
Smile On Fridays secured coverage in SC Magazine OneLogin

New phishing campaign bypasses multi-factor authentication

Security researchers have found a new phishing campaign that gives hackers access to user data without a password.

According to a blog post by Cofense, the tactic abuses the OAuth2 framework and the OpenID Connect (OIDC) protocol: instead of harvesting a password, it leads the victim to authorise an attacker-controlled application, which is then granted access to the user's data.

Cofense researcher Elmer Hernandez said that the attack is not “a typical credential harvester, and even if it was, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.”
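As an added defender-side example (not part of the article or of Cofense's post): a small Python checker that inspects an OAuth2/OIDC authorization-request URL, the kind of link a consent-phishing lure carries, and flags an unapproved client_id, high-risk scopes and a redirect URI outside the organisation. The client allowlist, the scope names, the corporate domain and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of vetted OAuth2 client_ids (hypothetical value).
APPROVED_CLIENT_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}

# Scopes that let an app act on user data after the consent click. offline_access
# yields a refresh token, so the grant outlives the session. Names are illustrative.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.ReadWrite.All", "Contacts.Read"}

# Hypothetical corporate domain that legitimate redirect_uri values should stay under.
CORP_DOMAIN_SUFFIX = ".example-corp.test"


def assess_consent_request(url: str) -> dict:
    """Parse an authorization request and return findings plus a verdict.

    Consent phishing never touches the password or MFA: the link is a genuine
    authorization-endpoint URL whose client_id belongs to an attacker-registered
    app, so inspection focuses on who the client is and what it asks for.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client_id = params.get("client_id", "")
    scopes = set(params.get("scope", "").split())
    findings = []

    unapproved = client_id not in APPROVED_CLIENT_IDS
    if unapproved:
        findings.append(f"unapproved client_id {client_id or '<missing>'}")

    risky_scopes = sorted(scopes & HIGH_RISK_SCOPES)
    if risky_scopes:
        findings.append("high-risk scopes requested: " + ", ".join(risky_scopes))

    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if redirect_host and not redirect_host.endswith(CORP_DOMAIN_SUFFIX):
        findings.append(f"redirect_uri points outside the organisation: {redirect_host}")

    # Unknown app asking for data access is the consent-phishing pattern: block it.
    if unapproved and risky_scopes:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"client_id": client_id, "scopes": sorted(scopes),
            "findings": findings, "verdict": verdict}
```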
