Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various authentication systems, and dynamically reflecting organization branding. The kit uses a two-layer infrastructure consisting of link domains and relay servers, leveraging the Socket.IO protocol for communication. Mamba 2FA has been active since at least November 2023 and is commercialized through Telegram. The phishing pages mimic Microsoft 365 services and use sophisticated techniques to evade detection, including HTML attachments with obfuscated content.