According to researchers at Microsoft, a massive phishing campaign that can steal credentials despite the implementation of multi-factor authentication has already attempted to compromise more than 10,000 organizations. The adversary-in-the-middle style attack means that the attackers can hijack sign in sessions and access victim mailboxes to launch additional attacks against other targets. The campaign has been active since last fall, according to Microsoft’s 365 Defender Research Team. Microsoft released a report detailing the threat on Tuesday.

In the report, Microsoft explains how the threat actor deploys a proxy server between a target user and the website the user is attempting to visit. By impersonating the site, the attacker is able to steal credentials. The attack does not need to leverage any vulnerability to be successful, making it particularly dangerous. In addition, the type of MFA used by a given corporate email system does not matter for the attack as the type of attack steals the session cookie. MFA should continue to be used, however, it is not a foolproof system.