A recent discovery by the Sekoia Threat Detection & Research (TDR) team has revealed the emergence of a sophisticated phishing-as-a-service (PhaaS) kit known as Mamba 2FA, specifically designed to target Microsoft 365 users. This kit, available for a monthly fee of $250 on various underground cybercrime forums, relays the victim's sign-in through an adversary-in-the-middle (AitM) proxy behind a range of convincing disguises that deceive unsuspecting victims.
One of the key features of Mamba 2FA is its ability to generate multiple fake login pages that closely resemble legitimate Microsoft 365 services. These fraudulent pages can mimic popular platforms such as OneDrive, SharePoint Online secure links, or generic Microsoft sign-in pages. The kit can also present users with a fake voicemail retrieval link which, upon clicking, redirects them to a bogus sign-in page. To add to the authenticity of these pages, Mamba 2FA dynamically incorporates branding elements such as logos and background images to mirror those of the targeted enterprise.
What sets Mamba 2FA apart from traditional phishing techniques is its capability to bypass two-factor authentication (2FA) methods that rely on one-time codes and app notifications, since the AitM proxy relays the victim's second factor to the real service in real time. The kit also supports a wide range of authentication methods, including Entra ID, AD FS, third-party single sign-on (SSO) providers, and even consumer Microsoft accounts. Upon a successful phishing attempt, Mamba 2FA captures the user's credentials and authentication cookies, which are then promptly transmitted to the attacker via a Telegram bot.
Interestingly, Sekoia's analysis first traced Mamba 2FA back to as early as March. Further investigation, however, revealed that the kit has been actively used in phishing campaigns since November 2023. The operator behind this service previously operated on the now-defunct messaging platform ICQ before transitioning to Telegram, a shift that suggests a strategic move towards a more secure and encrypted channel for selling Mamba 2FA.
The rise of PhaaS kits like Mamba 2FA underscores the evolving threats faced by organizations and individuals in the digital age. As cybercriminals continue to refine their tactics and tools, it is imperative for users to remain vigilant and adopt best practices to protect themselves from such elaborate scams. Collaboration between security researchers and threat intelligence teams plays a crucial role in identifying and mitigating emerging threats like Mamba 2FA, ultimately safeguarding the digital ecosystem against malicious actors.
