
Sneaky 2FA: Exposing the New AiTM Phishing-as-a-Service Threat


Phishing attacks have long been a menace to individuals and organizations worldwide, but the cybercriminals behind them are evolving. A new adversary has emerged in the digital threat landscape: the “Sneaky 2FA” phishing kit, a sophisticated Adversary-in-the-Middle (AiTM) Phishing-as-a-Service (PhaaS) operation. This kit targets Microsoft 365 accounts by bypassing two-factor authentication (2FA) measures, exploiting human vulnerabilities, and leveraging advanced obfuscation techniques. Uncovered in December 2024 by cybersecurity researchers, Sneaky 2FA represents a significant escalation in the phishing domain, with global implications for businesses and individuals alike.

This article delves into the inner workings of the Sneaky 2FA phishing kit, its infrastructure, and its implications. We’ll also provide actionable advice to safeguard against this emerging threat.

Anatomy of the Sneaky 2FA Phishing Kit

1. Background and Discovery

The Sneaky 2FA phishing kit first surfaced in October 2024, with its existence confirmed during threat-hunting operations conducted by the Sekoia.io Threat Detection & Research (TDR) team. The kit is marketed by a cybercrime group known as “Sneaky Log,” which operates through a fully featured bot on Telegram. Subscribers to this illicit service receive access to an obfuscated version of the source code, allowing them to deploy phishing campaigns independently.

2. Technical Features

  • URL Manipulation and Autofill: Sneaky 2FA embeds the victim's email address in the phishing URL, in the fragment after the `#`, either in plain text or base64-encoded, so the fake login page can pre-fill the username. For example:
    • hxxps://example.com/wp-content/plugins/well/auth/#victim@example.com
  • Fake Authentication Pages: The kit creates highly convincing Microsoft 365 login pages, complete with blurred background images of legitimate interfaces.
  • Obfuscation Techniques: HTML and JavaScript code within the kit is heavily obfuscated, using junk data, base64-encoded images, and techniques that mimic legitimate Microsoft pages to evade detection.
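As an added illustration, not code from the article or from the Sekoia.io report, the following Python checker flags URLs whose fragment carries an autofill email address, plain or base64-encoded, as described above. The sample URLs are constructed for the example and use a reserved placeholder domain.

```python
import base64
import re
from urllib.parse import urlparse, unquote

# Constructed sample URLs in the style the article describes (example.invalid is a reserved placeholder).
SAMPLE_URLS = [
    "https://example.invalid/wp-content/plugins/well/auth/#victim@example.com",
    "https://example.invalid/n/index#dmljdGltQGV4YW1wbGUuY29t",  # base64 of victim@example.com
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://example.invalid/docs/#section-2",  # ordinary in-page anchor, must not be flagged
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _b64_decode_lenient(s):
    """Decode base64 text, restoring any padding the kit may have dropped; None if not base64/UTF-8."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def extract_autofill_email(url):
    """Return the email address carried in the URL fragment (plain or base64), or None."""
    frag = unquote(urlparse(url).fragment)
    if not frag:
        return None
    if EMAIL_RE.match(frag):
        return frag
    decoded = _b64_decode_lenient(frag)
    if decoded and EMAIL_RE.match(decoded):
        return decoded
    return None


def scan_urls(urls):
    """Return (url, email) pairs for every URL that carries an autofill email in its fragment."""
    hits = []
    for u in urls:
        email = extract_autofill_email(u)
        if email:
            hits.append((u, email))
    return hits


if __name__ == "__main__":
    for url, email in scan_urls(SAMPLE_URLS):
        print(f"autofill email {email!r} found in {url}")
```

Because the fragment is never sent to the web server, this check belongs where the full URL is visible: in email-gateway URL extraction or link-rewriting logs rather than in server-side proxy logs.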

3. Anti-Analysis and Anti-Bot Measures

To deter security analysts and automated detection tools, Sneaky 2FA employs the following tactics:

  • Cloudflare Turnstile Integration: Phishing pages are shielded by CAPTCHAs, ensuring that only human visitors can proceed.
  • Traffic Filtering: The kit filters out traffic from IPs linked to data centers, proxies, or VPNs, redirecting suspected non-human visitors to benign Wikipedia pages.
  • Anti-Debugging Techniques: Browser developer tools are thwarted using JavaScript-based anti-debugger methods.

Infrastructure and Operations

1. Hosting and Distribution

Most Sneaky 2FA phishing pages are hosted on compromised WordPress sites or attacker-controlled domains. Examples include:

  • hxxps://kagumigroup[.]id/wp-content/plugins/well/auth/verify
  • hxxps://highnationservices[.]com/n/index

2. Licensing and Monetization

The Sneaky Log group’s Telegram bot facilitates the sale of this PhaaS operation. Customers pay for a licensed version of the phishing kit, granting them the ability to customize campaigns and evade detection with minimal technical effort.

3. Overlap with W3LL Panel OV6

The kit’s source code shares similarities with the W3LL Panel OV6, an AiTM phishing kit reported in September 2023. This lineage demonstrates how cybercriminals adapt and repurpose previous tools to create more effective threats.

Ten Ways to Avoid Falling Victim to Sneaky 2FA

  1. Educate Employees: Regularly train staff to recognize phishing attempts, emphasizing the risks of clicking on suspicious links.
  2. Implement Robust Email Security: Use advanced email filters to detect and block phishing emails before they reach inboxes.
  3. Monitor URLs Carefully: Encourage users to scrutinize website URLs, ensuring they match official domains and do not contain unusual parameters.
  4. Enable Advanced Authentication: Adopt phishing-resistant MFA methods, such as hardware security keys or biometrics, rather than SMS-based 2FA.
  5. Update Software and Plugins: Regularly patch WordPress sites and other web assets to prevent them from being hijacked for phishing campaigns.
  6. Deploy Anti-Phishing Solutions: Invest in tools that use machine learning to detect and neutralize phishing pages in real time.
  7. Utilize Network Monitoring: Monitor traffic for suspicious activity, such as unexpected redirects to external pages.
  8. Verify Suspicious Communications: Encourage users to contact IT teams or verify communications through secondary channels before taking action.
  9. Restrict Access to External Domains: Use firewall rules to block access to known malicious domains and regions associated with phishing campaigns.
  10. Foster a Cybersecurity Culture: Cultivate a security-first mindset across the organization to ensure vigilance against evolving threats.

Conclusion

The emergence of Sneaky 2FA underscores the adaptability of cybercriminals in circumventing even the most robust security measures. By offering phishing-as-a-service, groups like Sneaky Log lower the barrier to entry for launching sophisticated attacks, endangering businesses and individuals globally. To counter this growing threat, organizations must remain proactive, investing in security awareness, advanced technology, and robust policies.

Ouaissou DEMBELE
Ouaissou DEMBELE is an accomplished cybersecurity professional and the Editor-In-Chief of cybercory.com. He has over 10 years of experience in the field, with a particular focus on Ethical Hacking, Data Security & GRC. Currently, Ouaissou serves as the Co-founder & Chief Information Security Officer (CISO) at Saintynet, a leading provider of IT solutions and services. In this role, he is responsible for managing the company's cybersecurity strategy, ensuring compliance with relevant regulations, identifying and mitigating potential threats, and helping the company's customers build better long-term cybersecurity strategies. Prior to his work at Saintynet, Ouaissou held various positions in the IT industry, including as a consultant. He has also served as a speaker and trainer at industry conferences and events, sharing his expertise and insights with fellow professionals. Ouaissou holds a number of certifications in cybersecurity, including the Cisco Certified Network Professional - Security (CCNP Security), the Certified Ethical Hacker (CEH), and ITIL. With his wealth of experience and knowledge, Ouaissou is a valuable member of the cybercory team and a trusted advisor to clients seeking to enhance their cybersecurity posture.
