Sneaky 2FA: Researchers Uncovered A New Credential Theft Scheme.

Microsoft 365 Has Found Itself In The Crosshairs Of A New Hacking Tool.

From SecurityLab.

Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing tool that targets Microsoft 365 accounts and is capable of stealing credentials and two-factor authentication (2FA) codes. This tool, called Sneaky 2FA, has been actively used since October 2024.

The French company Sekoia first detected activity from this phishing kit in December and identified about 100 domains associated with its use. This moderate level of distribution indicates that the tool is in demand among cybercriminals.

Sneaky 2FA is distributed as a service using the Phishing as a Service (PhaaS) model through the Sneaky Log service running on Telegram. Buyers receive an obfuscated version of the source code with a license, which allows them to independently deploy the tool for phishing attacks.

One attack scheme involves sending emails containing false payment receipts. Recipients are asked to open PDF attachments containing QR codes that, when scanned, redirect to fake authentication pages.

Sekoia reports that such pages are hosted on compromised infrastructure, often WordPress sites, or on other attacker-managed domains. To increase credibility, the fake pages automatically populate the victim's email address. The kit also shields itself from analysis tools and bots using techniques such as traffic filtering and Cloudflare Turnstile challenges.

An interesting detail is that visitors with suspicious IP addresses (for example, from cloud data centers or VPN exit nodes) are redirected to a Microsoft-related Wikipedia page instead of the phishing content. TRAC Labs researchers have dubbed this technique WikiKit.

To deceive users, the tool uses blurred images that copy Microsoft interfaces, creating the illusion of authenticity. Server-side license checks ensure the kit only works for customers with an active key, which costs $200 per month.

It was also discovered that Sneaky 2FA may be linked to the well-known W3LL Panel phishing kit previously disclosed by Group-IB. A similar licensing model and similar data exfiltration features indicate that these tools are related.

Additionally, it was revealed that several Sneaky 2FA domains were previously used with other known phishing kits, such as Evilginx2 and Greatness. This confirms that some cybercriminals have moved to the new service.

Sekoia also flags unusual transitions between User-Agent strings during the authentication process as a way to detect Sneaky 2FA usage. This rare pattern distinguishes the tool from legitimate sign-ins and allows analysts to identify attacks.
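As an added illustration of that detection idea (example code written for this page, not Sekoia's detection logic or the kit's own code), the script below groups constructed sample sign-in events by session and flags any session in which the User-Agent family changes between authentication steps; the event layout, field names and sample values are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication events (illustrative, not real tenant data).
# Each entry is one step of a sign-in flow: (timestamp, session id, user, step, User-Agent).
# In a normal browser sign-in the User-Agent stays constant across steps; a relay
# sitting between victim and service may present a different one at a later step.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:01Z", "sess-a", "alice@example.com", "username",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("2025-01-10T09:00:04Z", "sess-a", "alice@example.com", "password",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("2025-01-10T09:00:09Z", "sess-a", "alice@example.com", "mfa",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("2025-01-10T09:05:00Z", "sess-b", "bob@example.com", "username",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("2025-01-10T09:05:03Z", "sess-b", "bob@example.com", "password",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"),
    ("2025-01-10T09:05:07Z", "sess-b", "bob@example.com", "mfa",
     "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"),
]


def ua_family(ua: str) -> Tuple[str, str]:
    """Reduce a User-Agent to (OS family, browser family) so that harmless version
    drift is ignored while a real platform or browser switch is still caught.
    Browser markers are checked in an order that handles substrings correctly
    (Edge and Chrome UAs both contain 'Safari')."""
    os_fam = next((o for o in ("Windows", "Macintosh", "Linux", "Android", "iPhone") if o in ua), "other")
    browser = next((b for b in ("Firefox", "Edg", "Chrome", "Safari") if b in ua), "other")
    return os_fam, browser


def find_ua_transitions(events) -> Dict[str, List[dict]]:
    """Return, per session, every step boundary at which the User-Agent family changed."""
    by_session = defaultdict(list)
    for ts, sess, user, step, ua in events:
        by_session[sess].append((ts, user, step, ua))
    findings: Dict[str, List[dict]] = {}
    for sess, rows in by_session.items():
        rows.sort()  # order the steps of one session by timestamp
        for prev, cur in zip(rows, rows[1:]):
            if ua_family(prev[3]) != ua_family(cur[3]):
                findings.setdefault(sess, []).append({
                    "user": cur[1], "from_step": prev[2], "to_step": cur[2],
                    "from_ua": prev[3], "to_ua": cur[3]})
    return findings


if __name__ == "__main__":
    for sess, hits in find_ua_transitions(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"{sess} {h['user']}: UA changed between {h['from_step']} and {h['to_step']}")
```

In practice the same grouping is applied to the tenant's sign-in logs with the session identifier the logging source provides.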