Your MFA Is No Match for Sneaky2FA

In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack involved a spam email with a link to a phishing PDF in OneDrive, redirecting users to a fake Office 365 page. Sneaky2FA uses Cloudflare Turnstile to prevent scanners from accessing the phishing page. The kit captures user credentials and 2FA codes, providing operators with session cookies for unauthorized access. Phishing operators were observed using stolen cookies to add MFA methods, hiding behind VPN and proxy services. The sophisticated nature of Sneaky2FA allows damaging follow-on activities such as email exfiltration, spam, and BEC attacks.

Author: AlienVault
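One way to hunt for the post-compromise step described above (a stolen session being used to add an MFA method), shown as an added example that is not part of the original report or eSentire's tooling. The event fields, action names and sample records are constructed for illustration and do not follow any real log schema.

```python
from datetime import datetime

# Constructed sample events. Field names are hypothetical, not a real log schema.
EVENTS = [
    {"time": "2025-02-03T09:00:00", "user": "alice@example.com", "session": "s-100",
     "ip": "198.51.100.10", "action": "sign_in"},
    {"time": "2025-02-03T09:04:00", "user": "alice@example.com", "session": "s-100",
     "ip": "203.0.113.77", "action": "mfa_method_added"},
    {"time": "2025-02-03T10:00:00", "user": "bob@example.com", "session": "s-200",
     "ip": "192.0.2.5", "action": "sign_in"},
    {"time": "2025-02-03T10:30:00", "user": "bob@example.com", "session": "s-200",
     "ip": "192.0.2.5", "action": "mfa_method_added"},
    {"time": "2025-02-03T11:00:00", "user": "carol@example.com", "session": "s-300",
     "ip": "192.0.2.9", "action": "sign_in"},
    {"time": "2025-02-03T11:20:00", "user": "carol@example.com", "session": "s-300",
     "ip": "198.51.100.44", "action": "mail_read"},
    {"time": "2025-02-03T12:00:00", "user": "dave@example.com", "session": "s-400",
     "ip": "203.0.113.90", "action": "mfa_method_added"},
]


def find_suspicious_mfa_changes(events):
    """Flag MFA registrations from an IP that never signed in to that session."""
    sign_ins = {}  # (user, session) -> {ip: time of first sign-in from that ip}
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["session"])
        if ev["action"] == "sign_in":
            sign_ins.setdefault(key, {}).setdefault(ev["ip"], ts)
        elif ev["action"] == "mfa_method_added":
            seen = sign_ins.get(key, {})
            if ev["ip"] in seen:
                continue  # same address authenticated this session: expected
            findings.append({
                "user": ev["user"],
                "session": ev["session"],
                "change_ip": ev["ip"],
                "sign_in_ips": sorted(seen),
                # None when the session has no recorded sign-in at all
                "minutes_after_sign_in":
                    int((ts - min(seen.values())).total_seconds() // 60) if seen else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_mfa_changes(EVENTS):
        print(finding)
```

A hit is a triage signal rather than proof of compromise, since legitimate users also change networks mid-session; reviewing whether the registering address belongs to a VPN or proxy service narrows it further.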

Related Tags: session cookies, Sneaky2FA, office 365, phaas, T1534, T1098, T1539, T1078, T1114

Associated Indicators: