New Phishing Kit ‘Sneaky 2FA’ Targets Microsoft 365 Accounts
By Ravie Lakshmanan, January 17, 2025
Cybersecurity researchers have identified a new adversary-in-the-middle (AitM) phishing kit, dubbed ‘Sneaky 2FA’, which has been targeting Microsoft 365 accounts to steal credentials and two-factor authentication (2FA) codes since at least October 2024.
The Phishing Kit’s Origins
The Sneaky 2FA phishing kit has been detected by French cybersecurity company Sekoia, which identified it in the wild in December. The company has identified nearly 100 domains hosting Sneaky 2FA phishing pages, suggesting moderate adoption by threat actors.
Phishing-as-a-Service (PhaaS)
The Sneaky 2FA phishing kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service ‘Sneaky Log,’ which operates through a fully-featured bot on Telegram. Customers of the service receive an archive of obfuscated code to host on their own servers. Several deobfuscated/cracked versions of W3LL have been circulated in past years.
Connection to Known Phishing Kits
Some of the Sneaky 2FA domains were previously associated with known AitM phishing kits, such as Evilginx2 and Greatness. This suggests that at least a few cyber criminals have migrated to the new service.
Detection Method
Sekoia researchers observed that the phishing kit uses different hardcoded User-Agent strings for its HTTP requests depending on the step of the authentication flow. This behavior is rare in legitimate user authentication, as a user would have to perform successive steps of the authentication from different web browsers.
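The User-Agent transition described above can be checked for in sign-in logs. The following is an added example, not code from Sekoia or the original article; the event fields, step labels, User-Agent values and the 10-minute window are constructed assumptions to be mapped to your own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed User-Agent values for illustration; not the kit's actual strings.
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0.0.0 Safari/537.36"
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"
UA_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Version/17.6 Safari/605.1.15"

# Constructed sign-in events: (timestamp, user, flow_id, step, user_agent).
# Field names and step labels are assumptions, not a vendor schema.
EVENTS = [
    ("2025-01-10T09:00:01", "alice@example.com", "f1", "password", UA_CHROME),
    ("2025-01-10T09:00:09", "alice@example.com", "f1", "mfa", UA_CHROME),
    ("2025-01-10T09:00:12", "alice@example.com", "f1", "token", UA_CHROME),
    ("2025-01-10T10:15:30", "bob@example.com", "f2", "password", UA_CHROME),
    ("2025-01-10T10:15:41", "bob@example.com", "f2", "mfa", UA_FIREFOX),
    ("2025-01-10T10:15:44", "bob@example.com", "f2", "token", UA_SAFARI),
    # Same user, different browser, but separate flows: not a mid-flow switch.
    ("2025-01-10T11:00:00", "carol@example.com", "f3", "password", UA_CHROME),
    ("2025-01-11T08:30:00", "carol@example.com", "f4", "password", UA_FIREFOX),
]


def find_ua_switches(events, window=timedelta(minutes=10)):
    """Return (user, flow_id, from_step, to_step) for every User-Agent change
    between consecutive steps of the same authentication flow."""
    flows = defaultdict(list)
    for ts, user, flow_id, step, ua in events:
        flows[(user, flow_id)].append((datetime.fromisoformat(ts), step, ua))

    hits = []
    for (user, flow_id), steps in flows.items():
        steps.sort(key=lambda s: s[0])  # logs may arrive out of order
        for (t0, step0, ua0), (t1, step1, ua1) in zip(steps, steps[1:]):
            # A browser does not change between steps seconds apart.
            if ua0 != ua1 and (t1 - t0) <= window:
                hits.append((user, flow_id, step0, step1))
    return hits


if __name__ == "__main__":
    for hit in find_ua_switches(EVENTS):
        print("User-Agent changed mid-flow:", hit)
```

Grouping by flow rather than by user alone keeps a user who simply signs in later from another browser out of the results.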
Conclusion
The Sneaky 2FA phishing kit is a sophisticated threat that targets Microsoft 365 accounts and steals credentials and 2FA codes. Its use of different User-Agent strings across the steps of a single authentication flow gives defenders a high-fidelity way to detect the kit.