New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass

By Viral Trending Content

Jan 17, 2025Ravie LakshmananCybersecurity / Threat Intelligence

Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that’s capable of targeting Microsoft 365 accounts, with the aim of stealing credentials and two-factor authentication (2FA) codes, since at least October 2024.

The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors.

“This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service ‘Sneaky Log,’ which operates through a fully-featured bot on Telegram,” the company said in an analysis. “Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently.”

Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing a QR code that, upon scanning, redirects them to Sneaky 2FA pages.

Sekoia said the phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. The fake authentication pages are designed to automatically populate the victim’s email address to elevate their legitimacy.

The kit also boasts several anti-bot and anti-analysis measures, employing techniques like traffic filtering and Cloudflare Turnstile challenges to ensure that only victims who meet certain criteria are directed to the credential harvesting pages. It further runs a series of checks to detect and resist analysis attempts using web browser developer tools.

A notable aspect of the PhaaS is that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page using the href[.]li redirection service. This behavior has led TRAC Labs to give it the name WikiKit.

“The Sneaky 2FA phishing kit employs several blurred images as the background for its fake Microsoft authentication pages,” Sekoia explained. “By using screenshots of legitimate Microsoft interfaces, this tactic is intended to deceive users into authenticating themselves to gain access to the blurred content.”

Further investigation has revealed that the phishing kit relies on a check with a central server, likely the operator, that makes sure that the subscription is active. This indicates that only customers with a valid license key can use Sneaky 2FA to conduct phishing campaigns. The kit is advertised for $200 per month.

That’s not all. Source code references have also been unearthed pointing to a phishing syndicate named W3LL Store, which was previously exposed by Group-IB in September 2023 as behind a phishing kit called W3LL Panel and various tools for conducting business email compromise (BEC) attacks.

This, along with similarities in the AitM relay implementation, has also raised the possibility that Sneaky 2FA may be based on the W3LL Panel. The latter also operates under a similar licensing model that requires periodic checks with a central server.


Sekoia researcher Grégoire Clermont told The Hacker News that despite these overlaps, Sneaky 2FA cannot be considered a successor to W3LL Panel, as the threat actors behind the latter are still actively developing and selling their own phishing kit.

“Sneaky 2FA is a new kit that reused a few bits of code from W3LL OV6,” Clermont said. “That source code is not very difficult to obtain as customers of the service receive an archive of obfuscated code to host on their own servers. Several deobfuscated/cracked versions of W3LL have been circulated in the past years.”

In an interesting twist, some of the Sneaky 2FA domains were previously associated with known AitM phishing kits, such as Evilginx2 and Greatness – an indication that at least a few cyber criminals have migrated to the new service.

“The phishing kit uses different hardcoded User-Agent strings for the HTTP requests depending on the step of the authentication flow,” Sekoia researchers said. “This behavior is rare in legitimate user authentication, as a user would have to perform successive steps of the authentication from different web browsers.”

“While User-Agent transitions occasionally happen in legitimate situations (e.g., authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the specific sequence of User-Agents used by Sneaky 2FA does not correspond to a realistic scenario, and offers a high-fidelity detection of the kit.”
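The User-Agent inconsistency described above can be hunted for in sign-in logs. The following is an added example, not code from Sekoia or from this article: it groups authentication events by session and flags sessions whose steps came from different browser/OS combinations. The event field names (`session`, `ts`, `step`, `ua`) and the sample User-Agent strings are constructed assumptions; the kit's specific User-Agent sequence is not listed on this page, so this implements the generic "any change between steps" heuristic, and hits should be treated as leads given the legitimate transitions noted above.

```python
from collections import defaultdict

def fingerprint(ua):
    """Reduce a User-Agent to (browser, OS). Token order matters: Edge UAs also
    contain 'Chrome', Chrome UAs contain 'Safari', iPhone UAs contain 'Mac OS X'."""
    browser = next((name for token, name in (
        ("Edg/", "Edge"), ("Firefox/", "Firefox"),
        ("Chrome/", "Chrome"), ("Safari/", "Safari")) if token in ua), "other")
    os_name = next((name for token, name in (
        ("Windows", "Windows"), ("iPhone", "iOS"), ("Android", "Android"),
        ("Mac OS X", "macOS"), ("Linux", "Linux")) if token in ua), "other")
    return browser, os_name

def ua_transitions(events, min_distinct=2):
    """Return {session: [(step, fingerprint), ...]} for sessions whose
    authentication steps used at least `min_distinct` different clients."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append((ev["step"], fingerprint(ev["ua"])))
    return {s: steps for s, steps in by_session.items()
            if len({fp for _, fp in steps}) >= min_distinct}

# Constructed sample data (not real logs, not the kit's actual User-Agents).
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
EDGE_WIN = CHROME_WIN + " Edg/131.0.0.0"
SAFARI_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
              "Mobile/15E148 Safari/604.1")
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"

EVENTS = [
    {"session": "s1", "ts": 1, "step": "password", "ua": CHROME_WIN},
    {"session": "s1", "ts": 2, "step": "mfa", "ua": CHROME_WIN},
    {"session": "s1", "ts": 3, "step": "token", "ua": CHROME_WIN},
    {"session": "s2", "ts": 1, "step": "password", "ua": SAFARI_IOS},
    {"session": "s2", "ts": 2, "step": "mfa", "ua": EDGE_WIN},
    {"session": "s2", "ts": 3, "step": "token", "ua": FIREFOX_LINUX},
]

if __name__ == "__main__":
    for session, steps in ua_transitions(EVENTS).items():
        print(session, " -> ".join(f"{step}:{b}/{o}" for step, (b, o) in steps))
```

Raising `min_distinct` to 3 trades recall for fewer false positives from single desktop-app-to-browser handoffs.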

(The story was updated after publication to include additional responses from Sekoia.)
