Sneaky 2FA: The Rise of AiTM Phishing-as-a-Service Attacks

Summary

In December 2024, researchers identified a new Adversary-in-the-Middle (AiTM) phishing kit named Sneaky 2FA, targeting Microsoft 365 accounts. This kit, active since at least October 2024, is offered as a Phishing-as-a-Service (PhaaS) by the cybercrime operation "Sneaky Log" via a Telegram bot. Sneaky 2FA’s phishing campaigns employ obfuscated HTML and JavaScript, anti-bot mechanisms, and traffic filtering techniques to evade detection.

The kit includes source code adapted from the W3LL OV6 phishing kit and uses sophisticated methods such as email prefill, anti-debugging, and blurred background images to deceive victims. It integrates directly with the Microsoft 365 API to execute authentication steps, enabling attackers to harvest credentials and bypass two-factor authentication (2FA).

The Sneaky Log operation automates the sale and support of its phishing tools, including the Sneaky 2FA kit, through a Telegram bot, offering flexible subscription plans and cryptocurrency payment options. The operation uses fresh blockchain addresses for Bitcoin and Litecoin payments and relies on established addresses for Ethereum and Tether, potentially leveraging cryptocurrency laundering services. The phishing kit’s pricing is competitive with similar services, and its automation, obfuscation techniques, and operational sophistication highlight the growing complexity of cybercrime ecosystems. Researchers predict that evolving privacy policies may push such operations to alternative platforms in the future.

Technical Detail

In December 2024, Sekoia.io identified a new Adversary-in-the-Middle (AiTM) phishing kit named Sneaky 2FA, targeting Microsoft 365 accounts. Active since at least October 2024, this kit operates as Phishing-as-a-Service (PhaaS) through a Telegram bot called Sneaky Log. Customers purchase obfuscated source code to deploy phishing campaigns, typically hosted on compromised infrastructure like WordPress sites.

Capabilities of Sneaky 2FA

  1. URL Patterns and Autograb: Phishing URLs include victims' email addresses as parameters, either in plaintext or Base64-encoded, which auto-populates the email field on fake Microsoft login pages.

  2. Anti-Bot Features: It employs Cloudflare Turnstile to verify human interaction and incorporates anti-debugging and obfuscation techniques, including junk data, encoded HTML, and embedded images.

  3. Traffic Filtering: Visitors from non-targeted IPs (e.g., bots, VPNs) are redirected to benign Wikipedia pages to evade detection.

  4. Fake Authentication Pages: Victims interact with convincingly replicated Microsoft login pages; blurred Microsoft-themed backgrounds add to their credibility.
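The "autograb" URL pattern in item 1 is something a defender can check for in proxy or mail-gateway URL logs. The following is an added example, not code from the original article or from Sekoia.io's research: it scans every query parameter, path segment and fragment of a URL for an email address, either in plaintext or Base64-encoded (standard or URL-safe alphabet, with missing padding tolerated). Parameter names, the sample URLs and the minimum candidate length are assumptions made for this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Loose RFC-5322-style address check; good enough to recognise a prefilled login name.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Plain Base64 tokens shorter than this cannot hold a realistic address; assumption.
MIN_B64_LEN = 8


def _try_base64(value: str):
    """Return the decoded text if value is plausible Base64 (standard or URL-safe), else None."""
    # parse_qsl turns a literal '+' into a space; in a Base64 context a space can only
    # have been a '+', so restore it before validating the alphabet.
    token = value.strip().replace(" ", "+")
    if len(token) < MIN_B64_LEN or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", token):
        return None
    padded = token + "=" * (-len(token) % 4)  # kits often drop the '=' padding
    try:
        # urlsafe_b64decode maps '-'/'_' to '+'/'/' and still accepts the standard alphabet.
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_prefilled_emails(url: str) -> list[dict]:
    """Scan query parameters, path segments and the fragment of url for a victim email."""
    parts = urlsplit(url)
    candidates = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append((f"query:{name}", value))
    for segment in parts.path.split("/"):
        if segment:
            candidates.append(("path", unquote(segment)))
    if parts.fragment:
        candidates.append(("fragment", unquote(parts.fragment)))

    hits = []
    for where, value in candidates:
        if EMAIL_RE.match(value):
            hits.append({"where": where, "encoding": "plaintext", "email": value})
            continue
        decoded = _try_base64(value)
        if decoded and EMAIL_RE.match(decoded):
            hits.append({"where": where, "encoding": "base64", "email": decoded})
    return hits


# Constructed sample URLs (example.test is a reserved name; no real phishing page).
SAMPLE_URLS = [
    "https://example.test/login/?email=victim@example.org",
    "https://example.test/login/?e=dmljdGltQGV4YW1wbGUub3Jn",   # Base64 of victim@example.org
    "https://example.test/dmljdGltQGV4YW1wbGUub3Jn/",            # same, as a path segment
    "https://en.wikipedia.org/wiki/Phishing",                    # benign redirect target
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", find_prefilled_emails(u) or "no prefilled address")
```

In practice a hit on its own is weak evidence, since many legitimate services also carry a login hint in the URL; it is most useful as an enrichment that raises the priority of a URL already flagged by reputation or by a newly registered or compromised domain.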

Attack Workflow

The phishing process starts with a Cloudflare Turnstile challenge. Once passed, victims are redirected to fake Microsoft authentication pages. User credentials, including two-factor authentication (2FA) methods (e.g., SMS or authenticator apps), are captured and relayed to the phishing server. The server mimics legitimate communication with Microsoft APIs to finalize authentication and redirect victims to genuine Microsoft URLs, masking the compromise.

Technical Analysis

Server-Side Communications: Unlike other kits that proxy traffic, Sneaky 2FA interacts directly with Microsoft APIs. Its requests carry inconsistent User-Agent values across the steps of the authentication flow; although intended to avoid detection, this inconsistency is itself an artifact that can be used to identify malicious requests.

Code Origins: The kit borrows components from the W3LL OV6 phishing kit, particularly for Microsoft authentication relay functionality, and reuses W3LL’s blurred Microsoft-themed images.

Obfuscation and Evasion: Techniques include JavaScript and HTML obfuscation, anti-debugging methods, and traffic redirection. These features hinder security analysis and increase the kit's effectiveness.

Operations and Monetization

The Sneaky Log Telegram bot automates sales, licensing, and support. The kit is sold at $200/month, with discounts for longer subscriptions. Payments are handled through cryptocurrencies, using mechanisms that complicate tracking, such as fresh wallet addresses and possible laundering services. Sneaky Log’s bot also manages ticketed support, mirroring professional software operations.

This campaign highlights the increasing sophistication of PhaaS platforms, combining technical precision with streamlined operations to enable widespread phishing at scale.

Recommendation

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:

  1. Implement robust email filtering solutions to detect and block phishing attempts. Provide adequate training to employees to recognize phishing and report suspicious links.

  2. Opt for phishing-resistant MFA methods, such as FIDO2 or hardware security keys, to minimize the risk of session cookie theft and AiTM attacks.

  3. Regularly monitor user account activities for unusual patterns, such as multiple failed login attempts or logins from unfamiliar locations. Establish an incident response plan to quickly contain and mitigate breaches.
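The User-Agent observation from the technical analysis and the monitoring advice in item 3 can both be turned into detection logic over sign-in logs. The following is an added example, not code from the original article or from Sekoia.io's research. It parses constructed JSON-lines sign-in events, flags a (user, source IP) pair whose authentication steps within a short window arrive with more than one User-Agent, and flags successful sign-ins from a country not in the user's known set. The field names, the ten-minute window, the known-location map and the sample events are all assumptions for this example; map them onto your identity provider's real schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sign-in events (JSON lines), not real telemetry. The field names
# are assumptions for this example. IPs come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
{"ts": "2024-12-05T09:14:02", "user": "alice@example.org", "ip": "203.0.113.10", "country": "NL", "step": "password", "result": "success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2024-12-05T09:14:40", "user": "alice@example.org", "ip": "203.0.113.10", "country": "NL", "step": "mfa", "result": "success", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"}
{"ts": "2024-12-05T09:15:05", "user": "alice@example.org", "ip": "203.0.113.10", "country": "NL", "step": "token", "result": "success", "user_agent": "python-requests/2.31"}
{"ts": "2024-12-05T10:02:11", "user": "bob@example.org", "ip": "198.51.100.7", "country": "ID", "step": "password", "result": "success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"}
{"ts": "2024-12-05T10:02:30", "user": "bob@example.org", "ip": "198.51.100.7", "country": "ID", "step": "mfa", "result": "success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"}
{"ts": "2024-12-05T08:00:00", "user": "carol@example.org", "ip": "192.0.2.44", "country": "ID", "step": "password", "result": "success", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2024-12-05T13:30:00", "user": "carol@example.org", "ip": "192.0.2.45", "country": "ID", "step": "password", "result": "success", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1) Safari/604.1"}
"""

# Assumed baseline of countries each user normally signs in from (constructed).
KNOWN_LOCATIONS = {
    "alice@example.org": {"ID"},
    "bob@example.org": {"ID"},
    "carol@example.org": {"ID", "SG"},
}


def parse_events(lines):
    """Parse JSON-lines sign-in events; timestamps become datetime objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_ua_inconsistency(events, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs whose steps within `window` of each other use different User-Agents.

    A real browser keeps one User-Agent for a whole sign-in; a relay that plays the
    steps back-to-back with hardcoded, differing values does not.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user"], ev["ip"])].append(ev)

    findings = []
    for (user, ip), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        agents = set()
        for a, b in combinations(evs, 2):  # sorted, so b["ts"] >= a["ts"]
            if b["ts"] - a["ts"] <= window and a["user_agent"] != b["user_agent"]:
                agents.update((a["user_agent"], b["user_agent"]))
        if agents:
            findings.append({"type": "ua_inconsistency", "user": user, "ip": ip,
                             "user_agents": sorted(agents)})
    return findings


def detect_unfamiliar_location(events, known_locations):
    """Flag successful sign-ins from a country outside the user's known set (one per user/ip/country)."""
    seen, findings = set(), []
    for ev in events:
        if ev["result"] != "success" or ev["country"] in known_locations.get(ev["user"], set()):
            continue
        key = (ev["user"], ev["ip"], ev["country"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({"type": "unfamiliar_location", "user": ev["user"],
                         "ip": ev["ip"], "country": ev["country"]})
    return findings


def triage(lines, known_locations):
    """Run both detections over raw log lines and return the combined findings."""
    events = parse_events(lines)
    return detect_ua_inconsistency(events) + detect_unfamiliar_location(events, known_locations)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines(), KNOWN_LOCATIONS):
        print(json.dumps(finding))
```

On the sample data only alice's session is flagged, on both rules; bob's consistent browser and carol's device change hours apart from a different address produce nothing. Combining the two signals in one alert is the practical point: either alone is noisy (shared NAT, travel), but a single short session that mixes User-Agents and arrives from a new country is a strong indicator that credentials and the MFA step were relayed rather than entered directly.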

Conclusion

Sneaky 2FA, an Adversary-in-The-Middle (AiTM) phishing kit targeting Microsoft 365 accounts, was identified in December 2024. Distributed via a Phishing-as-a-Service model through Telegram, it enables attackers to bypass MFA by harvesting session cookies. With moderate adoption, it has been used in campaigns hosted on around 100 domains. The evolving cybercriminal ecosystem behind AiTM phishing and Business Email Compromise (BEC) attacks highlights the demand for cost-effective and efficient phishing services.

Written by

FPT Metrodata Indonesia