Cisco Duo Third-Party Compromise

On April 16, 2024, Cisco Duo informed affected customers of a breach involving its SMS and VoIP multi-factor authentication (MFA) service provider. The breach occurred on April 1st as the result of a phishing attack, which gave the threat actor unauthorized access to the provider’s systems, including SMS and VoIP MFA message logs for specific Duo accounts between March 1st and March 31st, 2024. Though the threat actor accessed message logs, they did not obtain message content. The exposed data included phone numbers, carriers, location data, and timestamps, potentially enabling targeted phishing campaigns.

Recommendations 

Recommendation #1: Obtain Message Logs if Impacted

Cisco Duo has stated that impacted customers can reach out to obtain a copy of the stolen message logs. Arctic Wolf recommends obtaining a copy of these logs in order to understand the impact of this compromise on your organization.

Notify impacted users and ensure they remain vigilant, reporting any suspected social engineering or other similar attacks to the appropriate security team.  

Recommendation #2: Implement Security Awareness Training

The threat actor successfully acquired sensitive information including phone numbers, carriers, location data, and timestamps, which could be used to create tailored social engineering attacks. This compromised data can be leveraged by threat actors to execute various attacks such as phishing (via email), smishing (via SMS), or vishing (via voice calls), all of which can lead to unauthorized access to company resources.  

Arctic Wolf strongly recommends the urgent implementation of comprehensive security awareness training campaigns. These initiatives are specifically designed to empower users with the skills necessary to swiftly recognize and effectively report any suspicious activities, particularly those associated with sophisticated phishing campaigns. 

References 

  1. Cisco Duo Advisory 


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.