Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that has been targeting Microsoft 365 accounts to steal credentials and two-factor authentication (2FA) codes since at least October 2024.
The new phishing kit was named Sneaky 2FA by French cybersecurity company Sekoia, which discovered it in the wild in December. As of this month, nearly 100 domains have been identified as hosting Sneaky 2FA phishing pages, indicating moderate adoption among threat actors.
“This kit is sold as Phishing as a Service (PhaaS) by Sneaky Log, a cybercrime service that operates through a fully functional bot on Telegram,” the company said in its analysis. “Customers reportedly obtain access to a licensed, obfuscated version of the source code and deploy it themselves.”
Phishing campaigns have been seen sending payment receipt emails to trick recipients into opening fake PDF documents containing a QR code that, when scanned, redirects them to Sneaky 2FA pages.
Sekoia said phishing pages are hosted on compromised infrastructure, mostly involving WordPress websites and other domains controlled by the attacker. Fake authentication pages are designed to automatically fill in the victim’s email address to increase their legitimacy.
The suite also boasts several anti-bot and analysis measures that use techniques such as traffic filtering and Cloudflare Turnstile calls to ensure that only victims who meet certain criteria are directed to credential harvesting pages. In addition, it runs a series of checks to detect and counter analysis attempts by the web browser’s developer tools.
A distinctive aspect of the PhaaS is that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page using the href(.)li redirect service. This led TRAC Labs to name it WikiKit.
“The Sneaky 2FA phishing kit uses multiple blurred images as backgrounds for fake Microsoft authentication pages,” Sekoia explained. “Using screenshots of legitimate Microsoft interfaces, this tactic is designed to force users to authenticate in order to access the blurred content.”
Further investigation revealed that the phishing kit checks in with a central server, likely run by the operator, to ensure that the subscription is active. This means that only customers with a valid license key can use Sneaky 2FA to conduct phishing campaigns. The kit is advertised at $200 per month.
That’s not all. Source code references were also found pointing to a phishing syndicate known as W3LL Store, which was previously exposed by Group-IB in September 2023 as the one behind a phishing kit called W3LL Panel and various tools for conducting business email compromise (BEC) attacks.
This, along with similarities in the AitM relay implementation, raises the possibility that Sneaky 2FA is based on W3LL Panel. The latter also operates under a similar licensing model, requiring periodic checks against a central server.
An interesting twist is that some Sneaky 2FA domains have previously been linked to known AitM phishing kits such as Evilginx2 and Greatness, a sign that at least a few cybercriminals have switched to the new service.
“The phishing kit uses different hard-coded User-Agent strings for HTTP requests depending on the stage of the authentication flow,” the Sekoia researchers said. “This behavior is rarely seen in legitimate user authentication, as the user would have to perform successive authentication steps from different web browsers.”
“While User-Agent transitions occasionally occur in legitimate situations (such as authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the particular User-Agent sequence used by Sneaky 2FA does not correspond to a realistic scenario, and offers a highly accurate detection of the kit.”
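The detection idea the Sekoia researchers describe, a User-Agent that changes between successive steps of one sign-in, can be turned into a simple hunting rule over identity-provider sign-in logs. The following Python is an added example written for this article, not code from Sekoia or from the kit; it assumes a minimal log record with a correlation id per sign-in, a timestamp, the authentication step and the client User-Agent, and since the article does not publish the kit's hard-coded User-Agent strings it flags any User-Agent change between consecutive steps of a session rather than matching a known sequence. The sample events and the desktop-client allowlist (the one legitimate transition the researchers mention) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Each record mimics a
# minimal IdP sign-in log: a correlation id tying the steps of one sign-in
# together, a timestamp, the authentication step, and the client User-Agent.
SAMPLE_EVENTS = [
    # s1: ordinary browser sign-in, same UA for both steps -> benign
    {"session": "s1", "ts": "2025-01-15T10:00:00Z", "step": "password",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    {"session": "s1", "ts": "2025-01-15T10:00:08Z", "step": "mfa",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    # s2: UA changes at every step within seconds -> relay-style behaviour
    {"session": "s2", "ts": "2025-01-15T10:05:00Z", "step": "password",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    {"session": "s2", "ts": "2025-01-15T10:05:04Z", "step": "mfa",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15 Version/17.2 Safari/605.1.15"},
    {"session": "s2", "ts": "2025-01-15T10:05:07Z", "step": "token",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/119.0 Safari/537.36"},
    # s3: desktop client hands the MFA step to a browser -> expected, no alert
    {"session": "s3", "ts": "2025-01-15T10:10:00Z", "step": "password",
     "ua": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17126; Pro)"},
    {"session": "s3", "ts": "2025-01-15T10:10:12Z", "step": "mfa",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"},
]

# Hypothetical allowlist of desktop-client UA prefixes that legitimately hand
# the MFA step to a browser or WebView; tune this to your own environment.
DESKTOP_CLIENT_PREFIXES = ("Microsoft Office/",)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def ua_platform(ua):
    """Coarse platform taken from the first parenthesised token, e.g. 'Windows', 'Macintosh', 'X11'."""
    m = re.search(r"\(([^;)]+)", ua)
    return m.group(1).split()[0] if m else "unknown"


def is_expected_handoff(prev_ua, next_ua):
    """Desktop client -> browser on the same platform is the one tolerated transition."""
    return (prev_ua.startswith(DESKTOP_CLIENT_PREFIXES)
            and next_ua.startswith("Mozilla/")
            and ua_platform(prev_ua) == ua_platform(next_ua))


def find_ua_transitions(events, window=timedelta(minutes=10)):
    """Return one finding per User-Agent change between consecutive steps of a session."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for session, steps in by_session.items():
        steps.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(steps, steps[1:]):
            if prev["ua"] == cur["ua"]:
                continue
            gap = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            # Ignore changes outside the window (likely a separate sign-in) and known handoffs
            if gap > window or is_expected_handoff(prev["ua"], cur["ua"]):
                continue
            findings.append({"session": session, "from_step": prev["step"], "to_step": cur["step"],
                             "from_ua": prev["ua"], "to_ua": cur["ua"],
                             "seconds": gap.total_seconds()})
    return findings


def flagged_sessions(events, min_transitions=1):
    """Sessions with at least min_transitions unexplained User-Agent changes, sorted."""
    counts = defaultdict(int)
    for f in find_ua_transitions(events):
        counts[f["session"]] += 1
    return sorted(s for s, n in counts.items() if n >= min_transitions)


if __name__ == "__main__":
    for f in find_ua_transitions(SAMPLE_EVENTS):
        print(f"{f['session']}: {f['from_step']}->{f['to_step']} UA changed after {f['seconds']:.0f}s")
    print("flagged:", flagged_sessions(SAMPLE_EVENTS))
```

Run against the sample, only session s2 is flagged (two changes in under ten seconds), while the Outlook-to-Edge handoff in s3 is tolerated by the allowlist. In production the same grouping works on Entra ID sign-in logs keyed by correlation id; raising `min_transitions` to 2 trades some recall for fewer false positives from odd but benign client switches.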