Sneaky 2FA: The New Phishing-as-a-Service Threat Targeting Microsoft 365 Accounts

2025-01-17

In the ever-evolving landscape of cyber threats, a new adversary-in-the-middle (AitM) phishing kit has emerged, posing a significant risk to Microsoft 365 users. Dubbed Sneaky 2FA by French cybersecurity firm Sekoia, this sophisticated tool is designed to steal credentials and bypass two-factor authentication (2FA) protections. First detected in December 2023, Sneaky 2FA has already been linked to nearly 100 domains hosting phishing pages, signaling its growing adoption among cybercriminals.

This phishing kit is marketed as a Phishing-as-a-Service (PhaaS) offering by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Customers gain access to an obfuscated version of the source code, allowing them to deploy phishing campaigns independently. The kit employs advanced techniques to evade detection, including traffic filtering, Cloudflare Turnstile challenges, and anti-analysis measures.

Sneaky 2FA phishing campaigns often lure victims with fake payment receipt emails containing QR codes. When scanned, these codes redirect users to malicious pages designed to mimic Microsoft authentication interfaces. The kit even pre-populates the victim’s email address to enhance credibility.

What sets Sneaky 2FA apart is its ability to filter out non-target traffic, such as bots or users accessing the site via VPNs or data centers. These users are redirected to a Microsoft-related Wikipedia page, earning the kit the nickname WikiKit. Additionally, the phishing pages use blurred images of legitimate Microsoft interfaces to trick users into entering their credentials.

The kit’s subscription-based model, priced at $200 per month, ensures only licensed users can deploy it. Researchers have also uncovered ties between Sneaky 2FA and the notorious W3LL Store phishing syndicate, suggesting a possible evolution of previous phishing tools like W3LL Panel.

As cybercriminals continue to refine their tactics, Sneaky 2FA represents a significant escalation in the phishing threat landscape. Its ability to bypass 2FA and mimic legitimate authentication processes makes it a formidable tool for credential theft.

What Undercode Says:

The emergence of Sneaky 2FA underscores the growing sophistication of phishing-as-a-service offerings. Unlike traditional phishing kits, which often rely on rudimentary tactics, Sneaky 2FA incorporates advanced features like traffic filtering, anti-bot measures, and dynamic redirection. These capabilities not only enhance its effectiveness but also make it harder for security tools to detect and mitigate.

One of the most concerning aspects of Sneaky 2FA is its ability to bypass two-factor authentication (2FA), a security measure widely regarded as a strong defense against credential theft. By mimicking legitimate Microsoft authentication pages and pre-populating user email addresses, the kit creates a false sense of security, tricking even vigilant users into divulging sensitive information.

The kit’s subscription-based model is another red flag. By offering a licensed, obfuscated version of the source code, Sneaky Log has lowered the barrier to entry for aspiring cybercriminals. This democratization of phishing tools could lead to a surge in phishing campaigns, as even less technically skilled threat actors can now deploy sophisticated attacks.

The connection to W3LL Store, a known phishing syndicate, further highlights the interconnected nature of the cybercrime ecosystem. The similarities between Sneaky 2FA and W3LL Panel suggest that cybercriminals are building on existing tools, refining them to evade detection and maximize impact. This trend of iterative development poses a significant challenge for cybersecurity professionals, who must constantly adapt to stay ahead of evolving threats.

From a defensive standpoint, the unique User-Agent transitions employed by Sneaky 2FA offer a potential detection opportunity. While these transitions are rare in legitimate authentication flows, they could serve as a telltale sign of malicious activity. Security teams should consider incorporating User-Agent analysis into their threat detection frameworks to identify and block such attacks.
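A minimal form of the User-Agent check suggested above, as an added example that is not from the article or from Sekoia's report: it groups sign-in events by session and flags any session whose User-Agent changes between consecutive authentication steps. The log format, the field names, the step names and the User-Agent strings are all constructed assumptions, since the article does not describe what the real transitions look like.

```python
"""Flag sign-in sessions whose User-Agent changes between auth steps.

Added example (not the article's or Sekoia's code). The log lines, field
layout and step names are constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample sign-in log: timestamp, session_id, step, user_agent
# (tab-separated). Session s2 changes browser between password and MFA.
SAMPLE_LOG = """\
2025-01-17T09:00:01Z\ts1\tpassword\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-17T09:00:09Z\ts1\tmfa\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-17T09:00:12Z\ts1\ttoken\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-17T09:05:40Z\ts2\tpassword\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-17T09:05:55Z\ts2\tmfa\tMozilla/5.0 (X11; Linux x86_64) Firefox/115.0
2025-01-17T09:05:58Z\ts2\ttoken\tMozilla/5.0 (X11; Linux x86_64) Firefox/115.0
"""


def parse_log(text):
    """Yield (timestamp, session_id, step, user_agent); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) == 4:
            yield tuple(p.strip() for p in parts)


def find_ua_transitions(events):
    """Return {session_id: [(step_from, step_to, ua_from, ua_to), ...]} for
    sessions whose User-Agent differs between consecutive steps (by time)."""
    by_session = defaultdict(list)
    for ts, sid, step, ua in events:
        by_session[sid].append((ts, step, ua))
    flagged = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological order within the session
        transitions = [
            (a[1], b[1], a[2], b[2])
            for a, b in zip(rows, rows[1:])
            if a[2] != b[2]
        ]
        if transitions:
            flagged[sid] = transitions
    return flagged


def flagged_sessions(log_text=SAMPLE_LOG):
    return find_ua_transitions(parse_log(log_text))


if __name__ == "__main__":
    for sid, trans in flagged_sessions().items():
        for step_a, step_b, ua_a, ua_b in trans:
            print(f"{sid}: UA changed {step_a} -> {step_b}: {ua_a!r} -> {ua_b!r}")
```

In production the session key would be whatever correlation id your identity provider's sign-in log carries, and the rule needs tuning against legitimate cases such as a browser update mid-session.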

Ultimately, the rise of Sneaky 2FA serves as a stark reminder of the importance of user education and multi-layered security strategies. While technical defenses like 2FA are critical, they are not foolproof. Organizations must also invest in training employees to recognize phishing attempts and adopt a proactive approach to threat intelligence.

As phishing kits continue to evolve, the cybersecurity community must remain vigilant, leveraging both technological solutions and human expertise to combat these ever-changing threats. Sneaky 2FA is just the latest example of how cybercriminals are pushing the boundaries of innovation—and why we must do the same to stay one step ahead.

References:

Reported By: Thehackernews.com
https://www.medium.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help