Microsoft 365 (M365) hosts mail, files and identity for a large share of the business world, which makes its sign-in flow a high-value target. The platform is not immune to attack, and several of the most common techniques do not break its security controls so much as route around them. This post walks through three of them: M365 session cookie theft via Evilginx2, MFA push notification fatigue attacks, and the deployment of malicious OAuth apps. It closes with a fourth, long-standing problem: authentication into M365 over legacy protocols that cannot enforce multi-factor authentication.
M365 Session Cookie Theft via Evilginx2
Evilginx2 is a phishing framework that defeats most forms of two-factor authentication without attacking the second factor itself. It does not crack or replay the one-time code; it lets the victim complete 2FA against the real Microsoft login and then captures the authenticated session cookies that Microsoft issues afterwards. With those cookies loaded into their own browser, the attacker is signed in to M365 as the victim. That access does not depend on the victim's password or second factor, and it lasts until the session expires or an administrator revokes it.
Evilginx2 works as a reverse proxy sitting between the victim and the legitimate M365 login page, a form of adversary-in-the-middle (AiTM) attack. The attacker registers a lookalike domain, obtains a valid TLS certificate for it, and sends the victim a link. The page the victim sees is the real Microsoft sign-in flow, fetched live and relayed through the attacker's server, so the username, password and 2FA prompt all look and behave normally. Microsoft validates the credentials and the second factor, then sets the session cookies (for example ESTSAUTH on login.microsoftonline.com) in its response; those pass back through the proxy, where Evilginx2 records them together with the credentials. The attacker imports the cookies into a browser of their own and is signed in without ever being asked for a second factor.
Defending against this type of attack requires a multi-layered approach. User education still matters (the phishing URL is never on a Microsoft domain), but it is the weakest layer, because the page itself is genuine. The control that actually stops the proxy is phishing-resistant MFA: FIDO2 security keys, Windows Hello for Business and certificate-based authentication bind the credential to the origin the browser is talking to, so a challenge relayed through an attacker-controlled domain cannot be completed. Conditional Access can additionally require a compliant or hybrid-joined device, which a stolen cookie on the attacker's machine does not satisfy. Security teams should watch for the same session being used from a new IP address or country shortly after an interactive MFA sign-in, block newly registered and lookalike domains at the proxy or DNS layer, and revoke the user's sessions, not just reset the password, when a compromise is suspected.
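The session-reuse check described above, as an added example that is not part of the original post: it groups sign-in records by session ID, finds the interactive sign-in that established each session, and flags any later use of that session from a different IP address, rating a change of country as high severity. The field names loosely follow the Microsoft Graph signIn resource, but the records themselves are constructed for illustration and the detection logic is this example's own, not a Microsoft feature.

```python
"""Flag Entra ID sign-in sessions reused from a different IP or country.

Constructed example: field names loosely follow the Microsoft Graph signIn
resource (sessionId, isInteractive, ipAddress, location.countryOrRegion,
createdDateTime); the records below are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice performs an interactive MFA sign-in from the US,
# then the same session ID is used non-interactively from another country
# twelve minutes later. bob's session is only ever used from one IP.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "sessionId": "sess-01",
     "isInteractive": True, "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"},
     "createdDateTime": "2024-03-01T09:00:00Z"},
    {"userPrincipalName": "alice@contoso.example", "sessionId": "sess-01",
     "isInteractive": False, "ipAddress": "198.51.100.77",
     "location": {"countryOrRegion": "NL"},
     "createdDateTime": "2024-03-01T09:12:00Z"},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "sess-02",
     "isInteractive": True, "ipAddress": "203.0.113.20",
     "location": {"countryOrRegion": "US"},
     "createdDateTime": "2024-03-01T10:00:00Z"},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "sess-02",
     "isInteractive": False, "ipAddress": "203.0.113.20",
     "location": {"countryOrRegion": "US"},
     "createdDateTime": "2024-03-01T10:30:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_reuse(signins, max_gap=timedelta(hours=24)):
    """Return alerts for sessions used from an IP other than the one that
    performed the interactive sign-in, within max_gap of that sign-in."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["sessionId"]].append(rec)

    alerts = []
    for session_id, recs in by_session.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        # The interactive sign-in is where the user (or the proxy relaying
        # the user) actually completed credentials and MFA.
        origin = next((r for r in recs if r["isInteractive"]), None)
        if origin is None:
            continue  # nothing to compare against
        origin_ts = parse_ts(origin["createdDateTime"])
        for rec in recs:
            if rec is origin:
                continue
            ts = parse_ts(rec["createdDateTime"])
            if ts - origin_ts > max_gap:
                continue
            if rec["ipAddress"] == origin["ipAddress"]:
                continue
            country_changed = (rec["location"]["countryOrRegion"]
                               != origin["location"]["countryOrRegion"])
            alerts.append({
                "user": rec["userPrincipalName"],
                "sessionId": session_id,
                "origin_ip": origin["ipAddress"],
                "reuse_ip": rec["ipAddress"],
                "minutes_after_mfa": (ts - origin_ts).total_seconds() / 60,
                "severity": "high" if country_changed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_SIGNINS):
        print(alert)
```

IP changes also happen legitimately (mobile networks, VPN reconnects), so the medium-severity hits are for triage rather than automatic blocking; a country change minutes after an MFA sign-in is the pattern worth an immediate session revocation.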
Push Notification Fatigue Attacks
Push notifications have made MFA convenient: instead of typing a code, the user taps Approve in Microsoft Authenticator. That convenience is what an MFA fatigue attack, also called push bombing, abuses. The attacker already holds a valid username and password, typically from a credential dump or an earlier phish, and repeatedly attempts to sign in, generating a stream of approval prompts on the victim's phone, often late at night or in the middle of a busy day.
The attacker is counting on the victim approving a prompt just to make the notifications stop, or assuming they are a glitch. A single tap on Approve completes the sign-in with a fully MFA-satisfied session. Some attackers follow up with a call or message posing as IT support, asking the user to approve "the pending request".
The most effective countermeasure is to make approval require information the attacker does not have. Number matching, which Microsoft now enforces for Authenticator push notifications, makes the user type the number shown on the sign-in screen, so an unprompted notification cannot be blindly approved; additional context in the prompt (requesting application and approximate location) makes rogue prompts recognisable. Organisations should also cap repeated MFA denials per account, give users an easy way to report a suspicious prompt, and alert on a burst of denied or expired push requests for one account, especially when it is followed by a success. Users should be told that an MFA prompt they did not trigger means their password is already compromised: report it, never approve it.
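The alert described above, as an added example that is not code from the original post: it scans sign-in records for a burst of failed MFA challenges for one account inside a short window and escalates when a successful sign-in follows the burst. Error code 500121 is the real AADSTS code Entra ID returns when the strong-authentication step fails (which includes denied and timed-out push prompts); the records, field names and thresholds are constructed for this example.

```python
"""Detect MFA push bombing from Entra ID sign-in records.

Constructed example: field names approximate the Microsoft Graph signIn
resource. Error code 500121 is the real AADSTS code for a failed
strong-authentication (MFA) step; the records below are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121  # AADSTS500121: authentication failed during strong auth
SUCCESS = 0


def _rec(user, ts, error_code, ip="198.51.100.9"):
    """Build a minimal constructed sign-in record."""
    return {"userPrincipalName": user, "createdDateTime": ts,
            "ipAddress": ip, "status": {"errorCode": error_code}}


# Constructed sample: carol receives six prompts in eight minutes and then a
# sign-in from the attacker's IP succeeds; dave mistypes once and then signs
# in normally from his own IP.
SAMPLE_SIGNINS = (
    [_rec("carol@contoso.example", f"2024-03-01T08:{m:02d}:00Z", MFA_FAILED)
     for m in (0, 2, 3, 5, 6, 8)]
    + [_rec("carol@contoso.example", "2024-03-01T08:09:00Z", SUCCESS)]
    + [_rec("dave@contoso.example", "2024-03-01T11:00:00Z", MFA_FAILED, ip="203.0.113.5"),
       _rec("dave@contoso.example", "2024-03-01T11:01:00Z", SUCCESS, ip="203.0.113.5")]
)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_push_bombing(signins, threshold=5, window=timedelta(minutes=15)):
    """Return one alert per user whose MFA failures reach `threshold` inside
    `window`; severity is critical if a success follows within `window`."""
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        failures = [parse_ts(r["createdDateTime"]) for r in recs
                    if r["status"]["errorCode"] == MFA_FAILED]
        successes = [r for r in recs if r["status"]["errorCode"] == SUCCESS]

        # Densest run of failures that fits in the window, if it reaches the threshold.
        burst = None
        for i, start in enumerate(failures):
            run = [t for t in failures[i:] if t - start <= window]
            if len(run) >= threshold and (burst is None or len(run) > len(burst)):
                burst = run
        if burst is None:
            continue

        # A success shortly after the burst means the victim probably approved.
        approved = [r for r in successes
                    if 0 <= (parse_ts(r["createdDateTime"]) - burst[-1]).total_seconds()
                    <= window.total_seconds()]
        alerts.append({
            "user": user,
            "prompts": len(burst),
            "first_prompt": burst[0].isoformat(),
            "last_prompt": burst[-1].isoformat(),
            "approved_after_burst": bool(approved),
            "approved_from_ip": approved[0]["ipAddress"] if approved else None,
            "severity": "critical" if approved else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_SIGNINS):
        print(alert)
```

A high-severity hit without a subsequent success still means the password is known to the attacker and should trigger a reset; the critical case calls for revoking the account's sessions as well.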
Deployment of Evil OAuth Apps
OAuth 2.0 is the standard way to let a third-party application act on a user's M365 data without ever seeing the user's password. The user signs in to Microsoft, reviews a consent screen listing the permissions the app requests (reading mail or files, for example) and clicks Accept; Microsoft then issues the app access and refresh tokens scoped to those permissions. That same convenience makes consent a target: an attacker registers an application of their own, gives it a plausible name and icon, and sends the victim a genuine Microsoft consent link for it. This is often called consent phishing or an illicit consent grant.
The attacker tricks the user into granting the malicious app permissions to access their data. Once the permissions are granted, the app can access the data it's been authorized to, often without raising any alarms. Nothing here involves a stolen password or a bypassed MFA prompt: the user genuinely authenticated, and the tokens the app holds work independently of the user's own sessions until the consent and the refresh token are revoked. A request for offline_access (a refresh token) combined with mail or file scopes from an unverified publisher is the signature of an app built to persist.
Organizations can protect themselves by restricting which apps users may consent to (in Entra ID, limiting user consent to verified publishers and low-impact permissions, with an admin consent workflow for everything else), reviewing existing consent grants for unverified publishers and broad scopes, monitoring the "Consent to application" audit events, and, when a suspicious app is found, revoking its permission grants and the affected users' refresh tokens rather than only deleting the app.
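A triage routine for consent grants, as an added example that is not part of the original post: it scores each grant on the scopes requested, whether offline_access accompanies data scopes, publisher verification and whether an end user rather than an admin consented, then orders the grants for review. The records are simplified stand-ins for Entra ID "Consent to application" audit events (real events carry the same facts in a different shape); the scope lists, weights and thresholds are this example's own assumptions.

```python
"""Score OAuth consent grants for illicit-consent risk.

Constructed example: the grant records are simplified stand-ins for Entra ID
"Consent to application" audit events. The scope names are real Microsoft
Graph delegated permissions; the weights and thresholds are assumptions.
"""

# Delegated scopes that expose mailbox or document content.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Sites.Read.All",
}
# offline_access yields a refresh token, i.e. access that outlives the sign-in.
PERSISTENCE_SCOPES = {"offline_access"}

# Constructed sample: one admin-approved verified app with basic scopes, one
# user-consented unverified app asking for mail, files and a refresh token,
# and one unverified app that only asks for the user's profile.
SAMPLE_CONSENTS = [
    {"user": "alice@contoso.example", "app": "Contoso Expense",
     "publisherVerified": True, "consentType": "admin",
     "scopes": ["openid", "profile", "User.Read"]},
    {"user": "bob@contoso.example", "app": "Secure Document Viewer",
     "publisherVerified": False, "consentType": "user",
     "scopes": ["openid", "profile", "offline_access",
                "Mail.ReadWrite", "Mail.Send", "Files.Read.All"]},
    {"user": "carol@contoso.example", "app": "Team Poll",
     "publisherVerified": False, "consentType": "user",
     "scopes": ["openid", "profile", "User.Read"]},
]


def score_consent(grant):
    """Return a risk score, level and human-readable reasons for one grant."""
    scopes = set(grant["scopes"])
    score, reasons = 0, []

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        score += 3 * len(risky)
        reasons.append("reads or sends user data: " + ", ".join(risky))
    if risky and scopes & PERSISTENCE_SCOPES:
        score += 2
        reasons.append("offline_access keeps that data access alive via a refresh token")
    if not grant["publisherVerified"]:
        score += 2
        reasons.append("publisher is not verified")
    if grant["consentType"] == "user":
        score += 1
        reasons.append("granted by an end user, not through admin consent")

    level = "high" if score >= 8 else "medium" if score >= 3 else "low"
    return {"app": grant["app"], "user": grant["user"],
            "score": score, "level": level, "reasons": reasons}


def triage(grants):
    """Score every grant and return them most-suspicious first."""
    return sorted((score_consent(g) for g in grants), key=lambda r: -r["score"])


if __name__ == "__main__":
    for result in triage(SAMPLE_CONSENTS):
        print(result["level"].upper(), result["app"], result["score"], result["reasons"])
```

The ordering is what matters operationally: the unverified, user-consented app holding mail, file and refresh-token scopes lands at the top, while an unverified app that only asked for the user's profile is a review item, not an incident.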
Authentication into M365 Using Legacy Protocols
Despite the advances in authentication protocols, many tenants still allow authentication using older, less secure ones. In M365 this means Basic authentication for IMAP, POP3, SMTP AUTH, Exchange ActiveSync, Exchange Web Services and similar endpoints, where the client sends the username and password on every request. Attackers favour these protocols, for password spraying in particular, because they cannot take part in an interactive MFA challenge.
In the context of M365, legacy protocols undercut the platform's other controls. If an account is required to use 2FA but a legacy protocol that doesn't support it is still enabled, an attacker who knows the password can sign in through that protocol without ever being asked for the second factor. The same applies to the attacks above: revoking a stolen browser session achieves little if the mailbox is still reachable over IMAP with a password.
To address this, phase out legacy protocols and enforce modern authentication, which supports MFA and Conditional Access. Microsoft has disabled Basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per tenant or per mailbox, and the definitive control is a Conditional Access policy that blocks legacy authentication clients. Run it in report-only mode first and review the sign-in logs for legacy clients that still succeed, so that scanners, service accounts and old mail clients are migrated rather than silently broken.
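The pre-block inventory described above, as an added example that is not part of the original post: it summarises legacy-protocol sign-ins by account and protocol with the source IPs involved (so a single-IP scanner can be told apart from a user mailbox), counts attempts already stopped by Conditional Access, and tallies failed legacy logins per source IP, which is where password spraying shows up. The clientAppUsed values, the authenticationRequirement values and error codes 53003 (blocked by Conditional Access) and 50126 (invalid credentials) are the ones Entra ID sign-in logs actually use; the records are constructed, and treating everything other than "Browser" and "Mobile Apps and Desktop clients" as legacy follows Microsoft's own guidance.

```python
"""Inventory legacy-protocol sign-ins to M365 before blocking them.

Constructed example: the records are made up, but the clientAppUsed and
authenticationRequirement values and the error codes are the ones Entra ID
sign-in logs really report. Per Microsoft's guidance, any client app other
than "Browser" and "Mobile Apps and Desktop clients" uses legacy auth.
"""
from collections import Counter, defaultdict

MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}
SUCCESS = 0
BLOCKED_BY_CA = 53003      # AADSTS53003: blocked by Conditional Access policy
INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password


def _rec(user, client_app, ip, requirement, error_code=SUCCESS):
    """Build a minimal constructed sign-in record."""
    return {"userPrincipalName": user, "clientAppUsed": client_app,
            "ipAddress": ip, "authenticationRequirement": requirement,
            "status": {"errorCode": error_code}}


# Constructed sample: a user on an old IMAP client, a scanner relaying mail
# over SMTP AUTH, one ActiveSync attempt already blocked by policy, a modern
# browser sign-in, and two invalid-password IMAP attempts from one IP.
SAMPLE_SIGNINS = [
    _rec("erin@contoso.example", "IMAP4", "203.0.113.40", "singleFactorAuthentication"),
    _rec("erin@contoso.example", "IMAP4", "203.0.113.40", "singleFactorAuthentication"),
    _rec("scanner@contoso.example", "Authenticated SMTP", "203.0.113.42", "singleFactorAuthentication"),
    _rec("henry@contoso.example", "Exchange ActiveSync", "198.51.100.8",
         "singleFactorAuthentication", BLOCKED_BY_CA),
    _rec("frank@contoso.example", "Browser", "203.0.113.41", "multiFactorAuthentication"),
    _rec("ivy@contoso.example", "IMAP4", "198.51.100.9",
         "singleFactorAuthentication", INVALID_CREDENTIALS),
    _rec("jack@contoso.example", "IMAP4", "198.51.100.9",
         "singleFactorAuthentication", INVALID_CREDENTIALS),
]


def is_legacy(rec):
    """True for any client app that cannot complete an interactive MFA challenge."""
    return rec["clientAppUsed"] not in MODERN_CLIENT_APPS


def legacy_auth_report(signins):
    """Summarise legacy-protocol use: what a block policy would affect, what
    it already stops, and which IPs are hammering the legacy endpoints."""
    successful = defaultdict(lambda: {"count": 0, "source_ips": set()})
    failed_by_ip = Counter()
    blocked = 0
    for rec in signins:
        if not is_legacy(rec):
            continue
        code = rec["status"]["errorCode"]
        if code == BLOCKED_BY_CA:
            blocked += 1
        elif code == SUCCESS:
            entry = successful[(rec["userPrincipalName"], rec["clientAppUsed"])]
            entry["count"] += 1
            entry["source_ips"].add(rec["ipAddress"])
        else:
            failed_by_ip[rec["ipAddress"]] += 1

    return {
        # Accounts/protocols that would stop working under a block policy.
        "successful_legacy": {k: {"count": v["count"], "source_ips": sorted(v["source_ips"])}
                              for k, v in successful.items()},
        "users_to_migrate": sorted({user for user, _ in successful}),
        "blocked_by_policy": blocked,
        # Failed legacy logins per IP: a high count is a password-spray candidate.
        "failed_legacy_by_ip": dict(failed_by_ip),
    }


if __name__ == "__main__":
    report = legacy_auth_report(SAMPLE_SIGNINS)
    for key, value in report.items():
        print(key, value)
```

Every successful row in the report is also a sign-in that MFA never saw, which is why the migration list doubles as the exposure list for the accounts concerned.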
Conclusion
Microsoft 365, like any other digital platform, isn’t invincible against cyber threats. As threat actors devise new and sophisticated attack strategies, it becomes crucial for organizations to remain vigilant and proactive in their cybersecurity approaches.
Understanding the threats is the first step in this journey. By recognizing the risks associated with session cookie theft, push notification fatigue attacks, the deployment of malicious OAuth apps, and authentication via legacy protocols, organizations can devise effective strategies to mitigate these threats.
Ultimately, a layered security approach that combines user education, robust technical controls, and proactive threat monitoring will be key in securing your Microsoft 365 environment. Remember, cybersecurity isn’t a one-time event but a continuous process that evolves with the threat landscape.