Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

Jan. 17, 2025, 5:54 p.m.

Description

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 phishing kit codebase. Sneaky Log's operations include selling tools like the AiTM phishing kit, an email sender, and redirect/attachment services. The service uses multiple cryptocurrencies for payments and may employ transaction obfuscation mechanisms.

External References

https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
https://otx.alienvault.com/pulse/678a8ce9b82a67a056a959df
Tags
obfuscation
phishing
aitm
cryptocurrency
telegram
2025-01-17

Date

  • Created: Jan. 17, 2025, 5:01 p.m.
  • Published: Jan. 17, 2025, 5:01 p.m.
  • Modified: Jan. 17, 2025, 5:54 p.m.

Indicators

  • 185.125.100.81
  • 101.99.92.124
  • tesla-apply-job.com
  • sneakylog.store
  • lovencareurology.in
  • intertrustsgroup.com
  • hsrcxeeae.mypi.co
  • guardiansresearch.org
  • greyscaleal.com
  • docsafybeifur2mabbggrihscauthenticnotes.online
  • glamorouslengths.su
  • florenceorganics.us
  • files42.com
  • emea-nec.com
  • drop-project.top
  • dolh6growth.online
  • docuinshare.top
  • desirenetwork.in
  • claytoncontsruction.net
  • bhlergroup.com
  • baptihealth.com
  • apppowerappsportals.top
  • allorginichomes.xyz
  • allorganicitems.com
  • alliedhealthcaresolution.com
  • africanagrirnarket.com
Download all indicators here!

Attack Patterns

  • Sneaky 2FA
  • Sneaky Log