Introduction
The landscape of cybersecurity threats continues to evolve, with adversaries deploying increasingly sophisticated methods to compromise sensitive information. Among the latest threats, cybersecurity researchers have uncovered a new adversary-in-the-middle (AitM) phishing kit, aptly named Sneaky 2FA. This kit targets Microsoft 365 accounts, aiming to steal credentials and two-factor authentication (2FA) codes. First detected in the wild by French cybersecurity firm Sekoia in December 2024, Sneaky 2FA has demonstrated its effectiveness and growing adoption among cybercriminals.
The Mechanics of Sneaky 2FA
The Sneaky 2FA phishing kit, marketed as a phishing-as-a-service (PhaaS) offering, is sold by the cybercrime group “Sneaky Log” via a dedicated bot on Telegram. Subscribers gain access to an obfuscated version of the source code, enabling them to deploy the kit independently. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified, indicating moderate adoption among threat actors.
The phishing campaigns typically lure victims with fake payment receipt emails containing QR codes. Scanning these codes redirects users to counterfeit Microsoft authentication pages designed to harvest credentials and bypass 2FA protections.
Techniques and Tactics
Sneaky 2FA employs advanced techniques to enhance its efficacy and evade detection:
Infrastructure Hosting: The phishing pages are hosted on compromised WordPress sites and other attacker-controlled domains. These pages often autofill the victim’s email address, adding a layer of legitimacy.
Anti-Analysis Features: The kit uses traffic filtering, Cloudflare Turnstile challenges, and other measures to block bots and analysis tools, so that only the intended human victims reach the credential-harvesting pages.
Redirection Mechanism: Visitors identified as bots, proxies, or users from data centers are redirected to Microsoft-related Wikipedia pages via the href[.]li service, a behavior that earned the phishing kit the alias “WikiKit.”
Connections to Previous Threats
Further analysis has linked Sneaky 2FA to the W3LL Store, a phishing syndicate previously exposed in 2023. The W3LL Store was responsible for creating the W3LL Panel, a phishing kit targeting business email compromise (BEC). Similarities in their AitM relay implementation suggest that Sneaky 2FA may share elements with the W3LL Panel, though it operates independently.
Interestingly, some Sneaky 2FA domains were previously associated with other AitM phishing kits, such as Evilginx2 and Greatness. This overlap implies that some cybercriminals are transitioning to Sneaky 2FA for its enhanced features and effectiveness.
Licensing and Pricing
Sneaky 2FA is sold under a subscription model, priced at $200 per month. Customers must maintain a valid license key, as the phishing kit’s central server checks for active subscriptions. This licensing model mirrors the approach used by W3LL Panel and underscores the professionalization of cybercrime services.
Detection Challenges
One of the unique aspects of Sneaky 2FA is its use of hardcoded User-Agent strings during the authentication process. These strings change depending on the step of the authentication flow, a behavior atypical of legitimate user interactions. This anomaly offers a potential avenue for high-fidelity detection, as it deviates from standard authentication scenarios.
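To make the detection idea above concrete, here is an added Python sketch (example code written for this page, not code from the original report or from Sekoia) that groups sign-in events by session and flags any session whose User-Agent string changes between authentication steps. The log field names, the session grouping, the step names and every User-Agent value are constructed assumptions, not the schema or data of any real product.

```python
"""Flag sign-in sessions whose User-Agent changes between authentication steps.

Added example, not code from the original report. Field names (session_id,
user, step, user_agent) and all sample values are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events in the shape of a simplified sign-in log.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Legitimate flow: the same browser UA is seen at every step.
    {"session_id": "s-001", "user": "alice@example.com", "step": "password",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"session_id": "s-001", "user": "alice@example.com", "step": "mfa",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"session_id": "s-001", "user": "alice@example.com", "step": "token",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    # Suspicious flow: a different hardcoded UA at each step (constructed).
    {"session_id": "s-002", "user": "bob@example.com", "step": "password",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"},
    {"session_id": "s-002", "user": "bob@example.com", "step": "mfa",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"},
    {"session_id": "s-002", "user": "bob@example.com", "step": "token",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"},
]

# Assumed order of the steps in one authentication flow.
STEP_ORDER = {"password": 0, "mfa": 1, "token": 2}


def group_by_session(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket events by session_id and sort each bucket into flow order."""
    sessions: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for event in events:
        sessions[event["session_id"]].append(event)
    for session_events in sessions.values():
        session_events.sort(key=lambda e: STEP_ORDER.get(e["step"], 99))
    return sessions


def ua_switches(session_events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (from_step, to_step) pairs at which the User-Agent changed."""
    switches = []
    for prev, cur in zip(session_events, session_events[1:]):
        if prev["user_agent"] != cur["user_agent"]:
            switches.append((prev["step"], cur["step"]))
    return switches


def find_suspicious_sessions(events: List[Dict[str, str]], min_switches: int = 1) -> Dict[str, dict]:
    """Return a finding per session with at least min_switches UA changes."""
    findings: Dict[str, dict] = {}
    for session_id, session_events in group_by_session(events).items():
        switches = ua_switches(session_events)
        if len(switches) >= min_switches:
            findings[session_id] = {
                "user": session_events[0]["user"],
                "switches": switches,
                "distinct_user_agents": len({e["user_agent"] for e in session_events}),
            }
    return findings


if __name__ == "__main__":
    for session_id, finding in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"{session_id} {finding['user']}: "
              f"{finding['distinct_user_agents']} user agents, switches={finding['switches']}")
```

A User-Agent change inside a single sign-in flow is an indicator, not proof: browser extensions, in-app web views and some proxies can also alter the header, so raise the `min_switches` threshold or require a change of browser family before paging anyone, and correlate the finding with the source IP and the sign-in outcome before acting on it.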
Conclusion
The emergence of Sneaky 2FA highlights the ongoing evolution and sophistication of phishing threats. By targeting Microsoft 365 accounts and leveraging advanced evasion techniques, this PhaaS offering poses a significant risk to organizations and individuals alike. Cybersecurity professionals must remain vigilant, implementing robust detection mechanisms and educating users to recognize and avoid such threats. As the threat landscape continues to expand, collaborative efforts between researchers and security teams are crucial to mitigating the impact of phishing campaigns like Sneaky 2FA.