Mamba 2FA is an adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS) discovered by Sekoia's Threat Detection & Research (TDR) team in late May 2024. Mamba 2FA mimics Microsoft 365 login pages and uses HTML attachments to trick users into entering their credentials. Once captured, the attackers bypass two-factor authentication (2FA) and gain access to the victim's accounts. Like other similar PhaaS platforms, it uses proxy relays to conduct AiTM phishing attacks, allowing the threat actors to access one-time passcodes and authentication cookies. The AiTM mechanism uses the Socket.IO JavaScript library to communicate between the phishing page and relay servers, which then communicate with Microsoft's servers using the stolen data. Captured credentials and cookies are transmitted to the attacker through a Telegram bot, enabling them to initiate a session immediately. Mamba 2FA also features sandbox detection, redirecting users to Google 404 webpages when under analysis.