
A new phishing-as-a-service (PhaaS) toolkit, dubbed “Sneaky 2FA,” has been targeting Microsoft 365 accounts since at least October 2024. French cybersecurity firm Sekoia has identified nearly 100 domains hosting its phishing pages, indicating growing adoption among cybercriminals.
Key Features:
– Defeats two-factor authentication (2FA) by relaying the victim's login and 2FA step through an adversary-in-the-middle proxy and capturing the resulting session, rather than breaking the second factor itself
– Sold through Telegram for $200/month
– Delivered as obfuscated source code tied to a license key
– Employs advanced anti-bot and anti-analysis measures
– Uses Cloudflare Turnstile challenges
– Redirects visitors it classifies as bots or analysts (for example, traffic from datacenter, proxy or VPN ranges) to Wikipedia pages instead of serving the phishing page
Attack Method:
The campaign sends fake payment-receipt emails containing QR codes that lead victims to fraudulent Microsoft authentication pages. These pages, hosted on compromised WordPress sites and other attacker-controlled infrastructure, pre-fill the victim's email address in the sign-in form to appear legitimate and use blurred screenshots of Microsoft pages as backgrounds to deceive users.
Technical Implementation:
– Phishing pages only function while the kit's license check against the operator's server succeeds, so unlicensed copies stop working
– Uses hardcoded User-Agent strings that change between steps of the authentication flow, unlike a real browser, which keeps one User-Agent throughout
– Contains code similarities to W3LL Panel phishing kit
– Implements adversary-in-the-middle (AitM) techniques
Security researchers note that some cybercriminals have migrated from other phishing kits such as Evilginx2 and Greatness to Sneaky 2FA, highlighting its growing prominence in the cybercrime landscape. The kit's User-Agent behaviour is also its weak point for defenders: a legitimate Microsoft 365 sign-in keeps a single User-Agent across its steps, so a User-Agent change between consecutive steps of one authentication, from the same account and source IP within seconds or minutes, is a high-fidelity indicator that the login was relayed through the kit.
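The detection logic that follows is an added example, not code from Sekoia or from the kit. It scans constructed sign-in records shaped like an Entra ID sign-in log export (the field names createdDateTime, userPrincipalName, ipAddress, userAgent and resourceDisplayName, the ten-minute window, and the placeholder User-Agent values are all assumptions for this example; the kit's real strings are not reproduced here) and flags every case where the same account, from the same source IP, presents two different User-Agents within the window, which is the pattern described above.

```python
"""Flag User-Agent changes within one Microsoft 365 sign-in sequence.

Constructed detection example for the Sneaky 2FA pattern described above;
it is not Sekoia's code and not code from the kit itself.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON lines shaped like an Entra ID sign-in log export.
# The field names (createdDateTime, userPrincipalName, ipAddress, userAgent,
# resourceDisplayName) are an assumption for this example, and the User-Agent
# values are placeholders, not the kit's real hardcoded strings.
SAMPLE_LOG = """\
{"createdDateTime": "2025-01-15T09:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "resourceDisplayName": "OfficeHome"}
{"createdDateTime": "2025-01-15T09:00:12Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1", "resourceDisplayName": "OfficeHome"}
{"createdDateTime": "2025-01-15T09:05:00Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.5", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "resourceDisplayName": "OfficeHome"}
{"createdDateTime": "2025-01-15T09:05:20Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.5", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "resourceDisplayName": "Microsoft Graph"}
{"createdDateTime": "2025-01-15T09:10:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.7", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15", "resourceDisplayName": "OfficeHome"}
{"createdDateTime": "2025-01-15T13:00:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "resourceDisplayName": "OfficeHome"}
"""

# The steps of one sign-in normally complete within seconds. A ten-minute
# window (an assumed tuning value) still separates a relayed login from a user
# who genuinely switches devices hours later, as carol does in the sample.
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines sign-in records and attach a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # "Z" suffix is normalised so fromisoformat accepts it on older Pythons.
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def ua_switches(events, window=WINDOW):
    """Return one finding per (account, source IP) pair of consecutive sign-in
    events whose User-Agent differs and which occur within `window` of each other."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["userPrincipalName"], ev["ipAddress"])].append(ev)

    findings = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["userAgent"] != cur["userAgent"] and gap <= window:
                findings.append({
                    "user": user,
                    "ip": ip,
                    "seconds_apart": int(gap.total_seconds()),
                    "from_ua": prev["userAgent"],
                    "to_ua": cur["userAgent"],
                    "resources": [prev["resourceDisplayName"], cur["resourceDisplayName"]],
                })
    return findings


def detect(text=SAMPLE_LOG, window=WINDOW):
    """Convenience wrapper: parse a log export and return the findings."""
    return ua_switches(parse_events(text), window)


if __name__ == "__main__":
    for f in detect():
        print(f"{f['user']} from {f['ip']}: User-Agent changed after "
              f"{f['seconds_apart']}s ({f['from_ua']!r} -> {f['to_ua']!r})")
```

On the constructed sample only alice is flagged: bob keeps one User-Agent across two resources, and carol's change happens four hours later. On real logs, restrict the comparison to browser sign-ins (desktop Office clients legitimately carry their own User-Agents) and enrich with whether the source IP has been seen for that account before, since in the AitM case the IP logged by Microsoft is the relay, not the victim's device.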