Varonis' security researchers recently uncovered a promotional image on a cybercrime network showcasing a service called “SessionShark O365 2FA/MFA.” SessionShark is a phishing-as-a-service toolkit built to bypass Microsoft Office 365 multifactor authentication (MFA) protections.
While the offering is clearly intended for threat actors, its creators attempt to frame it as “for educational purposes.” In this blog post, we break down SessionShark's key messaging and features — from its MFA-bypassing capabilities to its stealth techniques and commercial pricing — and explore the implications for defenders.
A phishing kit built to defeat 2FA/MFA
At its core, SessionShark is an adversary-in-the-middle (AiTM) phishing kit that can steal valid user session tokens to defeat two-factor authentication on Microsoft 365 accounts. The ad explicitly claims the service can “intercept sensitive data, including login credentials and session cookies,” enabling an attacker to hijack authenticated sessions.
The primary interface for SessionShark
By capturing a victim’s session cookie (the token that proves they passed MFA), attackers can bypass MFA controls and access the account without needing the one-time passcode. This technique has been observed in other recent phishing kits (for example, Tycoon 2FA), and it effectively renders MFA useless if the initial credential phishing succeeds.
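One way a defender can look for this session-replay pattern in sign-in telemetry, as an added example that is not part of the original post or the kit it describes: it assumes a simplified, constructed log format and uses a coarse client fingerprint of IP address plus user agent.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry):
# (UTC timestamp, session id, user, client IP, user agent)
SAMPLE_LOG = [
    ("2025-04-20T09:00:00", "sess-A", "alice@example.test", "203.0.113.10", "Edge/124"),
    ("2025-04-20T09:00:12", "sess-A", "alice@example.test", "203.0.113.10", "Edge/124"),
    # same session id reappears 40 s later from another IP and browser
    ("2025-04-20T09:00:40", "sess-A", "alice@example.test", "198.51.100.7", "Chrome/120"),
    ("2025-04-20T09:30:00", "sess-B", "bob@example.test", "203.0.113.22", "Firefox/125"),
    ("2025-04-20T11:45:00", "sess-B", "bob@example.test", "203.0.113.22", "Firefox/125"),
]


def find_replayed_sessions(records, window=timedelta(minutes=30)):
    """Flag sessions whose id is used from two different client
    fingerprints (IP, user agent) within `window` of each other.

    Returns {session_id: [(user, first_client, new_client, seconds_apart)]}.
    A stolen post-MFA cookie replayed by an attacker typically shows up as
    exactly this pattern: the victim's session continues from somewhere
    else without any new interactive sign-in.
    """
    by_session = defaultdict(list)
    for ts, sid, user, ip, ua in records:
        by_session[sid].append((datetime.fromisoformat(ts), user, (ip, ua)))

    alerts = {}
    for sid, events in by_session.items():
        events.sort()
        first_seen = {}  # client fingerprint -> first timestamp in this session
        for ts, user, client in events:
            if client in first_seen:
                continue  # already-known client for this session, nothing new
            for known_client, known_ts in first_seen.items():
                if ts - known_ts <= window:
                    alerts.setdefault(sid, []).append(
                        (user, known_client, client, int((ts - known_ts).total_seconds())))
            first_seen[client] = ts
    return alerts


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        for user, old, new, secs in hits:
            print(f"{sid}: {user} session reused from {new} {secs}s after {old}")
```

IP plus user agent is a weak fingerprint, since a proxying kit can forward the victim's own headers and a legitimate user can change networks, so treat a hit as a triage signal to correlate with sign-in location, device compliance and token-binding data rather than as a sole indicator.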
“Advanced” antibot and stealth features
The creators of SessionShark advertise a range of anti-detection and stealth capabilities intended to maximize the success of their phishing campaigns. The promotional image identifies several features designed to thwart security scanners and researchers.
The features of SessionShark
1. Advanced antibot technology
The kit includes techniques to avoid detection by bots and automated security scanners. The ad mentions implementing “human verification techniques to prevent redirection to warning pages or flagging by security systems.”
In practice, this likely means the phishing page will present a CAPTCHA or other challenge to ensure the visitor is a real human before showing the fake login – a common trick to block web-crawling scanners from seeing the phishing content. By filtering out automated traffic (from security bots or sandboxes), SessionShark helps ensure the phishing site isn’t automatically reported or blocked.
2. Cloudflare compatibility
According to the ad, SessionShark is built to integrate with Cloudflare’s services, “tailored [for] VPS IP protections while maintaining stealth and functionality.” This suggests the phishing kit can be deployed behind Cloudflare, leveraging Cloudflare’s network to mask the kit’s actual hosting server and fend off takedowns or IP-based blocking. Many threat actors use Cloudflare proxying to hide their infrastructure; SessionShark makes this an out-of-the-box supported configuration, lowering the technical bar for attackers.
3. Enhanced stealth capabilities
Beyond antibot measures, SessionShark touts “evading detection by major threat intelligence feeds and anti-phishing systems.” The developers have added custom scripts and HTTP headers to minimize visibility to security scanners.
This likely means the kit blocks known threat intel crawlers, uses evasive HTML/JS code (to prevent signature-based detection), or dynamically changes content. Such stealth features imply that the kit was tested against security solutions to reduce the chance of being flagged, demonstrating the growing sophistication of criminal phishing tools.
4. Realistic Office 365 pages
A successful credential theft still depends on tricking the victim. SessionShark claims to “mimic the Microsoft 365 login interface with high fidelity” and “dynamically adapts to various conditions for increased believability.” In other words, the phishing pages look just like real Microsoft login screens and may even seamlessly handle different login workflows or error messages. By making the user experience convincing and contextually appropriate, the kit helps attackers harvest credentials even from wary users.
5. Comprehensive logging
SessionShark includes a logging panel for operators and Telegram bot integration. The ad describes “Instant Session Capturing” with all logs sent to a Telegram bot in real time. Integration with Telegram means a threat actor can get an alert with the victim’s email, password, and session cookie on their phone, as soon as someone falls for the phish.
This kind of convenient exfiltration is relatively common in phishing kits. Some widely used kits like Tycoon 2FA (as previously mentioned) are also sold through Telegram channels and deliver live results to Telegram. For defenders, this means once a victim submits credentials, the attacker may take over the account within seconds, long before traditional incident response can react.
Criminal marketing: “Educational” spin to subscriptions
One of the most interesting aspects of SessionShark is its marketing, mirroring legitimate software sales tactics. The language attempts to legitimize the tool by framing it as an “ethical hacking” or educational product while advertising features clearly meant for illicit abuse.
This duplicitous marketing strategy is common in underground forums. It provides a thin veneer of deniability (to avoid forum bans or legal issues) but fools no one about the true purpose. Phrases like “for educational purposes” or “ethical hacking perspective” in the ad copy are a wink and nod to buyers that this is a hacking tool, not a classroom demo.
The ‘educational’ terms of service for SessionShark
This phishing-kit-as-a-service approach indicates a broader trend in the cybercrime ecosystem: threat actors package and sell their tools with user experience and scalability in mind. Just as ransomware shifted to a RaaS model, phishing kits are often subscription-based, ensuring the developers get a steady revenue stream and a growing user base.
For buyers, the appeal is getting a turnkey solution with updates and support. In the case of SessionShark, having a Telegram support channel means criminals can get help setting up or troubleshooting the kit — essentially, customer service for a hacking product.
Get proactive protection with Varonis
SessionShark is another example of how cybercriminals innovate and commercialize their tactics, eroding the security benefits of MFA through clever phishing schemes. It highlights the importance of staying ahead of threat actor techniques. The good news is that as attackers up their game, so can defenders.
Varonis is at the forefront of this battle. Our AI-driven phishing defense solutions are designed to detect and block credential phishing kits and infrastructure, including sophisticated MFA-bypass attacks, before they can ensnare your users.
By leveraging broad threat telemetry and detection algorithms, Varonis detects these threats and protects your organization even when attackers deploy advanced tools like SessionShark that slip past traditional security.
You need a solution you can trust to stop emerging phishing-as-a-service threats. Contact Varonis to learn how our technology provides 360° phishing defense so that you can stay one step ahead of even the most advanced phishing kits.