Unveiling Sneaky 2FA: A Sophisticated Phishing Kit Targeting Microsoft 365 with Advanced 2FA Bypass
Cybersecurity researchers have uncovered a new adversary-in-the-middle (AitM) phishing kit, named "Sneaky 2FA," designed to compromise Microsoft 365 accounts by stealing credentials and two-factor authentication (2FA) codes.
Active since at least October 2024, this phishing kit was identified in December by the French cybersecurity firm Sekoia, which has detected nearly 100 domains hosting Sneaky 2FA phishing pages, indicating moderate use by threat actors.
The kit, sold as a phishing-as-a-service (PhaaS) by a cybercrime group called "Sneaky Log," is managed via a Telegram bot. Customers receive an obfuscated version of the source code for deployment. Phishing campaigns using this kit typically send fake payment receipt emails containing QR codes in bogus PDF documents. Scanning these codes redirects victims to Sneaky 2FA phishing pages.
The phishing pages, often hosted on compromised WordPress sites and attacker-controlled domains, appear legitimate by pre-filling the victim's email address. Sneaky 2FA employs advanced anti-analysis and anti-bot features, including traffic filtering and Cloudflare Turnstile challenges, to ensure only valid targets reach the credential-harvesting pages. If a visitor's IP address is associated with a data center, cloud provider, bot, proxy, or VPN, the visitor is redirected to a Microsoft-related Wikipedia page via the href[.]li service, a behavior that earned the kit the nickname "WikiKit."
Sneaky 2FA relies on a subscription model, with operators confirming the validity of license keys through a central server. The service is priced at $200 per month. Researchers discovered connections between Sneaky 2FA and the W3LL Store phishing syndicate, known for its W3LL Panel phishing kit and tools used in business email compromise (BEC) attacks. Despite code similarities, Sneaky 2FA is not a direct successor to W3LL Panel, as the latter remains active and independently developed.
Interestingly, some domains associated with Sneaky 2FA were previously linked to other AitM phishing kits like Evilginx2 and Greatness, suggesting that some cybercriminals have transitioned to this new service.
The phishing kit also sends unusual User-Agent strings during the authentication steps, strings that do not match what a real user's browser would present. Because this trait is rare in legitimate sign-in traffic, it provides a reliable signal for detecting the kit in action.
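As an added example (not code from Sekoia's report or from the kit itself), the following defender-side check walks constructed sign-in records and flags the User-Agent anomalies the article describes: a non-browser User-Agent at an authentication step, and a User-Agent that changes between steps of one session. The log field names and the two heuristics are this example's own assumptions, not a published detection rule.

```python
import json
import re
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry): one record per
# authentication step, grouped by a session correlation id. The field names
# are this example's own, not any particular product's log schema.
SAMPLE_LOG = """
{"session": "s1", "step": "password", "user": "a@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"session": "s1", "step": "mfa", "user": "a@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"session": "s2", "step": "password", "user": "b@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"session": "s2", "step": "mfa", "user": "b@example.com", "ua": "python-requests/2.31.0"}
{"session": "s3", "step": "password", "user": "c@example.com", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"}
{"session": "s3", "step": "mfa", "user": "c@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
"""

# Crude shape of a mainstream browser User-Agent: "Mozilla/5.0 (...)" followed
# by an engine token. Tune the allowlist to your own baseline of real traffic.
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(.+\) .*(AppleWebKit|Gecko|Trident)")


def is_browser_like(ua: str) -> bool:
    """Return True when the User-Agent looks like a real browser."""
    return bool(BROWSER_UA.search(ua))


def analyze(log_text: str) -> dict:
    """Return {session_id: [finding, ...]} for sessions with suspicious UAs."""
    steps = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        steps[event["session"]].append(event)

    findings = {}
    for sid, events in steps.items():
        notes = []
        # Heuristic 1: a tooling-style UA at any authentication step.
        for event in events:
            if not is_browser_like(event["ua"]):
                notes.append(f"non-browser user agent at step '{event['step']}': {event['ua']}")
        # Heuristic 2 (assumption): a real user's browser keeps one UA
        # across the steps of a single sign-in session.
        if len({event["ua"] for event in events}) > 1:
            notes.append("user agent changed between authentication steps")
        if notes:
            findings[sid] = notes
    return findings


if __name__ == "__main__":
    for sid, notes in analyze(SAMPLE_LOG).items():
        print(sid, notes)
```

In practice the same two checks run over your identity provider's sign-in logs, with the regular-expression baseline replaced by the User-Agents your organization actually observes.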