Mamba 2FA: A new contender in the AiTM phishing ecosystem

Oct. 8, 2024, 8:34 a.m.

Description

Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS). Its capabilities are similar to those of other popular AiTM phishing services: it handles two-step verification for non-phishing-resistant MFA methods, supports various authentication systems, and dynamically reflects organization branding. The kit uses a two-layer infrastructure consisting of link domains and relay servers, and uses the Socket.IO protocol for communication. Mamba 2FA has been active since at least November 2023 and is commercialized through Telegram. The phishing pages mimic Microsoft 365 services and use sophisticated techniques to evade detection, including HTML attachments with obfuscated content.

Date

Published: Oct. 7, 2024, 8:04 p.m.

Created: Oct. 7, 2024, 8:04 p.m.

Modified: Oct. 8, 2024, 8:34 a.m.

Attack Patterns

Mamba 2FA

T1528

T1539

T1550.001

T1204.001

T1557

T1566

T1078