Pulse: Your MFA Is No Match for Sneaky2FA
TLP: WHITE | Author: AlienVault | Created: 2025-02-28 | Modified: 2025-03-30
27 IOCs | Medium volume
In early February 2025, the eSentire Threat Response Unit detected a user accessing a phishing site associated with Sneaky2FA, an Adversary-in-the-Middle (AitM) Phishing-as-a-Service kit designed to bypass two-factor authentication. The attack began with a spam email linking to a phishing PDF hosted on OneDrive, which redirected the user to a fake Office 365 login page. Sneaky2FA places the phishing page behind Cloudflare Turnstile to keep automated scanners from reaching it. The kit captures the user's credentials and 2FA code and hands the resulting session cookies to the operators, who use them for unauthorized access. Phishing operators were observed using the stolen cookies to add their own MFA methods to the compromised account while hiding behind VPN and proxy services. Because the kit captures a fully authenticated session, it enables damaging follow-on activity such as email exfiltration, spam, and business email compromise (BEC).
MITRE ATT&CK techniques: none listed
Malware families: Sneaky2FA
Indicators of Compromise (27)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | 5b049b18a1874083935bff3d8572f69c | MD5 of 58cf64e33543791869a0f08776bcfe515fd6da36942045bed0ae0c21305442a5 | 2025-02-28
FileHash-SHA1 | 2acd4a7ffb26deeff5adb22635564679500a9144 | SHA1 of 58cf64e33543791869a0f08776bcfe515fd6da36942045bed0ae0c21305442a5 | 2025-02-28
FileHash-SHA256 | 58cf64e33543791869a0f08776bcfe515fd6da36942045bed0ae0c21305442a5 | | 2025-02-28
FileHash-SHA256 | 872a754101510bdc6c0f02399e44724f72922cd8066bdc8dcd75aa4b1f2e2268 | | 2025-02-28
URL | https://deepseek.exploreio.net | | 2025-02-28
URL | https://manyanshe.com/macdownloads/script_67a654802ba053.47547911.php | | 2025-02-28
domain | browser-storage.com | | 2025-02-28
domain | calendly-storage.com | | 2025-02-28
domain | chatgpt-storage.com | | 2025-02-28
domain | deepseek-storage.com | | 2025-02-28
domain | jobstreet-storage.com | | 2025-02-28
domain | manyanshe.com | | 2025-02-28
hostname | deepseek.exploreio.net | | 2025-02-28
hostname | secure.toitoiiusa.com | | 2025-02-28