A new phishing kit, ominously named “Sneaky 2FA,” has emerged, targeting Microsoft 365 users by bypassing two-factor authentication (2FA) protections. This advanced threat leverages an Adversary-in-the-Middle (AiTM) technique to intercept login credentials and 2FA codes, enabling attackers to gain unauthorized access to accounts.
Operated as a Phishing-as-a-Service (PhaaS) under the alias “Sneaky Log,” the kit enables attackers to launch sophisticated phishing campaigns. Its real-time interception of session cookies allows attackers to gain immediate access to user accounts after 2FA credentials are entered. It uses URLs prefilled with victims’ email addresses to enhance credibility, directing users to fake Microsoft login pages that mirror the real interface. Once credentials and 2FA codes are entered, the attackers use them in real-time to access legitimate accounts before the codes expire.
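The prefilled-address trick described above leaves a usable detection signal: a sign-in URL that already contains the recipient's e-mail address on a host that has no reason to know it. The following is an added example for an e-mail gateway or URL-scanning pipeline; it is not code from the Sekoia report or from any kit. The address pattern, the allowlist of hosts where a prefill is expected (here only `login.microsoftonline.com`, as an assumption for the example) and all sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Loose address pattern, constructed for this example; good enough for triage, not for validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hosts where a prefilled address is expected (for instance a login hint on the genuine sign-in page).
# Constructed allowlist for this example; a real deployment maintains its own.
EXPECTED_PREFILL_HOSTS = {"login.microsoftonline.com"}


def find_prefilled_emails(url):
    """Return the distinct, lower-cased e-mail addresses embedded anywhere in the URL's
    path, query string or fragment, after percent-decoding each part separately."""
    parts = urlsplit(url)
    found = []
    for raw in (parts.path, parts.query, parts.fragment):
        for match in EMAIL_RE.findall(unquote(raw)):
            addr = match.lower()
            if addr not in found:
                found.append(addr)
    return found


def classify_url(url, expected_hosts=EXPECTED_PREFILL_HOSTS):
    """Flag a URL as suspicious when it carries a prefilled address on a host that is not
    expected to receive one. Returns a small verdict dict suitable for a triage pipeline."""
    host = (urlsplit(url).hostname or "").lower()
    emails = find_prefilled_emails(url)
    suspicious = bool(emails) and host not in expected_hosts
    return {"url": url, "host": host, "emails": emails, "suspicious": suspicious}


def triage(urls):
    """Run classify_url over a batch of URLs and return only the suspicious verdicts."""
    return [verdict for verdict in (classify_url(u) for u in urls) if verdict["suspicious"]]


# Constructed sample URLs for the example; none of these are real campaign indicators.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?login_hint=alice%40example.com",
    "https://blog.example.net/wp-content/uploads/verify.html#alice@example.com",
    "https://blog.example.net/wp-content/uploads/login/?e=Bob%40Example.com&r=1",
    "https://news.example.org/article?id=42",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_URLS):
        print(f"SUSPICIOUS {verdict['host']} prefilled with {', '.join(verdict['emails'])}")
```

Each URL part is decoded on its own so that an address hidden in the fragment (which browsers never send to the server, making it a convenient place for a kit to stash the victim's identity) is caught just like one in the query string. The verdict is deliberately a heuristic: a prefilled address on an unexpected host is a reason to look closer, not proof of phishing on its own.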
The sophistication of Sneaky 2FA lies in its use of advanced tools like Cloudflare Turnstile, which differentiates between bots and human users, complicating detection and analysis. Additionally, it intercepts session cookies in real time, enabling seamless access to accounts as though the attackers themselves had authenticated directly. The phishing pages are often hosted on compromised WordPress sites, adding another layer of complexity. Researchers also found code links to W3LL Panel OV6, a known AiTM phishing tool, further demonstrating its advanced capabilities.
Since its discovery in October 2024, Sneaky 2FA has highlighted the limitations of traditional 2FA. While 2FA is an essential security measure, this attack shows how cybercriminals can exploit its real-time nature. For a detailed analysis and recommended mitigation strategies, refer to the original report: Sneaky 2FA – SEKOIA.IO.
For users, vigilance is key. Obviously, avoiding clicking on suspicious links in unsolicited emails, verifying the authenticity of login requests, and enabling additional security measures where available should be encouraged. But as cybercriminals continue to evolve their tactics, Sneaky 2FA serves as a stark reminder that even the most trusted security measures must adapt to the changing threat landscape.