Your MFA Is No Match for Sneaky2FA

Feb. 28, 2025, 9:58 a.m.

Description

In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.

External References

https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa
https://otx.alienvault.com/pulse/67c148f5d64d299fa4a97670
Tags
phishing
phaas
2fa bypass
office 365
2025-02-28
session cookies
sneaky2fa

Date

  • Created: Feb. 28, 2025, 5:26 a.m.
  • Published: Feb. 28, 2025, 5:26 a.m.
  • Modified: Feb. 28, 2025, 9:58 a.m.

Indicators

  • 2a0b:7140:6:1:5054:ff:fec2:7579
  • 2001:ac8:31:254:5835:61ba:6c91:5c29
  • 872a754101510bdc6c0f02399e44724f72922cd8066bdc8dcd75aa4b1f2e2268
  • 58cf64e33543791869a0f08776bcfe515fd6da36942045bed0ae0c21305442a5
  • 23.163.0.30
  • https://manyanshe.com/macdownloads/script_67a654802ba053.47547911.php
  • https://deepseek.exploreio.net
  • secure.toitoiiusa.com
  • manyanshe.com
  • deepseek.exploreio.net
  • jobstreet-storage.com
  • deepseek-storage.com
  • chatgpt-storage.com
  • calendly-storage.com
  • browser-storage.com
Download all indicators here!

Attack Patterns

  • Sneaky2FA