltration, and support infrastructure make it a serious threat to organizations relying solely on MFA for account security.