
    New ‘Sneaky 2FA’ Phishing Kit Exploits Microsoft 365 Accounts with 2FA Evasion Tactics

    Cybersecurity experts have unveiled a sophisticated adversary-in-the-middle (AitM) phishing kit, dubbed Sneaky 2FA, which targets Microsoft 365 accounts by circumventing two-factor authentication (2FA) protections. This tool has been active since at least October 2024, with the primary goal of capturing credentials and 2FA codes.

    French cybersecurity firm Sekoia identified the phishing kit in the wild in December 2024, tracing it to nearly 100 domains hosting its phishing pages. This distribution highlights its growing appeal among cybercriminals.

    “This phishing kit is offered as a phishing-as-a-service (PhaaS) solution by a cybercrime network called Sneaky Log, operating through a feature-rich bot on Telegram,” Sekoia stated in its analysis. “Subscribers gain access to a licensed, obfuscated version of the code for independent deployment.”

    How Sneaky 2FA Operates

    The phishing campaigns using this kit typically lure victims with emails disguised as payment receipts. These messages contain malicious PDF attachments featuring QR codes that redirect users to Sneaky 2FA phishing pages when scanned.

    These pages are often hosted on compromised infrastructure, including hijacked WordPress sites, to lend credibility to the scam. To increase believability, victims’ email addresses are pre-filled into the fake authentication pages.

    The kit integrates multiple anti-detection measures, such as:

    • Traffic Filtering: Ensuring only legitimate targets are redirected to credential-stealing pages.
    • Cloudflare Turnstile Challenges: Blocking automated traffic.
    • Anti-Analysis Features: Utilizing browser checks to identify and counter analysis attempts through developer tools.

    Notably, any visitor detected using a data center, VPN, proxy, or bot IP address is rerouted to a Microsoft-related Wikipedia page via the href[.]li redirection service. Due to this behavior, TRAC Labs has informally named the phishing tool WikiKit.

    Deceptive Tactics and Licensing Model

    The phishing pages are designed to mimic Microsoft login interfaces, utilizing blurred images of legitimate Microsoft content to trick users into inputting their credentials.

    A critical feature of this kit is its reliance on a central server, which validates an active subscription before allowing its use. This suggests a licensing model where customers pay a monthly fee—advertised at $200—to access the phishing tool.

    Connections to Known Phishing Groups

    Further investigation has revealed similarities between Sneaky 2FA and the W3LL Panel, a phishing kit exposed by Group-IB in 2023. Both employ licensing models requiring periodic checks with a central server, suggesting a shared origin or inspiration. Source code references also link Sneaky 2FA to W3LL Store, a syndicate previously associated with business email compromise (BEC) attacks.

    Moreover, several domains used by Sneaky 2FA were previously tied to other AitM phishing kits like Evilginx2 and Greatness, indicating a migration by some threat actors to this newer, more advanced service.

    Uncommon User-Agent Behavior

    One unique aspect of Sneaky 2FA is its use of hardcoded User-Agent strings that vary depending on the step of the authentication process. According to Sekoia researchers, this behavior deviates from legitimate authentication flows, where consistent User-Agent strings are typically used.

    “Although User-Agent transitions might occur in legitimate scenarios—such as when desktop apps trigger a browser for MFA—the sequence observed with Sneaky 2FA is unrealistic and serves as a strong indicator of its presence,” the researchers noted.
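As an added illustration of the detection idea above (not code from Sekoia or from the article), the following script groups sign-in events by attempt and flags attempts whose steps come from more than one OS family, so that a same-OS desktop-to-browser hand-off is tolerated while a Windows-to-Linux-to-iPhone sequence is not. The event field names, the sample events and the OS-family heuristic are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). Each dict is one step of a
# sign-in attempt; "correlation_id" ties the steps of one attempt together.
# Field names are an assumption loosely modelled on Entra ID sign-in logs.
SAMPLE_EVENTS = [
    {"correlation_id": "c-001", "step": "password", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"correlation_id": "c-001", "step": "mfa",      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"correlation_id": "c-002", "step": "password", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"correlation_id": "c-002", "step": "mfa",      "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    {"correlation_id": "c-002", "step": "token",    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"},
    # Legitimate-looking transition: a desktop client hands off to a browser on the same OS.
    {"correlation_id": "c-003", "step": "password", "user_agent": "Outlook/16.0 (Windows NT 10.0)"},
    {"correlation_id": "c-003", "step": "mfa",      "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"},
]

# Order matters: iPhone UAs also mention "Mac OS X", Android UAs also mention "Linux".
OS_PATTERNS = [("ios", r"iPhone|iPad"), ("android", r"Android"), ("windows", r"Windows NT"),
               ("macos", r"Mac OS X"), ("linux", r"X11|Linux")]

def os_family(user_agent):
    """Coarse OS family from a User-Agent string; 'unknown' if nothing matches."""
    for name, pattern in OS_PATTERNS:
        if re.search(pattern, user_agent):
            return name
    return "unknown"

def find_suspicious_sessions(events):
    """Return {correlation_id: [(step, os_family), ...]} for attempts whose
    steps span more than one OS family. The OS-family rule is this example's
    assumption, not Sekoia's published logic."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["correlation_id"]].append((ev["step"], os_family(ev["user_agent"])))
    return {sid: steps for sid, steps in by_session.items()
            if len({fam for _, fam in steps}) > 1}

if __name__ == "__main__":
    for sid, steps in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(sid, " -> ".join(f"{step}:{fam}" for step, fam in steps))
```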
    How to Protect Against Sneaky 2FA Attacks

    To defend against these sophisticated phishing tactics, experts recommend:

    1. Keep Software Updated: Regularly update plugins, especially on platforms like WordPress.
    2. Enable Multi-Layered Authentication: Consider using phishing-resistant MFA methods, such as hardware tokens.
    3. Monitor Suspicious Activity: Check for unauthorized admin accounts or unfamiliar plugins on your websites.
    4. Implement Domain Blocking: Use firewalls to prevent access to known malicious domains.

    With the rise of tools like Sneaky 2FA, proactive measures remain critical in thwarting evolving cyber threats.
