The Rise of Phishing-as-a-Service Targeting Microsoft 365 Accounts

Sneaky 2FA phishing kit

Cybersecurity firm Sekoia recently spotted a new phishing kit using an Adversary-in-the-Middle (AitM) technique to target Microsoft 365 accounts. Discovered in December 2024, the Sneaky 2FA phishing kit is a sophisticated phishing-as-a-service (PhaaS) attack from the cybercriminal service known as Sneaky Log. PhaaS lowers the barrier to entry and enables more cybercriminals to launch more attacks, making it a growing threat in today’s landscape.

The kit is built specifically for Microsoft 365: its fake Microsoft authentication pages use screenshots of legitimate Microsoft interfaces as blurred background images, so the sign-in flow looks familiar to the victim. Personal and professional accounts alike are at risk of compromise, leading to data loss and more.

How Sneaky 2FA Works

The Sneaky 2FA phishing kit uses a sophisticated AitM technique that relays credentials and Two-Factor Authentication (2FA) codes in real time, enabling attackers to circumvent protection measures that users regard as reliably secure. It uses advanced obfuscation and deception methods to trick users and evade layers of security.

These methods include:

  • The initial phishing tactic of sending fake payment receipt emails with malicious QR codes.
  • Phishing pages being protected by Cloudflare Turnstile or reCAPTCHA, as well as traffic filtering features, to determine if the visitor to the page is a bot, proxy, VPN, or otherwise not a targeted victim.
  • Redirecting these non-targeted visitors to Microsoft-related Wikipedia pages, using the href[.]li redirection service to obscure the origin of the redirection.
  • Automatically populating the user’s email address into the fake login page, helping to make the page look more legitimate.
  • Hosting phishing pages on compromised infrastructure such as WordPress sites, leveraging the legitimate and trusted name to trick the target.

With these tactics, a Sneaky 2FA attack can successfully harvest credentials from targets, offering the attackers access to their accounts. This can lead to further harm for both individuals and businesses, as one user within an organization falling victim to this attack can enable the attackers to infiltrate the network.

The Role of ‘Sneaky Log’ and Telegram Integration

The “Sneaky Log” cybercrime service offers the Sneaky 2FA phishing kit via a bot on Telegram, which provides access to the source code in an obfuscated form. “This phishing kit was developed by one group of threat actors and sold to others, highlighting the collaborative nature of many cyberattacks,” according to Elad Luz, Head of Research at Oasis Security, a New York City-based provider of Non-Human Identity Management (NIM) solutions. “These malicious tools are often the result of layered efforts by different actors, working together and trading resources. The fact that such kits are readily available for purchase is highly concerning.”

This PhaaS is sold under a license-based model, where customers purchase a subscription license via an API in order to gain access to the tool. It is then the customer’s responsibility to deploy it and carry out whatever further actions they want to take with the stolen credentials. The phishing kit includes a range of features such as advanced anti-bot measures to avoid detection by security tools, integration with CAPTCHA services, and 2FA bypass.

The Growing Adoption of Sneaky 2FA

By early January 2015, Sekoia was able to track around 100 domains associated with Sneaky 2FA, most of which were registered by the attackers purchasing the phishing kit, while others were legitimate domains that had been compromised. The large number of different domains in use in these PhaaS attacks demonstrates an increasing interest in the service from cybercriminals.

The growth of the Sneaky 2FA phishing kit has severe implications for business and enterprise security. Any employee with a Microsoft 365 account can be targeted by a phishing attack, have their credentials stolen, and provide the attackers with an entry into the organization’s networks and systems. This can lead to catastrophic consequences, including data theft, disrupted operations, and malware.

How Organizations Can Defend Against Sneaky 2FA

Protecting against Sneaky 2FA attacks “requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats,” says Stephen Kowski, Field CTO at Pleasanton, California-based SlashNext. Organizations are encouraged to implement robust and layered security measures to counter the sophisticated methods of these attacks.
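The quote above recommends FIDO2/WebAuthn because an AitM proxy cannot replay a WebAuthn assertion: the browser, not the page, writes the real page origin into the signed client data and refuses to use a relying-party ID that does not belong to that origin. The following Python model of those two checks is an added illustration, not code from the article or from any vendor it quotes. The relying party `login.example`, the phishing origin `login-example.phish.invalid`, and the challenge bytes are constructed for the example; the authenticator signature that a real server also verifies over `authData || SHA-256(clientDataJSON)` is deliberately left out so the origin binding stands alone.

```python
"""Model of WebAuthn origin binding, the property that defeats AitM relays.

Assumptions (constructed, not from the article): relying party rpId
"login.example" served from "https://login.example"; a phishing proxy
served from "https://login-example.phish.invalid".
"""
import base64
import hashlib
import json
from urllib.parse import urlparse

RP_ID = "login.example"                  # constructed relying-party ID
RP_ORIGIN = "https://login.example"      # constructed expected origin
PHISH_ORIGIN = "https://login-example.phish.invalid"  # constructed AitM origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """The clientDataJSON the authenticator signs. The browser fills in
    `origin` from the page it is actually on; script cannot override it."""
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(doc, separators=(",", ":")).encode()


def authenticator_data(rp_id: str) -> bytes:
    """authData starts with SHA-256(rpId), followed by flags and a counter."""
    flags = b"\x01"                      # UP: user present
    counter = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes):
    """Model of navigator.credentials.get(): the rpId must equal the page's
    host or be a registrable suffix of it, otherwise the call fails (a
    SecurityError in a real browser and no assertion is produced)."""
    host = urlparse(page_origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None
    return client_data_json(challenge, page_origin), authenticator_data(requested_rp_id)


def rp_verify(issued_challenge: bytes, client_data: bytes, auth_data: bytes):
    """Server-side checks from the WebAuthn assertion verification procedure
    (signature verification omitted here, see lead-in)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def login_attempt(page_origin: str):
    """Full flow: RP issues a challenge, the browser on `page_origin` asks the
    authenticator, the RP verifies what comes back."""
    challenge = hashlib.sha256(b"constructed-per-login-challenge").digest()
    result = browser_get_assertion(page_origin, RP_ID, challenge)
    if result is None:
        return False, "browser refused rpId for this origin"
    client_data, auth_data = result
    return rp_verify(challenge, client_data, auth_data)


def relayed_by_proxy():
    """Even if a proxy page somehow obtained an assertion, the client data it
    forwards still names the phishing origin, so the RP rejects it."""
    challenge = hashlib.sha256(b"constructed-per-login-challenge").digest()
    forwarded = client_data_json(challenge, PHISH_ORIGIN)
    return rp_verify(challenge, forwarded, authenticator_data(RP_ID))


if __name__ == "__main__":
    print("genuine login :", login_attempt(RP_ORIGIN))
    print("on AitM page  :", login_attempt(PHISH_ORIGIN))
    print("proxy relay   :", relayed_by_proxy())
```

The two failure paths correspond to the two layers that make the credential phishing-resistant: the browser will not mint an assertion for `login.example` from a page on another domain, and a relying party that checks `origin` and `rpIdHash` rejects anything minted elsewhere. A relayed one-time code has neither property, which is exactly what an AitM kit exploits.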

Organizations should also consider implementing a zero-trust security model, which can limit the impact of AitM attacks by restricting access to sensitive areas of the network even when a session is stolen. Email security best practices and user awareness training, meanwhile, can go a long way toward preventing these attacks by equipping users to recognize social engineering tactics and avoid phishing attempts.

Conclusion

The Sneaky 2FA phishing kit is indicative of a general trend toward Cybercrime-as-a-Service, which allows cybercriminals to launch attacks with less initial investment in money and skill. AitM attacks, which place the attacker between the target and a legitimate interface, are also increasing in popularity because they enable cybercriminals not only to steal targets’ credentials but also to circumvent traditional security measures by stealing live sessions.

Protecting against these attacks is of the utmost importance, and businesses must take proactive security measures to prevent AitM phishing. CISOs and IT security teams must understand how these attacks work and why they are successful in order to implement sufficient security to defend against phishing and mitigate the risks involved.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.