
As Gmail And Microsoft 2FA Security Bypassed — Do This One Thing Now
Enable passkeys as 2FA bypass attacks confirmed.
I'm sorry to have to tell you this, but if you didn't already realize, you are under attack. No matter the operating system you use, the applications you rely upon or the faith you have in Big Tech to protect you, attackers are coming for your accounts and your data. The higher the profile of those accounts, the more valuable they are and the more hacking scrutiny they are under. Which is why we see security warnings involving such things as Apple ID attacks, X social media data leaks, and FBI defense advice for both Android and iPhone smartphone users. It is, however, Gmail and Microsoft accounts that are most valued by hackers for the data that a successful account hack can expose. News of the evolution of an already perilous threat that can bypass the 2FA protections that both Google and Microsoft have in place is, therefore, naturally of huge concern. Here's what you need to know and what both tech giants say you must do right now.
Tycoon 2FA is not a new threat, far from it, in fact. As I reported March 26, 2024, the adversary-in-the-middle attack kit first came to the attention of threat intelligence experts in 2023. In March 2024, however, the criminal developers behind it turned the threat dial up a notch or two by releasing an update that specifically targeted Microsoft 365 and Gmail account holders and employed advanced obfuscation and anti-detection capabilities.
Those attackers have, it seems, now turned the dial to 11.
New intelligence from security researchers at Trustwave has revealed even more sophisticated evasion techniques being deployed against Gmail and Microsoft users in the latest 2025 attacks. According to the new report's authors, Trustwave's Phil Hay and Rodel Mendrez, these include 'using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.'
While conceding that none of these techniques are groundbreaking, individually at least, combining them does pose a new threat that makes detection and response even more difficult. Custom CAPTCHA visuals drawn on an HTML5 canvas, for example, can add legitimacy to phishing attempts (and sidestep text-based page scanning), Unicode- and proxy-based obfuscation can delay detection, and anti-debugging behaviors hide malicious activity from automated analysis tools.
Trustwave recommended that security teams should 'consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns' in order to stay one step ahead of the Tycoon 2FA attackers. Google and Microsoft, however, have some more straightforward advice for ordinary users when it comes to protecting themselves and their valuable accounts from the 2FA bypass hackers.
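As an added illustration of the "deeper inspection of JavaScript patterns" that Trustwave recommends, the following example (written for this article, not Trustwave's or the phishing kit's code) scans a script for the invisible Unicode characters the report describes, strips them to recover the readable source, and flags a `debugger`-in-timer anti-inspection pattern. The invisible-character set and the sample script are assumptions constructed here.

```python
import re
import unicodedata
from typing import List, Tuple

# Code points that render as nothing and can be sprinkled through script text
# to break signature matching. Assumed set for this example; extend as needed.
INVISIBLE_CODEPOINTS = {
    0x00AD,                                   # SOFT HYPHEN
    0x200B, 0x200C, 0x200D,                   # zero width space / non-joiner / joiner
    0x2060, 0x2061, 0x2062, 0x2063, 0x2064,   # word joiner, invisible operators
    0xFEFF,                                   # zero width no-break space
    0x180E,                                   # Mongolian vowel separator
    0x115F, 0x1160, 0x3164, 0xFFA0,           # Hangul fillers
}
TAG_RANGE = range(0xE0000, 0xE0080)           # Unicode "tag" characters, also invisible


def _is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return cp in INVISIBLE_CODEPOINTS or cp in TAG_RANGE


def find_invisible_chars(js_source: str) -> List[Tuple[int, str]]:
    """Return (offset, 'U+XXXX NAME') for each invisible code point in the script.
    Note: a lone ZWJ/ZWNJ is legal inside a JS identifier, so weigh the count,
    not a single hit, when scoring."""
    hits = []
    for offset, ch in enumerate(js_source):
        if _is_invisible(ch):
            cp = ord(ch)
            hits.append((offset, f"U+{cp:04X} {unicodedata.name(ch, 'UNNAMED')}"))
    return hits


def strip_invisible_chars(js_source: str) -> str:
    """Remove the invisible code points so the underlying script can be read."""
    return "".join(ch for ch in js_source if not _is_invisible(ch))


# Matches `setInterval(function(){ ... debugger ... }` after de-obfuscation;
# a `debugger` statement fired on a timer stalls anyone with devtools open.
_DEBUGGER_TRAP = re.compile(
    r"set(?:Interval|Timeout)\s*\(\s*function\s*\([^)]*\)\s*\{[^}]*\bdebugger\b")


def has_debugger_trap(js_source: str) -> bool:
    """True if the script (with invisible characters removed) contains the trap."""
    return bool(_DEBUGGER_TRAP.search(strip_invisible_chars(js_source)))


# Constructed sample: a timer-based debugger trap padded with invisible characters.
SAMPLE_JS = "var\u200b t\u200c = setInterval(function(){\u2060debugger;\u200d}, 50);"

if __name__ == "__main__":
    for offset, label in find_invisible_chars(SAMPLE_JS):
        print(f"offset {offset}: {label}")
    print("cleaned:", strip_invisible_chars(SAMPLE_JS))
    print("debugger trap:", has_debugger_trap(SAMPLE_JS))
```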
The simple truth is that, from the end user's defensive perspective, the mitigation advice for Tycoon 2FA attacks is the same now as it was in 2024, namely, use passkeys.
A Google spokesperson said that 'passkeys substantially reduce the impact of phishing and other social engineering attacks. Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.'
Meanwhile, a Microsoft spokesperson said, 'As a security best practice, we encourage customers to always practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. In addition, we recommend switching to Passkeys wherever possible and using authentication apps such as Microsoft Authenticator, which warn users about potential phishing attempts.'
So, there you have it: use passkeys to protect your Gmail and Microsoft accounts, not only against this 2FA bypass attack but also against other potential threats. What are you waiting for? Do it now.