The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts

Threat Group: Sneaky Log
Threat Type: Phishing-as-a-Service (PhaaS) Platform
Exploited Vulnerabilities: Two-Factor Authentication (2FA) Mechanisms, User Trust
Malware Used: Sneaky 2FA Phishing Kit
Threat Score: High (8.5/10) – Due to its sophisticated methods to bypass 2FA and widespread targeting of essential communication platforms.
Last Threat Observation: January 18, 2025


Overview

The Sneaky 2FA phishing kit, also known as Tycoon 2FA, is an advanced Phishing-as-a-Service (PhaaS) platform that has been actively targeting Microsoft 365 and Gmail accounts since at least August 2023. This kit enables cybercriminals to bypass Two-Factor Authentication (2FA) by employing Adversary-in-the-Middle (AitM) techniques, thereby compromising accounts that rely on 2FA for security. The platform is marketed through a fully-featured bot on Telegram, making it accessible to a broad range of attackers.

The Sneaky 2FA phishing kit operates by intercepting user credentials and session cookies during the authentication process. Attackers distribute phishing emails containing QR codes or malicious links, leading victims to counterfeit authentication pages that closely mimic legitimate Microsoft 365 or Gmail login portals. Once users enter their credentials and 2FA codes, the kit captures this information, allowing attackers to gain unauthorized access to the accounts. Notably, the kit employs several anti-analysis measures, such as traffic filtering and Cloudflare Turnstile challenges, to evade detection and ensure that only genuine targets are directed to the credential harvesting pages.


Key Details

Delivery Method:

  • Phishing emails containing QR codes that redirect users to counterfeit authentication pages.
  • Compromised WordPress websites hosting malicious content.

Target:

  • Users of Microsoft 365 and Gmail services.

Functions:

  • Harvesting user credentials and session cookies.
  • Bypassing 2FA by capturing authentication tokens.
  • Employing anti-analysis measures to evade detection.
  • Utilizing Cloudflare Turnstile challenges to filter traffic.
  • Implementing obfuscated code to resist security analysis.

Obfuscation:

  • The phishing kit uses obfuscated JavaScript and HTML code, which changes dynamically with each execution, making it difficult for security systems to detect and analyze the malicious activities.

Attack Vectors

The Sneaky 2FA phishing kit leverages a sophisticated multi-step process to exploit 2FA and gain unauthorized access to targeted accounts:

  1. Adversary-in-the-Middle Approach:
    • The kit uses an AitM phishing technique that captures login credentials and 2FA codes during the authentication process. This allows attackers to gain access to accounts without having direct access to the user's device or login session.
  2. Malicious QR Code Campaigns:
    • Phishing emails often include QR codes that redirect unsuspecting users to counterfeit Microsoft authentication pages. These QR codes provide an additional layer of deception, making it harder for users to recognize a phishing attempt.
  3. Compromised Websites as Hosting Platforms:
    • The attackers leverage compromised WordPress sites and other vulnerable domains to host their phishing pages, ensuring a wide distribution network that is harder to trace and shut down.
  4. Session Cookie Theft:
    • Once the user authenticates, the kit captures and exfiltrates session cookies. These stolen cookies enable attackers to impersonate the user, bypassing 2FA and maintaining persistent access to the victim's account.
  5. Traffic Filtering and Anti-Analysis Features:
    • To evade detection, the phishing pages utilize advanced anti-bot measures, such as Cloudflare Turnstile challenges, and obfuscation techniques that disguise the true intent of the code. These features make it difficult for automated tools and researchers to identify and analyze the phishing operations.

Known Indicators of Compromise (IoCs)

IP Addresses and Hosts

  • 101.99.92[.]124
  • 185.125.100[.]81
  • sneakylog[.]store
  • tesla-apply-job[.]com


Mitigation and Prevention

  1. User Awareness:
    • Conduct regular training sessions to help users identify phishing attempts, especially those involving QR codes or unexpected authentication requests.
  2. Email Filtering:
    • Implement advanced email filtering solutions to detect and block phishing emails containing malicious links or attachments.
  3. Antivirus Protection:
    • Deploy reputable antivirus and anti-malware solutions across all endpoints to detect and prevent the execution of malicious code.
  4. Two-Factor Authentication (2FA):
    • Encourage the use of hardware-based 2FA methods, such as security tokens, which are less susceptible to phishing attacks compared to SMS or app-based codes.
  5. Monitor Logs:
    • Regularly review authentication logs for unusual access patterns, such as logins from unfamiliar locations or devices.
  6. Regular Updates:
    • Ensure that all systems, including content management platforms like WordPress, are updated promptly to mitigate vulnerabilities that could be exploited by attackers.
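One way to put step 5 (log review) into practice, as an added example that is not part of the advisory: it scans constructed sign-in events (the record format and field names are assumptions, not a real Microsoft 365 or Google log schema) and flags any session whose cookie is reused from a different IP address, user agent or country than the one that completed MFA, which is the trace a stolen session cookie leaves when it is replayed after an AitM capture.

```python
import json
from datetime import datetime

# Constructed sample events (assumed format, not a vendor log schema). Each record
# carries the session the cookie is bound to, the client IP, user agent and the
# country derived from the IP.
SAMPLE_EVENTS = [
    {"ts": "2025-01-18T09:00:00Z", "user": "alice@example.com", "session": "S1",
     "event": "mfa_success", "ip": "203.0.113.10", "ua": "Chrome/120", "country": "GB"},
    {"ts": "2025-01-18T09:01:30Z", "user": "alice@example.com", "session": "S1",
     "event": "mailbox_access", "ip": "203.0.113.10", "ua": "Chrome/120", "country": "GB"},
    # Same session cookie, minutes later, from a different network and browser.
    {"ts": "2025-01-18T09:04:12Z", "user": "alice@example.com", "session": "S1",
     "event": "mailbox_access", "ip": "198.51.100.77", "ua": "Firefox/121", "country": "NL"},
    {"ts": "2025-01-18T10:00:00Z", "user": "bob@example.com", "session": "S2",
     "event": "mfa_success", "ip": "192.0.2.5", "ua": "Edge/120", "country": "US"},
    {"ts": "2025-01-18T10:30:00Z", "user": "bob@example.com", "session": "S2",
     "event": "mailbox_access", "ip": "192.0.2.5", "ua": "Edge/120", "country": "US"},
]

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_session_replay(events):
    """Return one alert per activity event whose session was established with MFA
    from a different IP, user agent or country than the event itself. A session
    that survives such a change is consistent with a captured cookie being replayed
    rather than the legitimate user continuing their own session."""
    origin = {}   # (user, session) -> the mfa_success event that created it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        key = (ev["user"], ev["session"])
        if ev["event"] == "mfa_success":
            origin[key] = ev
            continue
        base = origin.get(key)
        if base is None:          # no MFA sign-in seen for this session; nothing to compare
            continue
        changed = [f for f in ("ip", "ua", "country") if ev[f] != base[f]]
        if changed:
            gap = _parse_ts(ev["ts"]) - _parse_ts(base["ts"])
            alerts.append({"user": ev["user"], "session": ev["session"],
                           "changed": changed, "from": base["ip"], "to": ev["ip"],
                           "seconds_after_mfa": int(gap.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_session_replay(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In production the same comparison would run over exported sign-in and activity logs joined on the session identifier, with a short window after MFA weighted highest because an AitM kit typically replays the cookie within minutes of capture.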

Risk Assessment

The Sneaky 2FA phishing kit poses a significant threat due to its ability to bypass standard 2FA protections, which are widely relied upon to secure user accounts. By compromising essential communication platforms like Microsoft 365 and Gmail, successful attacks can lead to unauthorized access to sensitive information, data breaches, and potential financial losses. The accessibility of this PhaaS platform lowers the barrier for cybercriminals, increasing the likelihood of widespread attacks.


Conclusion

The emergence of the Sneaky 2FA phishing kit underscores the evolving tactics of cybercriminals in circumventing security measures like Two-Factor Authentication. Organizations and individuals must remain vigilant, adopting comprehensive security practices that include user education, robust email filtering, advanced authentication methods, and continuous monitoring of access logs. Staying informed about such threats and proactively implementing mitigation strategies are crucial steps in safeguarding digital assets against sophisticated phishing attacks.


Sources: