Phishing Tactics Target Session Tokens and Deliver Malware  | eSecurity Planet


Barracuda found phishing attacks increasingly abuse Microsoft authentication, session tokens, and fileless malware.

Written By
Ken Underhill
Jul 1, 2026

Barracuda’s June 2026 research shows phishing campaigns are evolving beyond credential theft to session hijacking, authentication attacks, and malware delivery. 

Attackers now abuse legitimate Microsoft services, short-lived phishing infrastructure, and advanced evasion techniques to bypass security controls and deceive users.

“Cybercriminals are creative and can leverage legitimate applications, systems that people already trust, and short-lived infrastructure,” said Merium Khalid, Director of AI and Automation at Barracuda, in an email to eSecurityPlanet.

Merium added, “Businesses need controls to identify and investigate signs of unusual behavior after credentials, tokens, or account access have been exposed.” 

Key Takeaways

  • Barracuda found phishing campaigns increasingly target session tokens, Microsoft authentication, and malware delivery instead of relying solely on credential theft.
  • The Tycoon 2FA phishing-as-a-service (PhaaS) platform abuses legitimate Microsoft login pages and OAuth permissions to compromise Microsoft 365 accounts.
  • Attackers are using device code phishing, CAPTCHA verification, self-expiring phishing pages, and split-click techniques to evade traditional security controls.
  • Phishing campaigns are increasingly delivering fileless malware and obfuscated JavaScript payloads to establish persistence and evade endpoint detection. 

How Attackers Abuse Microsoft Authentication for Phishing 

One of the most notable campaigns analyzed by Barracuda leverages the Tycoon 2FA phishing-as-a-service (PhaaS) platform to abuse a legitimate Microsoft login page.

Victims receive convincing emails warning that their mailbox is nearly full, along with a calendar invitation that appears to originate from Microsoft security. 

Instead of directing users to a fake website, the phishing campaign routes victims through a legitimate Microsoft authentication page associated with an attacker-controlled Microsoft Entra application.

After users authenticate, attackers capture their session tokens and OAuth permissions, allowing immediate access to Microsoft 365 services. 

In some cases, victims are subsequently redirected to a fake login page to steal their passwords as well.

Because the attack uses genuine Microsoft infrastructure, it can bypass URL reputation checks while making phishing detection more difficult.


How Device Code Phishing Evades Traditional Defenses 

Barracuda researchers also observed new variations of device code phishing designed to evade automated security tools.

Rather than embedding suspicious links directly in phishing emails, attackers place them inside PDF attachments, reducing the likelihood of detection by URL scanning technologies. 

The attached PDF directs victims through a fake Microsoft device authentication workflow that mimics legitimate device registration.

The campaign incorporates CAPTCHA verification to block automated analysis and uses self-expiring phishing pages that automatically disappear after a predefined period. 

This built-in kill switch limits forensic investigation while reducing opportunities for defenders to identify malicious infrastructure after an attack.
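
Because these links sit inside the PDF rather than the email body, URL scanning has to reach into the attachment. The following is an added example, not code from Barracuda or eSecurity Planet: it pulls link targets out of a PDF, including those inside Flate-compressed streams, so they can be passed to the same reputation checks as body links. The sample bytes and `example.test` hosts are constructed.

```python
import re
import zlib

# PDF link actions store the target as "/URI (literal)" or "/URI <hex>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _from_hex(digits: bytes) -> bytes:
    digits = re.sub(rb"\s", b"", digits)
    if len(digits) % 2:          # PDF pads an odd final digit with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))

def extract_pdf_uris(pdf: bytes) -> list:
    """Return unique link targets from raw objects and inflated streams."""
    bodies = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes left after the data
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue             # image data, another filter, or encrypted
    found = []
    for body in bodies:
        hits = [re.sub(rb"\\(.)", rb"\1", m.group(1))
                for m in URI_LITERAL.finditer(body)]
        hits += [_from_hex(m.group(1)) for m in URI_HEX.finditer(body)]
        for raw in hits:
            uri = raw.decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found

# Constructed PDF fragment: one plain link, one hex-encoded, one compressed.
_packed = zlib.compress(b"<< /S /URI /URI (https://verify.example.test/device) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /S /URI /URI (https://docs.example.test/help) >>\nendobj\n"
    b"2 0 obj\n<< /S /URI /URI <" + b"https://files.example.test/inv".hex().encode()
    + b"> >>\nendobj\n3 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + _packed + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for uri in extract_pdf_uris(SAMPLE_PDF):
        print(uri)
```

Encrypted PDFs and streams using filters other than Flate are skipped here and should be routed to sandbox analysis instead.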

Advanced Phishing Evasion Techniques Bypass Detection 

Researchers also documented an unusual “split-click” phishing technique.

Emails contain a single “Resolve Issue” button that behaves differently depending on where users click. 

Selecting the top portion opens a legitimate Microsoft webpage, while clicking the lower section silently redirects victims through a malicious phishing chain associated with the Sneaky 2FA platform.

The attack uses browser-generated blob URLs that are dynamically created at runtime, making them more difficult for traditional security tools to inspect or block.

These techniques demonstrate how attackers continue developing methods specifically designed to bypass automated analysis and security testing.


Phishing Shifts from Credential Theft to Malware Delivery 

Barracuda also identified a growing trend toward malware delivery through phishing campaigns.

In one campaign, victims attempting to download what appeared to be a PDF invoice instead received an obfuscated JavaScript file containing hidden malicious code. 

The script uses steganography and obfuscation techniques to conceal its payload before gathering system information, establishing persistence, and downloading additional malware.

Another campaign impersonated the U.S. Social Security Administration to distribute fileless malware. 

The malicious JavaScript reconstructed hidden URLs, downloaded secondary payloads, and executed them directly in memory using Windows ActiveX components, reducing visibility to traditional endpoint defenses.

Researchers also observed multi-stage Microsoft impersonation attacks that redirected victims through fake OneDrive and Excel login pages to further improve credential theft success rates.

How to Defend Against Modern Email Phishing Attacks 

Barracuda recommends that organizations expand phishing defenses beyond password protection by focusing on identity security and behavioral detection.

Key defensive measures include:

  • Protect authentication tokens and identities in addition to passwords.
  • Monitor calendar invitations, attachments, OAuth activity, and authentication flows.
  • Deploy behavioral detection capable of identifying evasive phishing techniques.
  • Strengthen attachment and endpoint protection against embedded and fileless malware.
  • Improve incident response speed to address short-lived phishing infrastructure.
  • Update security awareness training to reflect modern phishing techniques that abuse legitimate cloud services.
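
One way to act on the monitoring measures above, covering the attacker-controlled application, device code, and stolen-token cases described earlier, is to triage sign-in records for three signals. This is an added example, not code from Barracuda or eSecurity Planet; the records are constructed, and the field names, app IDs, allow-lists, and 30-minute window are assumptions to map onto your own identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sign-in records with simplified, assumed field names.
SIGNINS = [
    {"time": "2026-06-02T09:00:00", "user": "ana@corp.example",
     "app_id": "app-mail", "protocol": "oAuth2", "session": "s1",
     "ip": "198.51.100.10"},
    {"time": "2026-06-02T09:04:00", "user": "ana@corp.example",
     "app_id": "app-unknown-7f", "protocol": "oAuth2", "session": "s2",
     "ip": "198.51.100.10"},
    {"time": "2026-06-02T09:20:00", "user": "raj@corp.example",
     "app_id": "app-mail", "protocol": "deviceCode", "session": "s3",
     "ip": "198.51.100.22"},
    {"time": "2026-06-02T09:26:00", "user": "raj@corp.example",
     "app_id": "app-mail", "protocol": "oAuth2", "session": "s3",
     "ip": "203.0.113.77"},
]
APPROVED_APPS = {"app-mail", "app-files"}      # assumed tenant app inventory
DEVICE_CODE_USERS = {"kiosk@corp.example"}     # accounts expected to use the flow
REUSE_WINDOW = timedelta(minutes=30)           # assumed tuning value

def triage(signins, approved=APPROVED_APPS, dc_users=DEVICE_CODE_USERS):
    """Return (rule, user, detail) findings in event-time order."""
    findings, first_seen = [], {}
    for ev in sorted(signins, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        # 1. Sign-in to an application outside the approved inventory.
        if ev["app_id"] not in approved:
            findings.append(("unapproved_app", ev["user"], ev["app_id"]))
        # 2. Device code flow used by an account that should never need it.
        if ev["protocol"] == "deviceCode" and ev["user"] not in dc_users:
            findings.append(("device_code_flow", ev["user"], ev["ip"]))
        # 3. Same session seen from a new IP soon after it started.
        start = first_seen.setdefault(ev["session"], (when, ev["ip"]))
        if ev["ip"] != start[1] and when - start[0] <= REUSE_WINDOW:
            findings.append(("session_ip_change", ev["user"],
                             f"{start[1]} -> {ev['ip']}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SIGNINS):
        print(finding)
```

The session rule will also fire for users who roam between networks, so treat it as a lead for investigation and correlate it with the other two signals before revoking sessions.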

Bottom Line

Barracuda’s latest research shows phishing attacks have evolved beyond just fake login pages to abuse trusted Microsoft infrastructure, authentication tokens, advanced evasion, and malware delivery. 

As phishing attacks increasingly target identities, authentication tokens, and trusted cloud services, adopting zero trust solutions can help organizations reduce overall risk.
