A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authenticates with Microsoft APIs, and employs various obfuscation techniques. The phishing pages are typically hosted on compromised WordPress sites or attacker-controlled domains. The kit appears to be based on the W3LL OV6 phishing kit codebase. Sneaky Log's operations include selling tools like the AiTM phishing kit, an email sender, and redirect/attachment services. The service uses multiple cryptocurrencies for payments and may employ transaction obfuscation mechanisms.