Sneaky 2FA Kit Exposes Vulnerabilities in 2FA Security
informationsecuritybuzz.com
Cybersecurity researchers from Sekoia have discovered a new Adversary-in-the-Middle (AiTM) phishing kit named “Sneaky 2FA,” targeting Microsoft 365 accounts.
First discovered in December last year, this phishing kit has been active since at least October 2024 and is distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot called “Sneaky Log.” Subscribers receive an obfuscated version of the source code, allowing them to deploy the phishing kit independently.
Bypassing 2FA
This scourge has several key features:
- Autograb Functionality: The phishing URLs include the victim’s email address as a parameter, which is then prefilled into the fake Microsoft authentication page to make it seem credible.
- Anti-Bot and Anti-Analysis Measures: It then uses traffic filtering and Cloudflare Turnstile challenges to make sure that only legitimate users are directed to the credential harvesting pages. Moreover, it carries out checks to detect and resist any analysis attempts using web browser developer ...
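A detection sketch for the autograb behaviour described above, as an added example that is not from the original article or from Sekoia: it flags clicked links whose parameters already carry the recipient's own address on a host outside a sign-in allow-list. The function names, the allow-list and the sample events are assumptions, and checking the URL fragment and base64-encoded values goes beyond what the article states.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption: hosts where a prefilled address is expected (real Microsoft sign-in).
ALLOWED_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def _decodings(value):
    """Yield the value as-is and, when it parses as base64, its decoded text."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return

def prefilled_address(url, recipient):
    """Return where in the URL the recipient's address appears, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in ALLOWED_HOSTS:
        return None
    candidates = [(f"query:{k}", v) for k, v in parse_qsl(parts.query)]
    candidates.append(("fragment", unquote(parts.fragment)))
    for where, value in candidates:
        for text in _decodings(value):
            found = {m.lower() for m in EMAIL_RE.findall(text)}
            if recipient.lower() in found:
                return where
    return None

# Constructed (recipient, clicked URL) pairs for illustration, not real indicators.
SAMPLE_EVENTS = [
    ("alice@example.com", "https://phish.example.net/auth?e=alice%40example.com"),
    ("bob@example.com", "https://phish.example.net/verify#Ym9iQGV4YW1wbGUuY29t"),
    ("carol@example.com", "https://login.microsoftonline.com/common/oauth2/authorize?login_hint=carol%40example.com"),
    ("dave@example.com", "https://news.example.org/article?id=42"),
]

def scan(events):
    """Return (recipient, url, location) for every event that trips the check."""
    hits = ((r, u, prefilled_address(u, r)) for r, u in events)
    return [h for h in hits if h[2]]

if __name__ == "__main__":
    for rcpt, url, where in scan(SAMPLE_EVENTS):
        print(f"recipient address prefilled in {where}: {rcpt} -> {url}")
```

Legitimate services such as newsletters and unsubscribe links also embed the recipient's address, so a hit is a triage signal to combine with sender and domain reputation rather than a verdict.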
Copyright of this story solely belongs to informationsecuritybuzz.com.