Sneaky 2FA, a phishing-as-a-service (PhaaS) platform specifically designed to target Microsoft 365 accounts, has significantly lowered the technical expertise required for effective phishing attacks.
This advanced adversary-in-the-middle (AiTM) phishing kit bypasses two-factor authentication (2FA) and steals credentials by using a Telegram-based platform and clever obfuscation tactics.
Sneaky 2FA has been active since at least October 2024. French cybersecurity firm Sekoia first detected it in December 2024 during routine threat hunting activities. Cybersecurity researchers have identified one hundred domains hosting these phishing sites, indicating widespread adoption of the kit by threat actors.
Sneaky 2FA’s combination with a Telegram bot known as “Sneaky Log” is what makes it so risky. With the help of this bot, fraudsters can easily manage stolen credentials and obtain the codes needed to bypass two-factor authentication (2FA).
According to an analysis by Sekoia:
This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service ‘Sneaky Log,’ which operates through a fully-featured bot on Telegram. Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently.
Sophisticated Techniques Used in 2FA Bypass Phishing Attacks
Phishing techniques often use emails that appear to be payment receipts to trick recipients into opening fake PDF documents containing QR codes. Upon scanning, these codes direct victims to fraudulent two-factor authentication (2FA) websites.
According to Sekoia, the phishing sites are hosted on compromised infrastructure, primarily WordPress websites and domains controlled by attackers.
Phishing attacks are becoming increasingly sophisticated due to techniques like autograb capability, which adds the victim’s email address to the phishing link and automatically enters it into a fake Microsoft login page. As a result, the page appears more trustworthy.
Attackers use anti-bot and anti-analysis tools, such as Cloudflare Turnstile challenges and traffic filters, to ensure that only legitimate users reach the fake login page, which helps the operation remain undetected.
Attackers also block the use of the browser’s developer tools to investigate the attack. They then hijack the session by capturing session cookies once the victim has completed the 2FA process. By doing this, they bypass 2FA and take control of the victim’s account without triggering any alerts.
The href[.]li redirection service is used to send visitors to a Wikipedia article about Microsoft if their IP address is associated with a data centre, cloud provider, bot, proxy, or VPN. Its unusual activity has led TRAC Labs to identify it as WikiKit.
Investigation revealed that the phishing kit relies on a central server to confirm active subscriptions, which is probably run by the creators. In other words, the Sneaky 2FA tool for phishing campaigns can only be used by users who have a registered license key. The kit is advertised as costing $200 a month to subscribe.
In addition, Sekoia clarified:
The Sneaky 2FA phishing kit employs several blurred images as the background for its fake Microsoft authentication pages. By using screenshots of legitimate Microsoft interfaces, this tactic is intended to deceive users into authenticating themselves to gain access to the blurred content.
Source code references have revealed links to the W3LL Store phishing group. Group-IB previously revealed in September 2023 that W3LL Store was the source of the W3LL Panel phishing kit and other business email compromise (BEC) attack tools.
This discovery, combined with similarities in the AiTM (Adversary-in-the-Middle) relay implementation, suggests that Sneaky 2FA may be influenced by W3LL Panel. Notably, W3LL Panel follows a similar licensing scheme, requiring periodic verification with a central server.
However, Sneaky 2FA cannot be considered a successor to W3LL Panel, as the developers of the latter continue to actively create and sell their phishing kits. Additionally, several of the domains associated with Sneaky 2FA were previously related to well-known AiTM phishing kits such as Evilginx2 and Greatness. This shift suggests that a significant number of cybercriminals have switched to the new service.
Detecting Sneaky 2FA Attacks and Recommendations
Detecting Sneaky 2FA attacks requires careful analysis of authentication logs for anomalies. These phishing kits often use inconsistent User-Agent strings at different authentication steps, producing “impossible device shifts” that may indicate suspicious behaviour.
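As an added illustration of the User-Agent check described above (not code from the article or from Sekoia), the following Python sketch groups constructed sign-in events by correlation id and flags any flow whose steps came from more than one coarse device fingerprint. The event field names and the fingerprint rules are assumptions, not a vendor's log schema.

```python
import re
from collections import defaultdict

# Constructed sample sign-in events (not real telemetry). Each dict models one
# step of a Microsoft 365 sign-in flow; "corr" ties the steps of one flow together.
WIN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
IOS_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")
SAMPLE_EVENTS = [
    {"corr": "a1", "step": "password", "user": "alice@example.com", "ua": WIN_CHROME},
    {"corr": "a1", "step": "mfa",      "user": "alice@example.com", "ua": WIN_CHROME},
    {"corr": "b2", "step": "password", "user": "bob@example.com",   "ua": WIN_CHROME},
    {"corr": "b2", "step": "mfa",      "user": "bob@example.com",   "ua": IOS_SAFARI},
    {"corr": "b2", "step": "token",    "user": "bob@example.com",   "ua": "python-requests/2.31.0"},
]

# Assumed coarse classification rules; order matters (iPhone UAs also say "Mac OS X",
# Android UAs also say "Linux", Chrome UAs also say "Safari").
OS_PATTERNS = [("iPhone|iPad", "iOS"), ("Android", "Android"), ("Windows", "Windows"),
               ("Mac OS X", "macOS"), ("Linux", "Linux")]
BROWSER_PATTERNS = [("Edg/", "Edge"), ("Chrome/", "Chrome"), ("Firefox/", "Firefox"),
                    ("Safari/", "Safari")]

def device_fingerprint(ua):
    """Coarsen a User-Agent to (os, browser) so version bumps are not flagged,
    while an OS or browser-family change within one flow still is."""
    os_name = next((n for p, n in OS_PATTERNS if re.search(p, ua)), "unknown")
    browser = next((n for p, n in BROWSER_PATTERNS if p in ua), "non-browser")
    return (os_name, browser)

def detect_impossible_device_shifts(events):
    """Return one finding per sign-in flow whose steps came from more than one
    coarse device fingerprint, a shift a single real device cannot produce."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[ev["corr"]].append(ev)
    findings = []
    for corr, steps in by_flow.items():
        seen = [(ev["step"], device_fingerprint(ev["ua"])) for ev in steps]
        if len({fp for _, fp in seen}) > 1:
            findings.append({"corr": corr, "user": steps[0]["user"], "steps": seen})
    return findings

if __name__ == "__main__":
    for f in detect_impossible_device_shifts(SAMPLE_EVENTS):
        print(f"{f['user']} flow {f['corr']}: device changed mid-flow -> {f['steps']}")
```

In the constructed data only bob's flow is reported, because the password step, the MFA step and the token step each arrive from a different device class.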
Analysing phishing website URLs, including patterns and domain registrations, helps identify Sneaky 2FA-related activity. With its sophisticated functionality and user-friendly phishing-as-a-service (PhaaS) platform, this growing threat is becoming more prevalent in Microsoft 365 phishing attempts.
Businesses must prioritise advanced threat detection systems that track sign-in records, fingerprint attackers, and detect irregularities to mitigate risks. Sharing threat intelligence and improving cybersecurity measures are equally important. Additionally, educating users to verify website authenticity before entering credentials is crucial.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Our comprehensive solutions provide you with all the tools and strategies needed to identify and address vulnerabilities before they can be exploited. Book a demo today to see how it can work for you.