How Attackers Turn One Login Into Total Compromise

By Nick Ascoli, Director of Product Strategy at Flare, a cybersecurity SaaS platform.

The recent phishing campaign that used fake Semrush ads to compromise Google accounts is a stark reminder of the weaknesses in how we manage sessions and delegated access today.

Malicious actors used fake Semrush ads to harvest victims' Google account logins and data. Victims were greeted by a fraudulent Semrush login page offering a "Log in with Google" option. Because Semrush accounts are often linked to high-value Google accounts, a user who logged in handed the attackers access to data in both linked accounts. With that access, a threat actor could pose as the business and deceive vendors or partners into sending payments.

Flare contributed to Verizon's 2025 Data Breach Investigations Report (DBIR), which found that 88% of basic web application attacks involved the use of stolen credentials. In some cases the credentials were the first and only action; in others they were one link in a longer attack chain. IBM's 2024 Cost of a Data Breach Report puts the global average cost of a breach at $4.88 million. Understanding the weak points in session management helps businesses avoid those costs.

The Illusion of Security in MFA

Phishing attacks that harvest OAuth tokens or session cookies make multi-factor authentication (MFA) far less effective: the token already represents an authenticated, authorized user, so the attacker can impersonate that user without ever presenting a second factor.

To obtain these tokens, attackers build phishing emails or fake login pages that mimic legitimate services, as in the Semrush case, and prompt the user to click "Log in." The click sends the user to the OAuth authorization endpoint of the real provider (e.g., accounts.google.com), so the user sees a familiar, trusted login screen on the genuine domain. The only attacker-controlled parts of that request are the client_id of the attacker's registered application, the redirect_uri pointing back to it, and the scopes it asks for.

After the user enters the password and completes any MFA, the provider shows a consent screen listing the permissions the attacker's application is requesting (such as access to calendars, email, and files). If the user clicks "Allow," the legitimate provider generates an authorization code and redirects the browser to the attacker's registered callback URL. The attacker's application then exchanges that code at the provider's token endpoint for an access token, and often a refresh token, and can read the user's data within the granted scopes without ever handling the password or triggering MFA again. MFA was not bypassed; the victim satisfied it and then delegated access. The practical check is on the consent screen itself: the application name and the scopes it requests, and whether the organization allows users to authorize unverified third-party applications at all.
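The authorization-code exchange described above, walked through end to end as an added example (this is illustrative code written for this edit, not the article's or Flare's, and not a reproduction of the Semrush campaign). The provider is simulated in memory so the flow runs offline; the provider URL, the attacker's client id, redirect URI, scope names and the victim address are all hypothetical:

```python
"""Simulated OAuth 2.0 consent-phishing flow (added example, not from the article or Flare).

AuthorizationServer is an in-memory stand-in for a real provider's /authorize
and /token endpoints (think accounts.google.com) so the exchange runs offline.
The provider URL, attacker client id, redirect URI, scope names and victim are
all hypothetical.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PROVIDER_AUTHORIZE = "https://accounts.provider.example/o/oauth2/auth"  # hypothetical
ATTACKER_CLIENT_ID = "semrush-lookalike-7f3a"                           # hypothetical
ATTACKER_REDIRECT = "https://semrush-login.example/oauth/callback"      # attacker-controlled, hypothetical
PHISH_SCOPES = "openid email mail.read calendar.read files.read"        # hypothetical scope names


class AuthorizationServer:
    """Minimal authorization-code flow: issues codes after login+MFA+consent, swaps them for bearer tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> registered redirect_uri
        self.codes = {}     # authorization code -> (client_id, user, scopes)
        self.tokens = {}    # access_token -> (user, scopes)

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def authorize(self, params, user, mfa_passed, consent_given):
        """Front-channel /authorize: the victim has just logged in on the *real* provider."""
        if self.clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("redirect_uri not registered for client")
        if not mfa_passed:
            raise PermissionError("second factor required")
        if not consent_given:
            # Declining the consent screen is the one point where the victim can stop the attack.
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], user, params["scope"].split())
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, code):
        """Back-channel /token: server-to-server, no password and no MFA are involved."""
        issued_to, user, scopes = self.codes.pop(code)   # codes are single-use
        if issued_to != client_id:
            raise ValueError("code was issued to a different client")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = (user, scopes)
        return {"access_token": access, "token_type": "Bearer", "scope": " ".join(scopes)}

    def read_mailbox(self, access_token):
        """Resource API: authorization is decided by the token's scopes alone."""
        user, scopes = self.tokens[access_token]
        if "mail.read" not in scopes:
            raise PermissionError("mail.read not granted")
        return f"mailbox of {user}"


def build_consent_url(client_id, redirect_uri, scope, state):
    """The link behind the fake 'Log in with Google' button: it really does go to the provider."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": scope, "state": state, "access_type": "offline"}
    return PROVIDER_AUTHORIZE + "?" + urlencode(q)


def run_consent_phish(victim="alice@corp.example", consent_given=True):
    """Walk the whole chain; returns what the attacker ends up holding, or None if the victim declines."""
    provider = AuthorizationServer()
    provider.register_client(ATTACKER_CLIENT_ID, ATTACKER_REDIRECT)
    state = secrets.token_urlsafe(8)

    link = build_consent_url(ATTACKER_CLIENT_ID, ATTACKER_REDIRECT, PHISH_SCOPES, state)
    params = {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}

    # Victim authenticates on the genuine provider (password + MFA) and sees the consent screen.
    redirect = provider.authorize(params, victim, mfa_passed=True, consent_given=consent_given)
    query = parse_qs(urlparse(redirect).query)
    if "code" not in query:
        return None   # access_denied: nothing usable reaches the attacker

    # Browser lands on the attacker's callback; the attacker's backend swaps the code for a token.
    token = provider.token(ATTACKER_CLIENT_ID, query["code"][0])
    return {"callback_host": urlparse(redirect).hostname,
            "scopes": token["scope"].split(),
            "data": provider.read_mailbox(token["access_token"])}


if __name__ == "__main__":
    print(run_consent_phish())
    print(run_consent_phish(consent_given=False))
```

The point to notice is that `token()` and `read_mailbox()` never see a password or a second factor; the only thing they check is the scope list the victim approved, which is why the consent screen, and the policy on which apps users may consent to, is the control that matters. A real provider also verifies client registration, PKCE and state, which are left out here.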

Automated Large-Scale Credential Harvesting

Once attackers find tried-and-tested methods to capture the data they want, such as login credentials, they automate the process.

That means automated phishing emails, scripts that register malicious applications, and scripts that sift through large volumes of stolen data to validate credentials. Using bots, they also try the same username/password pairs against numerous other sites (credential stuffing), relying on password reuse to find working combinations.

Once attackers have access to employees' mailboxes, the automation gets more sophisticated. They can use AI to analyze writing styles, draft messages that mimic them, and send personalized blasts carrying malicious links or malware attachments. At that scale, they are bound to win over a few more victims.

With AI and automation behind phishing, researchers in a January study achieved a 54% click-through rate (CTR) with fully AI-automated spear-phishing emails. A click is not yet a submitted credential, but an engagement rate like that suggests more than half of an organization could be drawn to a credential-harvesting page by a single automated blast.

Proactive Defense Mechanisms

Cybersecurity leaders must evaluate their defense strategy from multiple angles. They must be where the attackers are, to stay current on the latest attack forms and to monitor for credential leakage. They must also try to break their own defenses: if they can get in, so can malicious actors. Most importantly, they must keep employees informed about the latest attacks, what to look out for, how password and session policies protect them, and how to report suspicious behavior.

Flare found that in 2024, 46% of infostealer-compromised systems that contained possible corporate login data were unmanaged devices. Bring-your-own-device (BYOD) schemes have grown for several reasons, including lower overheads and letting employees use the equipment they are comfortable with, whether in the office or at home. But such devices are harder to manage, and not every user will accept traditional full-device management.

Whether employees use personal or corporate devices, companies can implement real-time detection and response for corporate application session anomalies. Logins from unregistered geographic locations, unrecognized devices, surges in data access, and bursts of failed login attempts should all raise alarms. When an anomaly is detected, the session can be terminated automatically, re-authentication required, and the user and IT alerted. Companies can also tie session timeouts to the risk of the activity: a session in which a user performs financial transactions should time out sooner than one used for sending email.
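To make the detection logic above concrete, here is an added example (written for this edit, not code from the article or from Flare's product) that replays a constructed set of session events through a small monitor. The event field names, the 10-minute window, the failure and download thresholds, the timeout table and the sample users, countries and devices are all assumptions chosen for illustration:

```python
"""Session anomaly detection with risk-based idle timeouts (added example, not from the article or Flare).

EVENTS is a constructed sample of session records for one tenant; field names,
thresholds, the 10-minute window and the timeout table are assumptions chosen
for illustration, not a vendor's rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Idle timeout per activity risk class: higher-risk activity, shorter session.
IDLE_TIMEOUT = {
    "financial": timedelta(minutes=5),
    "admin": timedelta(minutes=5),
    "email": timedelta(minutes=30),
    "default": timedelta(minutes=15),
}


def idle_timeout(activity):
    """Timeout to apply after the user's most recent activity of this class."""
    return IDLE_TIMEOUT.get(activity, IDLE_TIMEOUT["default"])


class SessionMonitor:
    """Evaluates one event at a time against a per-user baseline and short sliding windows."""

    def __init__(self, baseline, window=timedelta(minutes=10), fail_limit=5, bytes_limit=200_000_000):
        self.baseline = baseline             # user -> {"countries": set(), "devices": set()}
        self.window = window
        self.fail_limit = fail_limit         # failed logins per window before we react
        self.bytes_limit = bytes_limit       # bytes downloaded per window before we react
        self.failures = defaultdict(deque)   # user -> deque of failure timestamps
        self.downloads = defaultdict(deque)  # user -> deque of (timestamp, bytes)

    def _trim(self, dq, now, key=lambda item: item):
        """Drop entries that have fallen out of the sliding window."""
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def evaluate(self, ev):
        """Return a list of (reason, action) pairs; an empty list means the event looks normal."""
        alerts, now, user = [], ev["ts"], ev["user"]
        base = self.baseline.get(user, {"countries": set(), "devices": set()})

        if ev["type"] == "login_failed":
            q = self.failures[user]
            q.append(now)
            self._trim(q, now)
            if len(q) >= self.fail_limit:
                alerts.append(("failed-login burst", "lock_account_and_alert"))
            return alerts   # no session exists yet, nothing else to check

        if ev["country"] not in base["countries"]:
            alerts.append(("unregistered location", "terminate_and_reauth"))
        if ev["device"] not in base["devices"]:
            alerts.append(("unrecognized device", "terminate_and_reauth"))
        if ev["type"] == "download":
            q = self.downloads[user]
            q.append((now, ev["bytes"]))
            self._trim(q, now, key=lambda item: item[0])
            if sum(b for _, b in q) > self.bytes_limit:
                alerts.append(("data access surge", "terminate_and_reauth"))
        return alerts


def run(events, baseline):
    """Replay events in order; returns (timestamp, user, reason, action) tuples for every alert."""
    monitor = SessionMonitor(baseline)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for reason, action in monitor.evaluate(ev):
            findings.append((ev["ts"].isoformat(), ev["user"], reason, action))
    return findings


# Constructed sample data: alice normally works from the US on device dev-a1; bob has no history.
T0 = datetime(2025, 5, 1, 9, 0)
BASELINE = {"alice": {"countries": {"US"}, "devices": {"dev-a1"}}}
EVENTS = [
    {"ts": T0, "user": "alice", "type": "login_ok", "country": "US", "device": "dev-a1"},
    {"ts": T0 + timedelta(minutes=5), "user": "alice", "type": "download", "country": "US",
     "device": "dev-a1", "bytes": 5_000_000},
    # A stolen session replayed from a new country on a device never seen before.
    {"ts": T0 + timedelta(minutes=42), "user": "alice", "type": "login_ok", "country": "NL", "device": "dev-z9"},
    {"ts": T0 + timedelta(minutes=43), "user": "alice", "type": "download", "country": "NL",
     "device": "dev-z9", "bytes": 150_000_000},
    {"ts": T0 + timedelta(minutes=44), "user": "alice", "type": "download", "country": "NL",
     "device": "dev-z9", "bytes": 120_000_000},
] + [
    # Credential-stuffing burst against bob: five failures inside two and a half minutes.
    {"ts": T0 + timedelta(minutes=60, seconds=30 * i), "user": "bob", "type": "login_failed"}
    for i in range(5)
]

if __name__ == "__main__":
    for row in run(EVENTS, BASELINE):
        print(*row)
    print("financial idle timeout:", idle_timeout("financial"))
```

In production the first `terminate_and_reauth` would end the session, so the later events from the replayed session would not occur; the replay keeps going here only to show that the download surge is detected on its own, from the sliding window, independently of the location and device rules.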

Even with real-time session monitoring and dynamic timeouts, credential leakage remains a risk. Cybersecurity teams keep their finger on the pulse by monitoring the clear, deep, and dark web, as well as the illicit communities that operate on messaging platforms such as Telegram.

Cybercriminals use dark web marketplaces to sell or trade malware, phishing kits, and credentials. Security analysts can use the Tor Browser to reach these forums and marketplaces and look for mentions of their organization's domains and employee credentials, so that leaked data is found and the affected accounts reset before it is used against them.
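Much of what turns up in those marketplaces is infostealer output: text dumps of URL, username and password triples harvested from a compromised browser, which is also the kind of data behind the unmanaged-device figure above. As an added example (written for this edit, not the article's or Flare's code), the following scans a constructed dump for an organization's domains and identities. The dump itself, the watched domain, the key aliases and every username and password in it are made up for illustration, and no plaintext password is ever stored or printed:

```python
"""Scan an infostealer credential dump for an organization's identities (added example, not from the article or Flare).

SAMPLE_LOG is a constructed dump in the URL/USER/PASS block layout many stealer
families produce; the key aliases, the watched domain and every entry in the
sample are assumptions for illustration. Passwords are never stored or printed,
only fingerprinted so reuse across records can be spotted.
"""
import hashlib
from urllib.parse import urlsplit

WATCHED_DOMAINS = {"corp.example"}   # hypothetical organization domain (subdomains match too)

# Different stealer families label the same fields differently; normalize them.
KEY_ALIASES = {"url": "url", "host": "url", "user": "user", "login": "user",
               "username": "user", "pass": "pass", "password": "pass"}

SAMPLE_LOG = """\
URL: https://sso.corp.example/adfs/ls/
USER: j.doe@corp.example
PASS: Winter2024!

URL: https://mail.google.com/
USER: jdoe.personal@gmail.com
PASS: hunter2

Host: https://vpn.corp.example:443/login
Login: CORP\\jdoe
Password: Winter2024!

URL: https://notcorp.example.org/
USER: someone@corp.example
PASS: Summer2023
"""


def parse_stealer_log(text):
    """Split the dump into blank-line separated records of normalized key -> value."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # first colon only; passwords may contain ':'
        norm = KEY_ALIASES.get(key.strip().lower())
        if sep and norm:
            current[norm] = value.strip()
    if current:
        records.append(current)
    return records


def hostname_of(url):
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def domain_matches(host, watched):
    return any(host == d or host.endswith("." + d) for d in watched)


def password_fingerprint(password):
    """Truncated SHA-256: enough to correlate reuse, useless for recovering the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def scan(text, watched=WATCHED_DOMAINS):
    """Return records that expose a corporate site login or a corporate identity on another site."""
    findings = []
    for rec in parse_stealer_log(text):
        host = hostname_of(rec.get("url", ""))
        user = rec.get("user", "")
        reasons = []
        if domain_matches(host, watched):
            reasons.append("corporate site")
        elif "@" in user and domain_matches(user.rsplit("@", 1)[1].lower(), watched):
            reasons.append("corporate identity on third-party site")   # password reuse risk
        if reasons:
            findings.append({"host": host, "user": user, "reasons": reasons,
                             "pw_fingerprint": password_fingerprint(rec.get("pass", ""))})
    return findings


def reused_fingerprints(findings):
    """Fingerprints seen in more than one flagged record: the same password on several sites."""
    counts = {}
    for f in findings:
        counts[f["pw_fingerprint"]] = counts.get(f["pw_fingerprint"], 0) + 1
    return {fp for fp, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["host"], f["user"], ", ".join(f["reasons"]), f["pw_fingerprint"])
    print("reused:", reused_fingerprints(found))
```

Two things the output makes visible that a grep for the domain name would not: the corporate SSO password also protects the VPN (same fingerprint), so one reset is not enough, and a corporate email used on an unrelated site is a credential-stuffing lead even though the site itself is not the company's.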

Cybersecurity is becoming more advanced, and so are the attacks against it. IT teams must stay a step ahead and keep employees in the loop so they avoid innocent but costly mistakes. Frequent security briefings, layered defenses, and dark web monitoring all help IT teams keep company data safe.
