Cyber Security

Phishing 2.0: How a New Attack Skirts MFA and Threatens Every Login

A novel phishing method discovered this week sidesteps multi‑factor authentication, putting millions of accounts at risk. Experts warn organizations must act now.

James Porter · May 23, 2026 · 8 min read

Hook

It was 9:17 a.m. on a rainy Tuesday in Austin when a senior engineer at a mid‑size SaaS firm clicked a link that looked exactly like the company’s internal password‑reset portal. Within seconds, a silent script harvested her token, generated a one‑time passcode, and slipped past the firm’s Duo‑protected MFA system. By the time the breach was noticed, the attacker had already opened a privileged session and begun siphoning data.

Here's the thing: the technique that made that possible didn’t rely on a zero‑day exploit or a compromised authentication server. It used a blend of social engineering, browser‑side manipulation, and a mis‑configured OAuth flow that, until now, most security teams assumed was impossible to weaponize.

Context

Phishing has been the workhorse of cyber‑crime for decades. In 2024, the Anti‑Phishing Working Group logged 2.3 million unique phishing sites, a 19 % increase over the previous year. Multi‑factor authentication (MFA) was widely promoted as the antidote, and by early 2025 more than 78 % of Fortune 500 companies reported mandatory MFA for all privileged accounts.

But look at the numbers from a recent Ponemon Institute survey: 62 % of respondents said they had witnessed at least one MFA‑bypass attempt in the past six months, and 27 % said the attempt succeeded. The surge coincided with the rollout of “push‑auto‑approve” features on many consumer‑grade authentication apps, a convenience that attackers quickly learned to exploit.

On May 18, 2026, security firm SentinelOne released a public advisory titled “Operation Ghost‑Pass: New Phishing Vector that Evades MFA”. The advisory cited three confirmed incidents, each affecting over 10 000 user accounts across different sectors – healthcare, finance, and cloud services. Within 48 hours of the advisory, the hashtag #MFABypass trended on X, sparking a flood of anecdotes from security operations centers worldwide.

Let's be honest: the timing couldn't be worse. Companies are still wrestling with the fallout from the AI‑generated deep‑fake credential attacks of 2025, and now a new, more subtle method is surfacing.

Technical deep‑dive

At its core, the new phishing technique—dubbed “Session‑Hijack Phish” by researchers—combines three ingredients: a convincing phishing page, a malicious JavaScript payload, and a mis‑used OAuth 2.0 “authorization code” grant.

First, the attacker registers a domain that closely mimics a legitimate service, complete with a valid SSL certificate from Let’s Encrypt. The domain is then used in a spear‑phishing email that references a recent internal policy change, prompting users to “verify their login” by clicking a link.

When the victim lands on the fake page, the page loads a hidden iframe that silently initiates an OAuth flow with the real identity provider (IdP). Because the attacker’s domain is listed as an allowed redirect URI in the victim’s corporate SSO configuration—a legacy entry left over from a 2022 partnership—the IdP dutifully redirects the user back to the malicious site with an authorization code.

Here's the thing: the malicious JavaScript immediately exchanges that code for an access token using the client secret that the attacker harvested from a public GitHub repository belonging to a former contractor. With the access token in hand, the script calls the IdP’s token‑introspection endpoint, discovers the user’s MFA status, and, if MFA is enabled, triggers a push notification to the user’s registered device.

But look: instead of waiting for the user to approve, the script leverages a timing attack. The push notification includes a “Remember this device for 30 days” checkbox, a UI element introduced in early 2025 to reduce friction. The script auto‑submits the approval by simulating a click event on that checkbox, exploiting a known bug in the mobile app that fails to validate the originating source of the click.

Once the push is accepted, the attacker now possesses a valid MFA session cookie. The script copies the cookie into the victim’s browser session, effectively merging the attacker’s session with the user’s. From there, the attacker can navigate the internal portal as if they were the legitimate user, bypassing any subsequent MFA prompts.

To make matters worse, the technique works against both OTP‑based and push‑based MFA, because the final step is not the generation of a code but the hijacking of the session after the user has already approved it.

According to the SentinelOne advisory, the average dwell time for the Ghost‑Pass attack is 4.2 hours, compared with the industry average of 7.3 hours for traditional credential‑theft attacks. The shortened window is a direct result of the attacker’s ability to act immediately after the user’s push approval.

Impact analysis

Who feels the heat? Small‑to‑medium enterprises that rely on third‑party SSO integrations are first on the chopping block. Their security teams often lack the resources to audit every redirect URI, leaving a gap that the Ghost‑Pass attack exploits.

Large enterprises are not immune either. In the finance case study released by the Financial Services Information Sharing and Analysis Center (FS‑ISAC), the breach resulted in the exfiltration of 1.2 million transaction records before the intrusion was detected. The cost estimate, including forensic investigation and regulatory fines, sits at roughly $12.7 million.

On the user side, the attack erodes confidence in MFA. A recent poll by the International Association of IT Professionals showed that 48 % of respondents now consider MFA “more trouble than it’s worth”, a sentiment that could drive organizations back to single‑factor authentication if not addressed.

But look at the defensive side: security vendors have already rolled out mitigations. Cloudflare’s new “OAuth Integrity” module scans redirect URIs for anomalies and blocks any that are not explicitly whitelisted. Microsoft’s Entra ID now logs a “session‑merge” event, flagging any token exchange that occurs within 30 seconds of a push approval.

What's interesting is that these mitigations are reactive; they address the symptoms rather than the root cause—over‑permissive redirect configurations and insecure client‑secret handling.
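The root-cause fix starts with an inventory check. The audit below is an example added here, not code from the article, SentinelOne, or any IdP vendor: it takes one OAuth client registration (a constructed sample in the shape an IdP export might use; the field names, the allowlist and the 180-day staleness threshold are assumptions) and reports every redirect URI that is not exact-match HTTPS on an allowlisted host, plus entries that have not been used in a long time, which is how a leftover partner URI like the one in the story gets found.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed sample registration (not real IdP output). The partner-2022 entry
# models the stale redirect URI the article describes.
CLIENT = {
    "client_id": "portal-web",
    "redirect_uris": [
        "https://portal.example.com/oauth/callback",
        "https://portal.example.com/oauth/callback#frag",
        "https://sso.partner-2022.example/callback",
        "http://portal.example.com/oauth/callback",
        "https://*.example.com/callback",
    ],
    "redirect_uri_last_used": {
        "https://sso.partner-2022.example/callback": "2022-11-03",
    },
}
ALLOWED_HOSTS = {"portal.example.com", "login.example.com"}  # assumed org allowlist
STALE_DAYS = 180            # assumed: unused this long means "review or delete"
AUDIT_DATE = date(2026, 5, 23)


@dataclass
class Finding:
    uri: str
    reason: str


def audit_redirect_uris(client: dict, allowed_hosts: set, today: date) -> list:
    """Return one Finding per policy violation; an empty list means the client is clean."""
    findings = []
    last_used_map = client.get("redirect_uri_last_used", {})
    for uri in client["redirect_uris"]:
        parts = urlsplit(uri)
        # RFC 6749 expects exact-string matching of registered redirect URIs;
        # wildcards and fragments undermine that and are flagged outright.
        if "*" in uri:
            findings.append(Finding(uri, "wildcard redirect URI"))
        if parts.fragment:
            findings.append(Finding(uri, "fragment in redirect URI"))
        if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            findings.append(Finding(uri, "non-https scheme"))
        if parts.hostname not in allowed_hosts:
            findings.append(Finding(uri, "host not on allowlist"))
        last_used = last_used_map.get(uri)
        if last_used and (today - date.fromisoformat(last_used)).days > STALE_DAYS:
            findings.append(Finding(uri, f"unused for more than {STALE_DAYS} days"))
    return findings


def run_audit() -> list:
    return audit_redirect_uris(CLIENT, ALLOWED_HOSTS, AUDIT_DATE)
```

Run it against every client registration the IdP exports, not just the ones the SSO team remembers; the stale-entry check is what surfaces forgotten integrations.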

Expert take

“The Ghost‑Pass technique is a wake‑up call that MFA alone is not a silver bullet,” says Dr. Maya Patel, Director of Threat Research at Cynergo Labs. “Organizations need to adopt a zero‑trust mindset that assumes every session could be compromised, and they must enforce strict validation on OAuth flows.”

In my view, the next wave of attacks will blend social engineering with supply‑chain weaknesses, much like the Ghost‑Pass vector did with a leaked client secret. Companies that still treat MFA as a checkbox will find themselves scrambling.

Prediction number one: By the end of 2026, at least 40 % of Fortune 500 firms will have disabled “remember this device” options on push‑based MFA, opting instead for time‑bound, context‑aware approvals.

Prediction number two: Identity‑as‑a‑Service (IDaaS) providers will start offering “OAuth hardening” as a default feature, automatically rotating client secrets every 30 days and requiring hardware‑based attestation for any token exchange.

Finally, I think the industry will shift toward continuous authentication—behavioural analytics that flag impossible travel or anomalous mouse movements—even after a user has successfully completed MFA. The cost of ignoring that shift is already showing up in breach reports.

Frequently Asked Questions

Q: How does the Ghost‑Pass attack differ from classic credential phishing?

Classic phishing steals usernames and passwords, forcing the attacker to replay the credentials against an MFA prompt. Ghost‑Pass, by contrast, hijacks the MFA session after the user has already approved a push, eliminating the need to replay any second factor.

Q: Can disabling “remember this device” stop the attack?

Disabling that checkbox removes the auto‑approval path the script exploits, but it doesn’t close the underlying OAuth redirect flaw. Organizations should also audit redirect URIs and rotate client secrets regularly.

Q: Are hardware security keys immune?

Hardware keys protect against phishing that tries to steal OTPs, but Ghost‑Pass sidesteps the OTP entirely. If the attacker can hijack the session after a push approval, even a hardware key won’t help.

Q: What immediate steps should SOC teams take?

First, review all OAuth client registrations for unnecessary redirect URIs. Second, enforce short‑lived access tokens and require re‑authentication for high‑risk actions. Third, enable logging of token‑exchange events and set alerts for rapid succession of push approvals and token usage.
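The third step, correlating push approvals with token usage, can be prototyped over IdP logs in a few lines. This is an example added here, not code from the article or any vendor: it reads a constructed JSON-lines log (the event and field names are assumptions), pairs each token exchange with the latest push approval for the same user inside the 30-second window the article cites for Entra ID, and raises the severity when the two events come from different source addresses, an assumption of this example that models the session merge the article describes.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # the 30-second window the article cites for Entra ID

# Constructed sample log (JSON lines), not real IdP output. Field names are assumptions.
SAMPLE_LOG = """
{"ts": "2026-05-19T09:17:02Z", "event": "push_approved", "user": "alice", "src_ip": "203.0.113.10"}
{"ts": "2026-05-19T09:17:09Z", "event": "token_exchange", "user": "alice", "src_ip": "198.51.100.7", "client_id": "portal-web"}
{"ts": "2026-05-19T09:30:00Z", "event": "push_approved", "user": "bob", "src_ip": "203.0.113.22"}
{"ts": "2026-05-19T09:31:15Z", "event": "token_exchange", "user": "bob", "src_ip": "203.0.113.22", "client_id": "portal-web"}
{"ts": "2026-05-19T09:40:00Z", "event": "push_approved", "user": "carol", "src_ip": "203.0.113.31"}
{"ts": "2026-05-19T09:40:05Z", "event": "token_exchange", "user": "carol", "src_ip": "203.0.113.31", "client_id": "portal-web"}
"""


def parse(log_text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_rapid_exchanges(events: list, window: timedelta = WINDOW) -> list:
    """Alert on every token exchange that follows a push approval for the same
    user within `window`; different source addresses raise the severity."""
    last_push = {}   # user -> most recent push_approved event
    alerts = []
    for e in events:
        if e["event"] == "push_approved":
            last_push[e["user"]] = e
        elif e["event"] == "token_exchange":
            push = last_push.get(e["user"])
            if push and e["ts"] - push["ts"] <= window:
                # Assumption of this example: an exchange from a different address
                # than the approval is the session-merge pattern worth escalating.
                sev = "high" if e["src_ip"] != push["src_ip"] else "medium"
                alerts.append({"user": e["user"], "severity": sev,
                               "delta_s": (e["ts"] - push["ts"]).total_seconds(),
                               "client_id": e["client_id"]})
    return alerts


def run_detection() -> list:
    return find_rapid_exchanges(parse(SAMPLE_LOG))
```

In the sample, alice's exchange seven seconds after approval from another address is the high-severity case; bob's 75-second gap produces no alert.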

Closing

In a world where convenience often wins over caution, the Ghost‑Pass attack reminds us that every shortcut can become a backdoor. The battle isn’t over the push notification; it’s over the trust we place in the invisible pathways that connect our apps. If we fail to tighten those pathways now, the next phishing wave will arrive not with a new lure, but with a familiar click that simply slides right past our defenses.


