Expert Comment on MS phishing campaign


This incident goes to show that not all MFA is created equal, and hits home at just how easily many can be sidestepped. Large-scale campaigns, like this one, happen because they are so fruitful, and the pool of targets ripe for the picking is immense. However, the bottom line is they shouldn’t be happening. Organisations must use phishing-resistant MFA techniques that include device security posture as part of their access strategy, which is consistent with the United States government’s advisory to all federal agencies back in January; some have woken up to the dangers, but it’s time the rest of the world follows suit.