Sneaky Proof of Concept Phish Bypasses MFA, OTP and Yubi with a Social Engineering Attack

A new proof-of-concept social engineering/phishing attack bypasses MFA, and allegedly “Yubikeys can’t save you because you’re authenticating to the REAL website not a phishing website,” according to an article in Bleeping Computer.

“this new social engineering attack is called WebView2-Cookie-Stealer and consists of a WebView2 executable that, when launched, opens up a legitimate website’s login form inside the application.
In the new attack by mr.d0x, the proof-of-concept executable will open the legitimate Microsoft login form using the embedded WebView2 control.”

However, the attack requires social-engineering the user into downloading the malicious payload in Microsoft Edge.
Bleeping Computer explains the exploit