Multi-stage phishing campaigns bypass MFA through chained deception
Farah Amod
February 12, 2026
Security researchers are tracking an increase in phishing attacks that defeat common authentication controls through layered techniques.
What happened
Security researchers have identified a series of multi-stage phishing campaigns referred to as Operation Chimera, designed to bypass corporate email security and some forms of multi-factor authentication. Reporting by WebProNews describes how these campaigns avoid traditional detection by using QR codes, benign-looking cloud links, and redirect chains that initially contain no malicious content. Victims are gradually routed to credential harvesting pages after leaving the protected corporate environment.
Going deeper
These campaigns do not depend on a single phishing email; they unfold through a series of steps. The initial message often includes a QR code that encourages the recipient to scan it using a mobile device, shifting the interaction outside the organization’s email filters and network monitoring tools. After the scan, the user is redirected through several pages, sometimes hosted on legitimate or previously compromised websites. Some attackers also use decentralized hosting platforms such as IPFS, the InterPlanetary File System, a peer-to-peer network that stores and shares content across distributed nodes rather than on a single central server, which makes takedown efforts and attribution more difficult. By the time the victim reaches the credential harvesting page, the original delivery path is largely obscured, limiting security teams’ visibility and reducing the chances of real-time blocking.
What was said
Microsoft researchers explain that in an adversary-in-the-middle (AiTM) phishing attack, the attacker places a proxy server between the user and the website they are trying to access. That proxy sits in the middle of the connection and silently relays traffic back and forth. As Microsoft describes it, the attacker “deploys a proxy server between a target user and the website the user wishes to visit,” allowing them to intercept both the victim’s password and the session cookie that confirms an authenticated session. The infrastructure “acts as a reverse proxy,” forwarding authentication traffic to the real service while appearing legitimate to the user.
When a victim signs in through one of these AiTM pages, the attacker can “capture the user’s credentials and session cookie in real time.” Because the attacker “receives the session cookie after authentication,” they can “inject it into their browser to skip the authentication process, even if the target’s MFA is enabled.” In practice, that means the attacker does not need to break multi-factor authentication. They reuse the valid session and gain access without triggering additional login prompts.
In the know
As noted by WebProNews, the goal of Operation Chimera isn’t just stealing credentials. Once attackers gain access to a legitimate corporate account, especially in finance or executive teams, they focus on staying put. Stolen session cookies are used to add new authenticator devices or abuse OAuth permissions, quietly granting malicious apps long-term access. From there, attackers move internally, mapping systems, identifying high-value data and financial workflows, and expanding access without triggering immediate alarms.
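The two behaviours described above, a session cookie replayed from the attacker’s own browser and a new authenticator enrolled soon after, both leave traces in sign-in logs. The following Python detection logic is an added example, not code from the article, Microsoft, or Paubox; the log format, field names, time window, and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from any real tenant). Each event is
# (timestamp, user, event type, session id, source ip, user agent).
EVENTS = [
    ("2026-02-10T09:00:00", "alice", "mfa_success", "sess-A1", "203.0.113.10", "Chrome/Win"),
    ("2026-02-10T09:01:30", "alice", "app_access", "sess-A1", "203.0.113.10", "Chrome/Win"),
    ("2026-02-10T09:04:00", "alice", "app_access", "sess-A1", "198.51.100.7", "Firefox/Linux"),
    ("2026-02-10T09:06:00", "alice", "authenticator_added", "sess-A1", "198.51.100.7", "Firefox/Linux"),
    ("2026-02-10T10:00:00", "bob", "mfa_success", "sess-B9", "203.0.113.22", "Safari/Mac"),
    ("2026-02-10T10:30:00", "bob", "app_access", "sess-B9", "203.0.113.22", "Safari/Mac"),
]

# Hypothetical tuning value: how soon after MFA a new device enrolment is suspicious.
REGISTRATION_WINDOW = timedelta(hours=1)


def detect_session_anomalies(events):
    """Return alerts for (a) a session used from a different IP and user agent
    than the client that completed MFA (cookie replay) and (b) a new
    authenticator registered shortly after MFA (persistence)."""
    origin = {}  # session id -> (user, mfa time, ip, user agent) at MFA success
    alerts = []
    for ts, user, kind, sess, ip, ua in sorted(events):  # ISO timestamps sort as text
        t = datetime.fromisoformat(ts)
        if kind == "mfa_success":
            origin[sess] = (user, t, ip, ua)
            continue
        if sess not in origin:
            alerts.append((user, sess, "session_without_mfa", ts))
            continue
        _, mfa_time, mfa_ip, mfa_ua = origin[sess]
        # Cookie presented from a different network location AND a different browser
        if ip != mfa_ip and ua != mfa_ua:
            alerts.append((user, sess, "session_client_mismatch", ts))
        # New MFA device enrolled soon after the session was minted
        if kind == "authenticator_added" and t - mfa_time <= REGISTRATION_WINDOW:
            alerts.append((user, sess, "authenticator_added_shortly_after_mfa", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_anomalies(EVENTS):
        print(alert)
```

Requiring both IP and user agent to differ keeps mobile-to-Wi-Fi handovers from alerting on their own; tighten or loosen that rule to match your own false-positive tolerance.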
The big picture
Email remains the easiest way in. Paubox’s healthcare security reporting found that only about five percent of phishing attacks are reported by employees, meaning most attempts are either missed or handled quietly without security teams ever seeing them. When phishing activity goes unreported, attackers can test tactics, reuse compromised credentials, and refine campaigns without immediate disruption. That persistence shows up in federal data. The FBI’s 2024 IC3 report logged 859,532 cybercrime complaints last year, with phishing and spoofing leading the list at 193,407 complaints. Business email compromise accounted for 21,442 cases and $2.77 billion in reported losses. Those figures reflect direct financial losses reported to the FBI and do not include legal exposure, forensic work, operational disruption, or reputational damage that often follow an account takeover.
FAQs
What makes multi-stage phishing harder to detect?
The initial messages often contain no malicious links or attachments, which allows them to pass through email security tools without raising alerts.
Why are QR codes used in these campaigns?
QR codes move the interaction to a mobile device, which frequently operates outside corporate monitoring and filtering controls.
How does adversary-in-the-middle phishing defeat MFA?
The attacker intercepts authentication data and session tokens in real time, allowing account access without repeating the login process.
Are all MFA methods vulnerable to this technique?
Methods that rely on codes or push approvals can be intercepted, while phishing-resistant authentication tied to device and domain verification is more difficult to bypass.
What steps can organizations take to reduce risk?
They can limit QR code usage, monitor for unusual authentication behavior, deploy phishing-resistant authentication, and train staff to verify login prompts through known entry points.
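The FAQ above says phishing-resistant authentication is tied to device and domain verification. The Python model below, added here and not taken from the article or any vendor, shows the relying-party checks that give WebAuthn that property: the page origin the browser embeds in the signed client data, and the hash of the relying party ID in the authenticator data. The domains, the HMAC standing in for the authenticator’s key pair, and the challenge values are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                      # hypothetical relying party
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.net"   # hypothetical relay domain

# Stand-in for the authenticator's private key; real WebAuthn uses asymmetric signatures.
KEY = secrets.token_bytes(32)


def authenticator_assert(origin, challenge, key=KEY):
    """Browser + authenticator side. The browser, not the user or the page,
    writes the origin it is actually displaying into clientDataJSON, and the
    authenticator signs over rpIdHash || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash (32 bytes)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return client_data, auth_data, hmac.new(key, signed, "sha256").digest()


def rp_verify(client_data, auth_data, sig, expected_challenge, key=KEY):
    """Relying-party verification steps. A relayed assertion fails the origin
    check because the signed client data names the proxy's domain."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # domain binding: this is what stops AiTM
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, signed, "sha256").digest())


def login_via(origin):
    """One full ceremony with the user's browser on `origin`. A relay that
    forwards the assertion verbatim cannot rewrite the origin without breaking
    the signature, so the proxied login is rejected."""
    challenge = secrets.token_hex(16)
    return rp_verify(*authenticator_assert(origin, challenge), challenge)
```

In a real browser the proxied ceremony fails even earlier, because the browser refuses an RP ID that is not a registrable suffix of the page’s own domain; the model only shows the server-side check.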