Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

Published 17/01/2025 17:01 · Modified 17/01/2025 17:54

Essential information

Tags
2025-01-17 aitm cryptocurrency obfuscation phishing telegram
Related entities
26 observables, 1 intrusion set (APT), 7 techniques (MITRE), 1 malware

Description

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 kit codebase. Sneaky Log's operations include selling tools such as the kit, an email sender, and redirect/attachment services. The service accepts payment in multiple cryptocurrencies and may employ transaction mechanisms.

External references