‘Sneaky 2FA’ Phishing Kit Bypasses Microsoft 365 Authentication

Researchers have discovered “Sneaky 2FA,” a phishing kit that has targeted Microsoft 365 accounts since October 2024 to steal credentials and bypass two-factor authentication (2FA) codes.

‘Sneaky 2FA’ Phishing Kit

The “Sneaky 2FA” phishing kit is sold as a phishing-as-a-service (PhaaS) by “Sneaky Log,” operating via a Telegram bot, offering licensed obfuscated code for independent deployment.

Campaigns lure victims with payment receipt emails linking to fake PDFs with QR codes that redirect to phishing pages.

Sekoia reports that Sneaky 2FA phishing pages are hosted on compromised WordPress sites and attacker-controlled domains. These fake login pages auto-fill victims’ email addresses to appear more legitimate.

The kit includes anti-bot measures like traffic filtering, Cloudflare Turnstile challenges, and checks against browser developer tools to evade analysis. Visitors from data centers, proxies, or VPNs are redirected to a Microsoft-related Wikipedia page via href[.]li, earning it the nickname WikiKit.

Additionally, the kit uses blurred Microsoft interface images as backgrounds to trick users into entering their credentials.

Investigations reveal the Sneaky 2FA phishing kit requires a valid subscription, verified through a central server, with licenses priced at $200/month.

References in the source code suggest ties to the W3LL Store phishing group, previously linked to the W3LL Panel phishing kit and to tools for business email compromise. Similarities in the adversary-in-the-middle (AitM) relay features hint that Sneaky 2FA may be derived from W3LL Panel, which also uses a licensing system with server-side checks.

Some Sneaky 2FA domains were linked to older AitM phishing kits like Evilginx2 and Greatness, suggesting some cybercriminals are switching to the new service.

Sekoia researchers noted that the kit uses unusual hardcoded User-Agent strings for different steps of the authentication process. A real user's browser keeps the same User-Agent across a single sign-in, so this behavior is rare in legitimate authentication and produces unrealistic User-Agent transitions, offering a clear detection method for the phishing kit.
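The detection idea above, as an added example that is not from the article or from Sekoia: group sign-in events by their correlation id and flag any flow whose User-Agent jumps between OS or browser families mid-authentication. The event tuples, the step names (`credentials`, `mfa`, `token`) and the User-Agent strings are constructed for illustration; the article does not publish the kit's actual User-Agent values.

```python
from collections import defaultdict

# Constructed sample sign-in events (not from the article or any real tenant).
# Each row: (correlation_id, authentication_step, user_agent).
SAMPLE_EVENTS = [
    # c1: a normal sign-in, same browser on every step
    ("c1", "credentials", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    ("c1", "mfa",         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    ("c1", "token",       "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    # c2: the User-Agent changes OS and browser family between steps of one flow
    ("c2", "credentials", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    ("c2", "mfa",         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Safari/605.1.15"),
    ("c2", "token",       "Mozilla/5.0 (Android 13; Mobile; rv:120.0) Gecko/120.0 Firefox/120.0"),
]

# Ordered substring checks: "android" must precede "linux" (Android UAs also say Linux),
# "edg/" must precede "chrome/", and "chrome/" must precede "safari/".
OS_PATTERNS = [("windows", "Windows"), ("mac os x", "macOS"), ("android", "Android"),
               ("iphone", "iOS"), ("ipad", "iOS"), ("linux", "Linux")]
BROWSER_PATTERNS = [("edg/", "Edge"), ("chrome/", "Chrome"),
                    ("firefox/", "Firefox"), ("safari/", "Safari")]

def ua_fingerprint(user_agent):
    """Reduce a User-Agent string to a coarse (os_family, browser_family) pair."""
    low = user_agent.lower()
    os_family = next((name for key, name in OS_PATTERNS if key in low), "unknown")
    browser = next((name for key, name in BROWSER_PATTERNS if key in low), "unknown")
    return (os_family, browser)

def find_suspicious_flows(events):
    """Return {correlation_id: [(step, fingerprint), ...]} for flows whose
    fingerprint is not constant across the authentication steps."""
    flows = defaultdict(list)
    for correlation_id, step, user_agent in events:
        flows[correlation_id].append((step, ua_fingerprint(user_agent)))
    return {cid: steps for cid, steps in flows.items()
            if len({fp for _, fp in steps}) > 1}

if __name__ == "__main__":
    for cid, steps in find_suspicious_flows(SAMPLE_EVENTS).items():
        print(f"suspicious flow {cid}:")
        for step, fp in steps:
            print(f"  {step:<12} {fp[0]}/{fp[1]}")
```

Version drift within one browser family is collapsed by the coarse fingerprint on purpose; the signal the article describes is the jump between unrelated OS or browser families inside a single flow.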

IoCs

About the Author:

FirstHackersNews- Identifies Security
