SessionShark: The Phishing Kit That Bypasses MFA and You Never Want to Encounter

What is SessionShark and why should your business care

A new phishing toolkit called SessionShark has been making waves across cybersecurity circles, and for good reason. Unlike traditional phishing attacks that simply steal passwords, SessionShark is purpose-built to bypass multi-factor authentication (MFA) on Microsoft 365 accounts — the very platform that millions of European businesses rely on every day.

For small and medium businesses across Italy and the EU, this represents a significant shift in the threat landscape. MFA has long been considered a reliable layer of protection, and many companies adopted it believing it would keep their accounts safe. SessionShark challenges that assumption directly.

The toolkit is sold as a phishing-as-a-service (PhaaS) product on underground forums, complete with a subscription model, a polished admin panel, and even customer support. This means an attacker no longer needs advanced hacking skills to launch a sophisticated attack: anyone with a few hundred euros and malicious intent can do it.

How SessionShark bypasses multi-factor authentication

SessionShark uses a technique known as adversary-in-the-middle (AitM) to intercept the entire login process in real time. Here is how it works in practice.

The proxy trick

When a victim clicks on a phishing link, they land on what looks exactly like the Microsoft 365 login page. That is because it essentially is the real login page — SessionShark acts as a reverse proxy, fetching and displaying the actual Microsoft authentication interface through its own server.

The victim enters their username, password, and completes the MFA challenge as usual. They might tap “approve” on their authenticator app or type in a one-time code. Everything feels normal. But behind the scenes, SessionShark is sitting between the user and Microsoft, capturing everything — including the authenticated session token that Microsoft issues after successful login.

Why the session token matters

Once an attacker has the session token, they can access the victim’s Microsoft 365 account without needing the password or MFA again. The token essentially tells Microsoft: “this user has already authenticated.” The attacker simply imports the cookie into their own browser and walks right in.

This gives them immediate access to Outlook emails, OneDrive files, SharePoint documents, and Teams conversations. In many cases, the compromised account is then used for business email compromise (BEC) schemes — sending fraudulent invoices or payment requests from a trusted, legitimate email address.

Built-in evasion techniques

What makes SessionShark particularly difficult to detect is its use of anti-analysis protections. The kit integrates Cloudflare services to mask its infrastructure and presents CAPTCHA challenges before showing the phishing page. This means automated security scanners and URL reputation services often see only a harmless verification page, not the actual phishing content.

Real-time exfiltration via Telegram bots ensures that stolen credentials and session tokens reach the attacker within seconds of capture, leaving virtually no reaction time for the victim or their IT team.

The growing threat of MFA bypass attacks

SessionShark is not an isolated case. It joins a growing family of AitM phishing platforms — including EvilProxy, Tycoon 2FA, and Greatness — that have turned MFA bypass into a commodity service. According to multiple threat intelligence reports from 2025, phishing attacks capable of bypassing MFA grew by over 100 percent year-over-year.

Microsoft itself has acknowledged that token theft is one of the fastest-growing attack categories. The company consistently ranks as the most impersonated brand in phishing campaigns, with Office 365 credential theft representing the single largest category of phishing attacks globally.

For European SMBs, the risk is compounded by regulatory pressure. Under GDPR, a compromised email account that exposes customer data can trigger mandatory breach notifications and potential fines. The Italian Garante per la Protezione dei Dati Personali has been increasingly active in enforcing these obligations, and a single breached mailbox containing client communications could put your business on the wrong side of compliance.

Practical steps to protect your business

The good news is that effective defences exist. The key is moving beyond basic MFA and implementing layered security measures appropriate for today’s threat landscape.

Adopt phishing-resistant authentication

The single most effective defence against SessionShark and similar AitM attacks is migrating to FIDO2-based authentication — hardware security keys like YubiKey or passkeys. These methods bind the authentication process cryptographically to the legitimate domain. If a user is on a phishing site, the security key simply will not respond. It is architecturally immune to proxy-based attacks.

Microsoft Entra ID fully supports FIDO2 security keys and passkeys, making this a realistic upgrade path even for smaller organisations already using Microsoft 365.
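The domain binding described above, shown as the checks a relying party (RP) performs on a WebAuthn assertion before trusting it. This is an added example, not Microsoft's code or the page's own; the RP ID, the origins and the look-alike proxy domain are constructed, and in practice the victim's browser would already refuse to let the key sign for a page whose domain does not match the registered RP ID, so the server-side origin check is the second line of defence.

```python
"""Relying-party (RP) checks that make FIDO2/WebAuthn immune to AitM proxies.
Added example, not Microsoft's code; RP ID and origins are constructed."""
import hashlib
import json
import os

RP_ID = "login.example.com"             # constructed: the genuine service
EXPECTED_ORIGIN = "https://login.example.com"

def build_client_data(origin, challenge):
    """The browser builds this for the page origin the user is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

def build_authenticator_data(rp_id, user_present=True):
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + bytes(4)

def verify_assertion(client_data_json, auth_data, expected_challenge,
                     expected_origin=EXPECTED_ORIGIN, rp_id=RP_ID):
    """Origin/RP-ID/challenge checks from the WebAuthn assertion procedure.
    The signature over auth_data || sha256(client_data_json) is omitted here;
    a real RP verifies it after these checks, so a forged origin cannot be
    swapped in without breaking the signature."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"

def demo():
    """Same challenge and authenticator: only the page origin differs."""
    challenge = os.urandom(16).hex()
    auth = build_authenticator_data(RP_ID)
    legit = verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge), auth, challenge)
    # Look-alike proxy domain: the victim's browser records *its* origin.
    proxied = verify_assertion(build_client_data("https://login-example.com", challenge), auth, challenge)
    return legit, proxied
```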

Strengthen your Microsoft 365 configuration

Several configuration changes can dramatically reduce your exposure:

  • Conditional access policies that require managed, compliant devices and restrict sign-ins from unfamiliar locations or unregistered endpoints.
  • Continuous access evaluation (CAE) to enable near-real-time token revocation when suspicious activity is detected, such as impossible travel or a sudden IP change.
  • Shorter session token lifetimes to limit the window of opportunity if a token is stolen.
  • Legacy authentication protocols blocked entirely, as they do not support MFA at all and represent an easy bypass path.

Invest in detection and awareness

Technical controls work best alongside human awareness. Train your staff to scrutinise URLs carefully before entering credentials, even when the login page looks legitimate. Emphasise that a convincing-looking page is no guarantee of authenticity — this is precisely what AitM attacks exploit.

On the monitoring side, enable sign-in risk detection in Microsoft Entra ID Protection. Watch for anomalous patterns: logins from new devices, unusual geographic locations, or bulk access to mailbox contents. Have an incident response procedure ready that includes revoking all active sessions and forcing re-authentication when compromise is suspected.
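The anomalous patterns listed above, as detection logic run over a few constructed Entra-style sign-in records. This is an added example, not Microsoft's code or the page's; the coordinates, the IPs (documentation ranges), the device inventory and the 900 km/h threshold are assumptions, and the impossible-travel and new-device checks are the same patterns a replayed session token tends to produce.

```python
"""Detect impossible travel and new-device sign-ins in Entra-style logs.
Added example, not Microsoft's code; the records below are constructed and
simplified (real Entra sign-in logs carry many more fields)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # faster than a commercial flight is implausible

# Constructed sign-ins: the second one reuses m.rossi's account from an
# unknown device in another country 14 minutes after a legitimate login,
# the pattern a replayed session token produces.
SIGN_INS = [
    {"user": "m.rossi@example.it", "time": "2025-06-02T08:05:00",
     "ip": "203.0.113.10", "lat": 45.46, "lon": 9.19, "device_id": "dev-laptop-01"},   # Milan
    {"user": "m.rossi@example.it", "time": "2025-06-02T08:19:00",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "device_id": "dev-unknown-77"}, # New York
    {"user": "a.bianchi@example.it", "time": "2025-06-02T09:00:00",
     "ip": "203.0.113.22", "lat": 41.90, "lon": 12.50, "device_id": "dev-laptop-02"},  # Rome
]
KNOWN_DEVICES = {"dev-laptop-01", "dev-laptop-02"}  # constructed device inventory

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_anomalies(sign_ins, known_devices, max_speed_kmh=MAX_SPEED_KMH):
    """Return (kind, user, ip) alerts for unknown devices and impossible travel."""
    alerts = []
    last_seen = {}  # user -> previous sign-in, in time order
    for rec in sorted(sign_ins, key=lambda r: r["time"]):
        if rec["device_id"] not in known_devices:
            alerts.append(("new_device", rec["user"], rec["ip"]))
        prev = last_seen.get(rec["user"])
        if prev is not None:
            hours = (datetime.fromisoformat(rec["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            if dist > 0 and dist / max(hours, 1e-9) > max_speed_kmh:
                alerts.append(("impossible_travel", rec["user"], rec["ip"]))
        last_seen[rec["user"]] = rec
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(SIGN_INS, KNOWN_DEVICES):
        print(alert)  # each alert is a cue to revoke sessions and force re-auth
```

Each alert maps to the response step in the text: revoke the user's active sessions and force re-authentication rather than waiting for the token to expire.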

The bottom line for European SMBs

SessionShark is a clear signal that the cybersecurity landscape has shifted. MFA remains important — it still blocks the vast majority of automated and opportunistic attacks — but it is no longer sufficient on its own against targeted, sophisticated phishing campaigns.

For Italian and European businesses operating under GDPR and NIS2 obligations, the message is straightforward: review your authentication strategy, prioritise phishing-resistant methods where possible, and ensure your Microsoft 365 environment is configured with today’s threats in mind. The cost of upgrading your defences is a fraction of what a successful account takeover could cost in regulatory penalties, lost business, and damaged trust.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.