Sneaky 2FA: Dangerous New Threat Targeting Microsoft 365
A new and sophisticated attack is targeting Microsoft 365 accounts, bypassing two-factor authentication (2FA) and stealing user credentials. This attack, which uses a phishing-as-a-service kit called Sneaky 2FA, is being sold to cybercriminals and has been circulating since October 2024. It is yet another phishing kit that targets Microsoft services. Previous ones include AuthQuake, which uses brute force to crack Microsoft second factor codes, and Rockstar 2FA, which uses adversary-in-the-middle techniques similar to Sneaky 2FA.
This kit is not only dangerous, but its increasing availability means organizations need to be aware of this threat and take proactive steps to protect their systems. This kit has seen moderate adoption, with around one hundred domain names hosting Sneaky 2FA phishing pages.
Learn more about the techniques used by Sneaky 2FA and strategies to defend your organization against it.
What is Sneaky 2FA?
Sneaky 2FA is a phishing-as-a-service (PhaaS) kit sold by a cybercrime group known as Sneaky Log. It is sold through a bot on Telegram, and customers receive a licensed, obfuscated version of the source code. The kit costs around $200 per month, with discounts for longer subscriptions. The phishing pages are often hosted on compromised infrastructure, such as WordPress websites.
Key capabilities of the kit include:
- Pre-populated login forms: The kit builds convincing, pre-populated login forms with its autograb functionality. The links in the phishing emails pass the victim's email address to the login page, which autofills the email field.
- Session cookie harvesting: Sneaky 2FA harvests Microsoft 365 session cookies so that the 2FA process can be bypassed in subsequent attacks.
- Blurred login backgrounds: Threat actors blur screenshots of Microsoft webpages to create convincing login backgrounds so it looks to the end user as if the content will unblur after authentication.
- Bot detection evasion: The kit distinguishes between humans and bots. Bots are either shown harmless content or redirected to a legitimate website such as Wikipedia. Like the Rockstar 2FA phishing kit, Sneaky 2FA uses a Cloudflare Turnstile page to filter out bots, so only real users reach the phishing page.
- Anti-debugging techniques: The kit defends against security analysis using browser-based developer tools with techniques like HTML and JavaScript code obfuscation and IP address filtering.
How to Defend Against Sneaky 2FA
Defending against Sneaky 2FA must go beyond password hygiene, user training, and any mitigation method that relies on users doing the right thing. This is because, however good their intentions, users are not reliably capable of distinguishing legitimate from malicious login pages or URLs. According to a sobering statistic from KnowBe4, 4.69% of end-users will continue to click malicious links even after training.
Just one successful 2FA bypass can lead to a breach.
Here’s how you can deploy a complete defense against Sneaky 2FA and other 2FA bypass kits:
- Eliminate phishable factors: Phishable factors include passwords, one-time passcodes (OTP), and push notifications. These factors are easily stolen, and users can easily be tricked into providing them on malicious sites. By removing them from the authentication flow altogether, the user cannot be phished, because attackers can't steal what doesn't exist.
- Implement phishing-resistant MFA: Implementing phishing-resistant MFA with asymmetric cryptography is a critical mitigation strategy against attacks like Sneaky 2FA. By using cryptographic keys tied to a user’s device, organizations can ensure that only legitimate users on a trusted device can access data and resources.
- Use device-bound credentials: A key characteristic of Sneaky 2FA attacks is impossible device shift. Similar to impossible travel, impossible device shift indicates when a user’s authentication attempt jumps from one device to another (e.g. from Safari on iOS to Edge on Windows). Unlike phishable factors, device-bound credentials tie authentication to a specific device.
- Enforce verifier impersonation resistance: Recognizing that users will always click on malicious links, it’s important to implement solutions that do not rely on human perception to validate the legitimacy of access requests. The way to implement this is by programmatically verifying the origin of access requests and ensuring that they come from an authorized and legitimate service.
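As an added illustration of the last two points (this is not code from the page, from the kit, or from Microsoft), the Go program below models the origin check that makes WebAuthn-style, device-bound credentials resistant to adversary-in-the-middle kits such as Sneaky 2FA: the browser records the origin of the page that requested the signature, the authenticator signs over that record, and the relying party rejects any assertion whose recorded origin is not its own. The origins and the challenge value are constructed, and real WebAuthn additionally binds authenticator data, a signature counter and the RP ID hash, which this simplified model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData models the origin-bound fields of WebAuthn clientDataJSON. The browser
// fills in Origin from the page that called the API; a phishing page cannot change it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Sign simulates browser plus authenticator: the authenticator signs the hash of
// the client data, so the recorded origin is covered by the signature.
func Sign(priv ed25519.PrivateKey, challenge, browserOrigin string) (clientData, sig []byte) {
	clientData, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(clientData)
	return clientData, ed25519.Sign(priv, h[:])
}

// Verify is the relying party's check: its own challenge, its own origin, a valid signature.
// A proxy relaying a real challenge still fails: the recorded origin is the proxy's.
func Verify(pub ed25519.PublicKey, challenge, rpOrigin string, clientData, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientData, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed client data or challenge mismatch")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rpOrigin)
	}
	if h := sha256.Sum256(clientData); !ed25519.Verify(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rp, proxy = "https://login.example.com", "https://login-example.phish.invalid" // constructed
	cd, sig := Sign(priv, "c0ffee", rp) // constructed challenge; real RPs issue a random one per request
	fmt.Println("on the real site:", Verify(pub, "c0ffee", rp, cd, sig))
	cd, sig = Sign(priv, "c0ffee", proxy)
	fmt.Println("via AitM proxy:", Verify(pub, "c0ffee", rp, cd, sig))
}
```

The first Verify call returns nil; the second fails on the origin check even though the challenge and signing key are exactly the ones the real service expects, which is why a relayed session cannot be completed the way a relayed OTP can.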
If you’re interested in talking to a security expert about this phishing kit or its mitigation strategies, please contact us.