Sneaky 2FA: A New Breed of Phishing Kits Targeting Microsoft 365 Accounts

Jan 22, 2025, by Eli Junco


The cybersecurity landscape continues to evolve, and with it, the tactics of threat actors aiming to compromise sensitive information. The latest threat, a phishing kit dubbed "Sneaky 2FA," has caught the attention of researchers for its ability to bypass two-factor authentication (2FA) and steal credentials from Microsoft 365 accounts. This kit, first observed in the wild in December 2024, highlights the persistent ingenuity of cybercriminals and underscores the need for robust defenses.

What is Sneaky 2FA?


French cybersecurity firm Sekoia uncovered the Sneaky 2FA phishing kit while analyzing nearly 100 domains hosting its phishing pages. The kit, marketed as phishing-as-a-service (PhaaS) by the group "Sneaky Log," is available for $200 per month. It includes obfuscated source code that allows threat actors to deploy it independently. Sneaky 2FA primarily targets Microsoft 365 users, aiming to harvest credentials and bypass 2FA protections.


How Sneaky 2FA Works


The phishing campaigns associated with Sneaky 2FA often use payment receipt-themed emails containing malicious PDF attachments. These PDFs feature QR codes that redirect users to phishing pages designed to mimic legitimate Microsoft login screens. To increase their credibility, these pages automatically populate victims' email addresses.

Once a victim enters their credentials, the phishing kit uses an adversary-in-the-middle (AitM) approach to intercept authentication requests and responses. This allows the attackers to capture both the victim's password and their 2FA code in real time. The intercepted session tokens are then used to gain unauthorized access to the victim's account without raising immediate suspicion.

Sneaky 2FA employs several anti-detection techniques, including:

  • Anti-bot measures: Traffic filtering and Cloudflare Turnstile challenges to ensure only genuine users are targeted.
  • Developer tool resistance: Techniques to detect and resist analysis attempts via web browser developer tools.
  • Redirection to legitimate content: Victims using suspicious IP addresses are sent to legitimate Microsoft-related Wikipedia pages, earning the kit the nickname "WikiKit."


The AitM Connection and PhaaS Model

What is Phishing as a Service?

This is a business where cybercriminals sell tools and services to help others launch phishing attacks. These services include fake websites, phishing email templates, and even guides on how to trick people into giving up sensitive information like passwords or credit card details.



Sneaky 2FA operates as an adversary-in-the-middle (AitM) phishing tool, relaying authentication requests between victims and legitimate services to intercept login credentials and 2FA codes. It shares similarities with previously known kits like Evilginx2 and Greatness, suggesting an evolution in phishing technology. The subscription-based licensing model ensures only authorized customers can use the kit, with regular checks against a central server.
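The relay described above works because a password and a one-time code are the same bytes no matter which page the user typed them into. The hardware-key recommendation later on this page works for the opposite reason: a FIDO2/WebAuthn assertion is signed over the origin the browser is actually on, so a relayed challenge signed on a look-alike domain is rejected by the real service. The following simulation is an added example, not code from the original post, from Sekoia, or from any real kit; the relying-party values (`RP_ID`, `EXPECTED_ORIGIN`, the look-alike `PHISHING_ORIGIN`) are constructed, and HMAC stands in for the key's asymmetric signature so the example runs on the standard library.

```python
import hashlib
import hmac
import json
import os

# Assumed relying party (RP) values for this example; not from the original post.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example.net"   # constructed look-alike origin


class ToyAuthenticator:
    """Stand-in for a FIDO2 security key.

    A real key signs with a per-credential private key and the RP verifies with
    the public key. HMAC over a shared secret is used here only so the example
    runs on the standard library; the origin-binding logic is unchanged.
    """

    def __init__(self):
        self.secret = os.urandom(32)

    def get_assertion(self, rp_id, client_data_json):
        # authenticatorData begins with SHA-256(rpId); the key signs
        # authenticatorData || SHA-256(clientDataJSON).
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, to_sign, "sha256").digest()


def browser_get_assertion(authenticator, origin, challenge):
    """What the browser does on navigator.credentials.get().

    The browser, not the web page, writes the origin it is actually on into
    clientDataJSON and derives the rpId from that origin (simplified here to
    the host). A proxied phishing page cannot alter either value.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    rp_id = origin.split("://", 1)[1].split("/", 1)[0]
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(authenticator, challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order a WebAuthn server performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:                        # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash check
        return False
    expected = hmac.new(
        authenticator.secret,
        auth_data + hashlib.sha256(client_data).digest(),
        "sha256",
    ).digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(origin):
    """Return True if an assertion produced on `origin` is accepted by the RP.

    With an AitM relay the challenge reaching the user is the real one, but the
    user's browser is on the phishing origin, so the signed clientData names
    that origin and verification fails.
    """
    key = ToyAuthenticator()
    challenge = os.urandom(16).hex()   # issued by the real RP, relayed unchanged
    client_data, auth_data, sig = browser_get_assertion(key, origin, challenge)
    return rp_verify(key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("legitimate origin accepted:", login_attempt(EXPECTED_ORIGIN))
    print("phished origin accepted:   ", login_attempt(PHISHING_ORIGIN))
```

The second call fails on the origin check before any signature is examined, which is the property that makes security keys (and passkeys) "phishing-resistant" in the sense used in the defenses below; SMS or app-generated codes carry no such binding and relay cleanly.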


Protecting Against Sneaky 2FA


As phishing kits like Sneaky 2FA grow more sophisticated, businesses must take proactive measures to protect themselves. Below are actionable strategies to help avoid falling victim to such threats:

  • Educate Employees: Provide regular training to help employees recognize phishing attempts, including suspicious links and QR codes.
  • Implement Robust Email Security: Use advanced email filtering solutions to block phishing emails before they reach users' inboxes.
  • Enable Advanced Authentication: Transition to phishing-resistant MFA options, such as hardware security keys or biometrics, rather than SMS-based 2FA.
  • Update Software and Plugins: Regularly patch WordPress sites and other web assets to prevent their exploitation in phishing campaigns.
  • Utilize Network Monitoring: Monitor traffic for unusual activity, such as redirects to external domains or unauthorized login attempts.
  • Verify Suspicious Communications: Encourage employees to confirm the legitimacy of emails or requests with IT departments or other trusted sources.
  • Restrict Access to External Domains: Use firewalls to block access to malicious domains and regions commonly associated with phishing activity.
  • Foster a Cybersecurity Culture: Promote awareness and vigilance across the organization to ensure everyone understands their role in preventing breaches.
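The session-token reuse described earlier (the kit completes MFA through the victim's browser, then the captured session is used from the attacker's own infrastructure) leaves a trace that the network-monitoring recommendation above can act on: a successful MFA-backed sign-in followed, within minutes, by activity on the same session from a different IP address and often a different country. The detector below is an added example, not from the original post or from Sekoia. It runs over constructed sign-in events whose field names (`user`, `session`, `mfa`, and so on) are simplified assumptions rather than the exact Entra ID sign-in log schema; the IP addresses are documentation ranges.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in events, loosely modelled on Entra ID sign-in logs.
# The field names are simplified assumptions, not the exact Microsoft schema.
SAMPLE_SIGNINS = """
{"time": "2025-01-10T09:00:00Z", "user": "alice@example.com", "ip": "203.0.113.5", "country": "FR", "session": "S1", "result": "success", "mfa": true}
{"time": "2025-01-10T09:02:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "NL", "session": "S9", "result": "failure", "mfa": false}
{"time": "2025-01-10T09:04:00Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "NL", "session": "S1", "result": "success", "mfa": false}
{"time": "2025-01-10T09:10:00Z", "user": "bob@example.com", "ip": "203.0.113.9", "country": "FR", "session": "S2", "result": "success", "mfa": true}
{"time": "2025-01-10T09:12:00Z", "user": "bob@example.com", "ip": "203.0.113.9", "country": "FR", "session": "S2", "result": "success", "mfa": false}
{"time": "2025-01-10T08:00:00Z", "user": "carol@example.com", "ip": "192.0.2.10", "country": "US", "session": "S3", "result": "success", "mfa": true}
{"time": "2025-01-10T13:00:00Z", "user": "carol@example.com", "ip": "192.0.2.44", "country": "US", "session": "S3", "result": "success", "mfa": false}
"""

# How soon after the MFA-backed sign-in a new-IP reuse is considered suspicious.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_signins(text):
    """Parse newline-delimited JSON events and convert their timestamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_session_replays(events, window=REPLAY_WINDOW):
    """Flag sessions reused from a new IP shortly after an MFA-backed sign-in.

    Only successful events are considered: a failed attempt has no session
    that could be replayed. Severity is raised when the country also changes.
    """
    by_session = {}
    for ev in events:
        if ev["result"] == "success":
            by_session.setdefault((ev["user"], ev["session"]), []).append(ev)

    findings = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        anchor = None  # most recent event in this session that satisfied MFA
        for ev in evs:
            if ev["mfa"]:
                anchor = ev
                continue
            if anchor is None:
                continue
            gap = ev["time"] - anchor["time"]
            if ev["ip"] != anchor["ip"] and gap <= window:
                findings.append({
                    "user": user,
                    "session": session,
                    "from_ip": anchor["ip"],
                    "to_ip": ev["ip"],
                    "minutes_after_mfa": int(gap.total_seconds() // 60),
                    "severity": "high" if ev["country"] != anchor["country"] else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_session_replays(parse_signins(SAMPLE_SIGNINS)):
        print(finding)
```

On the sample data only alice's session is flagged: bob's second event comes from the same IP, and carol's second IP appears five hours later, outside the window. In production the same logic keys on the real session or token identifier your identity provider exposes, and the window and country comparison are tuning knobs rather than fixed rules; a finding is a trigger to revoke the session and re-verify the user, not proof of compromise on its own.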

These strategies can be difficult to implement on your own. If you feel you could use some assistance, TechHorizon has the tools and expertise to help you get these strategies in place. Partnering with us ensures your organization is equipped to defend against sophisticated phishing campaigns and other cyber threats, allowing you to focus on your core business activities while we handle the complexities of cybersecurity.


Resources

https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html