In a recent discovery by French cybersecurity company Sekoia, a new phishing kit called Sneaky 2FA has been identified as a threat to Microsoft 365 accounts. This kit is being utilized in various phishing campaigns, with nearly 100 domains hosting related phishing pages as of January 2025. Sneaky 2FA is sold as a phishing-as-a-service through a Telegram bot named “Sneaky Log,” providing customers with an obfuscated version of the source code for independent deployment.
The primary method employed by these phishing campaigns involves sending payment receipt emails to potential victims, enticing them to open malicious PDF attachments. These attachments contain QR codes that redirect users to Sneaky 2FA’s phishing pages, which are designed to replicate legitimate Microsoft login interfaces. These fake authentication pages are hosted on compromised infrastructure, often WordPress sites, and on other attacker-controlled domains. To make the fake page more convincing, it is pre-filled with the victim’s email address before prompting for credentials.
To ensure that only targeted victims reach the phishing pages, Sneaky 2FA incorporates various anti-bot and anti-analysis techniques. These measures include traffic filtering, Cloudflare Turnstile challenges, and checks that detect attempts to analyze the phishing kit using browser developer tools. If the visitor’s IP address is associated with a cloud provider or proxy service, the visitor is redirected to a Microsoft-related Wikipedia page instead, a behavior that has earned the kit the moniker “WikiKit.” Moreover, Sneaky 2FA validates an active subscription with a central server, so a valid license key is required for the kit to operate.
Interestingly, some of the domains used by Sneaky 2FA were previously linked to other adversary-in-the-middle (AitM) phishing kits such as Evilginx2 and Greatness, indicating a possible migration of cybercriminals to this new service. Despite sharing some code with the W3LL Panel phishing kit, Sneaky 2FA is distinct and has its own functionality. Researchers have highlighted specific behaviors of the kit, such as using different User-Agent strings for different authentication steps, which can aid in its detection.
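One way to act on that detection hint, as an added example that is not from Sekoia’s report or from the kit itself: a small Python check that groups sign-in events by session, orders them by time, and flags any session whose User-Agent changes between consecutive authentication steps. The log format, field names and sample records below are constructed for the example; map them to what your identity provider actually emits.

```python
import json
from collections import defaultdict

# Constructed sample sign-in log in JSON-lines form. Field names (ts, session,
# step, ua) are assumptions for this example, not a real product's schema.
# Session s2's records are deliberately out of order to show the sort.
SAMPLE_LOG = """
{"ts": "2025-01-15T09:00:01Z", "session": "s1", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"}
{"ts": "2025-01-15T09:00:05Z", "session": "s1", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"}
{"ts": "2025-01-15T09:00:20Z", "session": "s1", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"}
{"ts": "2025-01-15T09:01:00Z", "session": "s2", "step": "username", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"}
{"ts": "2025-01-15T09:01:30Z", "session": "s2", "step": "mfa", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}
{"ts": "2025-01-15T09:01:04Z", "session": "s2", "step": "password", "ua": "python-requests/2.31"}
"""


def parse_events(log_text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_ua_switches(log_text):
    """Return {session_id: [(step_before, ua_before, step_after, ua_after), ...]}
    for every session whose User-Agent differs between consecutive steps.
    A legitimate browser keeps one User-Agent across username, password and
    MFA steps, so a mid-flow change is worth a closer look."""
    by_session = defaultdict(list)
    for event in parse_events(log_text):
        by_session[event["session"]].append(event)

    findings = {}
    for session_id, events in by_session.items():
        # ISO-8601 timestamps with a fixed 'Z' suffix sort correctly as strings.
        events.sort(key=lambda e: e["ts"])
        switches = [
            (prev["step"], prev["ua"], cur["step"], cur["ua"])
            for prev, cur in zip(events, events[1:])
            if prev["ua"] != cur["ua"]
        ]
        if switches:
            findings[session_id] = switches
    return findings


if __name__ == "__main__":
    for session_id, switches in find_ua_switches(SAMPLE_LOG).items():
        for step_before, ua_before, step_after, ua_after in switches:
            print(f"{session_id}: User-Agent changed between {step_before} and "
                  f"{step_after}: {ua_before!r} -> {ua_after!r}")
```

Session s1 produces no finding; session s2 is flagged twice because its User-Agent differs at every step.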
The emergence of Sneaky 2FA underscores the evolving landscape of phishing attacks, showcasing cybercriminals’ adaptation to security measures and their persistence in targeting Microsoft 365 users. As organizations and individuals navigate the digital realm, staying vigilant against such sophisticated threats remains paramount for safeguarding sensitive information and preventing unauthorized access to accounts.
