Is Your Organization’s Password Complexity Requirement Strong Enough? Probably Not

Jan 17, 2023 8:15:27 AM By Roger Grimes

Is your organization’s password complexity strong enough?

Less Than One-Third of Organizations Leverage Multiple Authentication Factors to Secure Their Environment

Dec 16, 2022 8:15:35 AM By Stu Sjouwerman

Demonstrating a complete lack of focus on the need for additional authentication factors, surprising new data highlights a material security gap that enables cybercrime.

Interest in Infostealer Malware Within Cyberattacks Spikes as MFA Fatigue Attacks Increase

Dec 14, 2022 2:02:41 PM By Stu Sjouwerman

New analysis of dark web forums shows an increase in discussions around the use of infostealer malware as part of both the first attack within a campaign or as part of an initial access ...

CISA Phishing Infographic Contains a Lot of Good Information

Dec 13, 2022 8:54:06 AM By Roger Grimes

On December 8th, the Cybersecurity & Infrastructure Security Agency (CISA) released a great phishing infographic about data collected, lessons learned and recommendations learned from ...

MFA Fatigue Attacks

Nov 21, 2022 4:00:55 PM By Stu Sjouwerman

Researchers at Specops Software describe a technique attackers are using to bypass multi-factor authentication (MFA). In an article for BleepingComputer, the researchers explain that ...

Cookie-stealing Feature Added by Phishing-as-a-Service Provider To Bypass MFA

Nov 9, 2022 8:50:47 AM By Stu Sjouwerman

The Robin Banks phishing-as-a-service platform now has a feature to bypass multi-factor authentication by stealing login session cookies, according to researchers at IronNet. The phishing ...

Number Matching Push-Based MFA Is Only Half the Solution

Nov 4, 2022 10:14:34 AM By Roger Grimes

When push-based multifactor authentication (MFA) first came out, I was a big fan. I promoted it as a strong and safe MFA option in my book, Hacking Multifactor Authentication. That was ...

Phishing Resistant MFA Does Not Mean Un-Phishable

Nov 2, 2022 3:16:23 PM By Stu Sjouwerman

Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it ...

Do Not Use Easily Phishable MFA and That Is Most MFA!

Sep 21, 2022 9:25:43 AM By Roger Grimes

Everyone should use multifactor authentication (MFA), where they can, to protect valuable information. Everyone!

So, Your MFA is Phishable, What To Do Next

Aug 31, 2022 9:54:49 AM By Roger Grimes

We’ve written a lot about multi-factor authentication (MFA) not being the Holy Grail to prevent phishing attacks, including here:

New Multi-Factor Authentication Prompt “Bombing” Attacks Give Access to Laptops, VPNs, and More

Jul 19, 2022 8:16:07 AM By Stu Sjouwerman

While multi-factor authentication (MFA) significantly reduces an organization’s threat surface by making the stealing of credentials much harder, a new attack takes advantage of phone ...

Hovering Over Links Will Protect You More Than MFA

Jul 14, 2022 3:57:18 PM By Roger Grimes

Microsoft Security recently released a report which detailed a widely successful phishing attack technique used against over 10,000 of its customers…a phishing attack that worked even if ...

[On-Demand Webinar] Hacks That Bypass Multi-Factor Authentication and How to Make Your MFA Solution Phishing Resistant

Jul 13, 2022 1:17:58 PM By Stu Sjouwerman

The average person believes using Multi-Factor Authentication (MFA) makes them significantly less likely to be hacked. That is simply not true! Hackers can bypass 90-95% of MFA solutions ...

Innovative Way to Bypass MFA Using Microsoft WebView2 Is Familiar Nevertheless

Jun 29, 2022 9:15:45 AM By Roger Grimes

An interesting way to bypass multi-factor authentication (MFA) was recently announced by Bleeping Computer. This particular attack method requires a potential victim to be tricked into ...

What About Password Manager Risks?

Jun 9, 2022 10:13:18 AM By Roger Grimes

In KnowBe4’s new Password Policy ebook, What Your Password Policy Should Be, we recommend that all users use a password manager to create and use perfectly random passwords. A perfectly ...

Microsoft is Leading the Way to a Password-Less Future

May 5, 2022 9:08:33 AM By Stu Sjouwerman

As we observe World Password Day to create awareness around the need for password security, Microsoft is looking for frictionless ways to eliminate passwords entirely.

“Being Annoying” as a Social Engineering Approach

Apr 18, 2022 8:42:15 AM By Stu Sjouwerman

Attackers are spamming multifactor authentication (MFA) prompts in an attempt to irritate users into approving the login, Ars Technica reports. Both criminal and nation-state actors are ...

Making Better Push-Based MFA

Mar 28, 2022 1:51:20 PM By Roger Grimes

I used to be a huge fan of Push-Based Multifactor Authentication (MFA), but real-world use has shown that most of today’s most popular implementations are not sufficiently protective ...

Scammers Use a Mix of Stolen Credentials, Inbox Rules, and a Rogue Outlook Client Install to Phish Internal and External Victims

Feb 17, 2022 10:08:48 AM By Stu Sjouwerman

Organizations that are not using Microsoft’s multi-factor authentication are finding themselves victims of credential attacks that involve threat actors installing Outlook on a controlled ...

The 4 Things You Should Be Doing Right Now To Best Improve Your Cybersecurity

Feb 3, 2022 3:28:15 PM By Roger Grimes

The key to really good cybersecurity is to concentrate on just 4 things. Master them first before you begin to try and do the other hundreds of things that everyone else is going to tell ...