By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Viral Trending contentViral Trending content
  • Home
  • World News
  • Politics
  • Sports
  • Celebrity
  • Business
  • Crypto
  • Gaming News
  • Tech News
  • Travel
Reading: New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass
Notification Show More
Viral Trending contentViral Trending content
  • Home
  • Categories
    • World News
    • Politics
    • Sports
    • Celebrity
    • Business
    • Crypto
    • Tech News
    • Gaming News
    • Travel
  • Bookmarks
© 2024 All Rights reserved | Powered by Viraltrendingcontent
Viral Trending content > Blog > Tech News > New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass
Tech News

New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass

By Viral Trending Content 6 Min Read
Share
SHARE

Jan 17, 2025Ravie LakshmananCybersecurity / Threat Intelligence

Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that’s capable of Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024.

The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors.

“This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service ‘Sneaky Log,’ which operates through a fully-featured bot on Telegram,” the company said in an analysis. “Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently.”

Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing QR code that, upon scanning, redirects them to Sneaky 2FA pages.

Cybersecurity

Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim’s email address to elevate their legitimacy.

The kit also boasts of several anti-bot and anti-analysis measures, employing techniques like traffic filtering and Cloudflare Turnstile challenges to ensure that only victims who meet certain criteria are directed to the credential harvesting pages. It further runs a series of checks to detect and resist analysis attempts using web browser developer tools.

A notable aspect of the PhaaS is that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page using the href[.]li redirection service. This behavior has led TRAC Labs to give it the name WikiKit.

“The Sneaky 2FA phishing kit employs several blurred images as the background for its fake Microsoft authentication pages,” Sekoia explained. “By using screenshots of legitimate Microsoft interfaces, this tactic is intended to deceive users into authenticating themselves to gain access to the blurred content.”

Further investigation has revealed that the phishing kit relies on a check with a central server, likely the operator, that makes sure that the subscription is active. This indicates that only customers with a valid license key can use Sneaky 2FA to conduct phishing campaigns. The kit is advertised for $200 per month.

That’s not all. Source code references have also been unearthed pointing to a phishing syndicate named W3LL Store, which was previously exposed by Group-IB in September 2023 as behind a phishing kit called W3LL Panel and various tools for conducting business email compromise (BEC) attacks.

This, along with similarities in the AitM relay implementation, has also raised the possibility that Sneaky 2FA may be based on the W3LL Panel. The latter also operates under a similar licensing model that requires periodic checks with a central server.

Cybersecurity

Sekoia researcher Grégoire Clermont told The Hacker News that despite these overlaps, Sneaky 2FA cannot be considered a successor to W3LL Panel, as the threat actors behind the latter are still actively developing and selling their own phishing kit.

“Sneaky 2FA is a new kit that reused a few bits of code from W3LL OV6,” Clermont said. “That source code is not very difficult to obtain as customers of the service receive an archive of obfuscated code to host on their own servers. Several desobfuscated/cracked versions of W3LL have been circulated in the past years.”

In an interesting twist, some of the Sneaky 2FA domains were previously associated with known AitM phishing kits, such as Evilginx2 and Greatness – an indication that at least a few cyber criminals have migrated to the new service.

“The phishing kit uses different hardcoded User-Agent strings for the HTTP requests depending on the step of the authentication flow,” Sekoia researchers said. “This behavior is rare in legitimate user authentication, as a user would have to perform successive steps of the authentication from different web browsers.”

“While User-Agent transitions occasionally happen in legitimate situations (e.g., authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the specific sequence of User-Agents used by Sneaky 2FA does not correspond to a realistic scenario, and offers a high-fidelity detection of the kit.”

(The story was updated after publication to include additional responses from Sekoia.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

You Might Also Like

Android 16 Security Measures: Identity Check and Advanced Protection

White House Staffers Couldn’t Care Less About the East Wing Demolition

CISA warns of Lanscope Endpoint Manager flaw exploited in attacks

North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets

Geotab survey reveals 90% of Irish van and lorry drivers ready to embrace in-cab AI coaching

TAGGED: CloudFlare, Cyber Security, Cybersecurity, Internet, Microsoft 365, phishing, Telegram, Threat Intelligence, two-factor authentication, WordPress
Share This Article
Facebook Twitter Copy Link
Previous Article ESET Research discovers UEFI Secure Boot bypass vulnerability
Next Article Middle East latest: Gaza ceasefire sets in motion release of 3 Israeli hostages
Leave a comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

- Advertisement -
Ad image

Latest News

Arsenal star Oleksandr Zinchenko in tears as he's forced off injured for Nottingham Forest
Sports
Is Ripple About To Overtake Ethereum? There Are More XRP Treasury Companies Than You Think
Crypto
Android 16 Security Measures: Identity Check and Advanced Protection
Tech News
Qatar and US warn EU law could threaten energy security as GECF ministers meet
Business
European Parliament rebels against simplified sustainability requirements
World News
United States and European Union Impose Sanctions on Russia
World News
Tariffs have unsettled Colorado’s ag industry; a Trump suggestion adds to uncertainty
Business

About Us

Welcome to Viraltrendingcontent, your go-to source for the latest updates on world news, politics, sports, celebrity, tech, travel, gaming, crypto news, and business news. We are dedicated to providing you with accurate, timely, and engaging content from around the globe.

Quick Links

  • Home
  • World News
  • Politics
  • Celebrity
  • Business
  • Home
  • World News
  • Politics
  • Sports
  • Celebrity
  • Business
  • Crypto
  • Gaming News
  • Tech News
  • Travel
  • Sports
  • Crypto
  • Tech News
  • Gaming News
  • Travel

Trending News

cageside seats

Unlocking the Ultimate WWE Experience: Cageside Seats News 2024

Arsenal star Oleksandr Zinchenko in tears as he's forced off injured for Nottingham Forest

Investing £5 a day could help me build a second income of £329 a month!

cageside seats
Unlocking the Ultimate WWE Experience: Cageside Seats News 2024
May 22, 2024
Arsenal star Oleksandr Zinchenko in tears as he's forced off injured for Nottingham Forest
October 23, 2025
Investing £5 a day could help me build a second income of £329 a month!
March 27, 2024
Brussels unveils plans for a European Degree but struggles to explain why
March 27, 2024
© 2024 All Rights reserved | Powered by Vraltrendingcontent
  • About Us
  • Contact US
  • Disclaimer
  • Privacy Policy
  • Terms of Service
Welcome Back!

Sign in to your account

Lost your password?