Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes. French cybersecurity firm Sekoia identified the kit, active since October 2024, and discovered nearly 100 domains hosting related phishing pages. The phishing kit includes references to W3LL Store, a known phishing syndicate behind the W3LL Panel, raising suspicions that Sneaky 2FA is based on similar technology. Some domains linked to Sneaky 2FA were previously tied to older AitM kits like Evilginx2 and Greatness, indicating a shift among cybercriminals to the newer service. Campaigns leveraging Sneaky 2FA use QR codes embedded in fake payment receipt emails to lure victims. These codes redirect users to phishing pages to harvest credentials and bypass 2FA protections.