Pulse Detail — Threat Intelligence

PULSE NAME

Sneaky 2FA AiTM PhaaS

WHITE Sneaky 2FA v0od0o.exe 2025-04-30 Modified: 2025-05-30

193

IOCs

HIGH VOLUME

Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1539 T1114 T1534 T1098 T1566 T1078

Indicators of Compromise (193)

All domain hostname URL FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	africanagrirnarket.com	—	2025-04-30
domain	alliedhealthcaresolution.com	—	2025-04-30
domain	allorganichome.com	—	2025-04-30
domain	allorganicitems.com	—	2025-04-30
domain	allorginichomes.xyz	—	2025-04-30
domain	apppowerappsportals.top	—	2025-04-30
domain	auxin.co.in	—	2025-04-30
domain	aweitapp.com	—	2025-04-30
domain	baptihealth.com	—	2025-04-30
domain	bhlergroup.com	—	2025-04-30
domain	carpetcleaningmanitoba.ca	—	2025-04-30
domain	cchosting.co.za	—	2025-04-30
domain	claytoncontsruction.net	—	2025-04-30
domain	cnphys.com	—	2025-04-30
domain	coysem.com	—	2025-04-30
domain	desirenetwork.in	—	2025-04-30
domain	docsafybeifur2mabbggrihscauthenticnotes.online	—	2025-04-30
domain	docuinshare.top	—	2025-04-30
domain	dolh6growth.online	—	2025-04-30
domain	drgoelsdmd.com	—	2025-04-30
domain	drop-project.top	—	2025-04-30
domain	emailsay.com	—	2025-04-30
domain	emea-nec.com	—	2025-04-30
domain	erhakalip.com	—	2025-04-30
domain	eto1908.org	—	2025-04-30
domain	files42.com	—	2025-04-30
domain	florenceorganics.us	—	2025-04-30
domain	forcainvicta.com.br	—	2025-04-30
domain	funnelflex.co	—	2025-04-30
domain	glamorouslengths.ru	—	2025-04-30
domain	glamorouslengths.su	—	2025-04-30
domain	globalservicesqtr.com	—	2025-04-30
domain	greyscaleal.com	—	2025-04-30
domain	guardiansresearch.org	—	2025-04-30
domain	historischeverenigingmarum.online	—	2025-04-30
domain	intertrustsgroup.com	—	2025-04-30
domain	iziloyer.com	—	2025-04-30
domain	kagumigroup.id	—	2025-04-30
domain	leanstartupatelier.co	—	2025-04-30
domain	lovencareurology.in	—	2025-04-30
domain	matcocomponent.com	—	2025-04-30
domain	may-april.com	—	2025-04-30
domain	meliorahospital.com	—	2025-04-30
domain	metin2odisey.com	—	2025-04-30
domain	ms-consulting-dom.fr	—	2025-04-30
domain	mscserv.com	—	2025-04-30
domain	mysilverfox.com.my	—	2025-04-30
domain	nashnights.com	—	2025-04-30
domain	oempcworlds.org	—	2025-04-30
domain	ohconnects.org	—	2025-04-30
domain	omnirayoprah.cfd	—	2025-04-30
domain	organichoicehome.com	—	2025-04-30
domain	outsourcel.com.au	—	2025-04-30
domain	pipaltree.ngo	—	2025-04-30
domain	portalpowerfiles.top	—	2025-04-30
domain	portalpowerstorages.top	—	2025-04-30
domain	powa.co.zw	—	2025-04-30
domain	printserve.co.ke	—	2025-04-30
domain	profitminers.in	—	2025-04-30
domain	reintergestna.org	—	2025-04-30
domain	reliant-rehabs.com	—	2025-04-30
domain	rockandrevenue.com	—	2025-04-30
domain	rurrasqueamos.click	—	2025-04-30
domain	senangwasap.com	—	2025-04-30
domain	snatched-beautybar.com	—	2025-04-30
domain	sneakylog.store	—	2025-04-30
domain	stillmanconsulting.net	—	2025-04-30
domain	storageorder.sbs	—	2025-04-30
domain	sukrajclasses.com	—	2025-04-30
domain	sysarchirnc.com	—	2025-04-30
domain	tesla-apply-job.com	—	2025-04-30
domain	thewoodlandretreat.in	—	2025-04-30
domain	thumenectrics.es	—	2025-04-30
domain	tvsyndciate.com	—	2025-04-30
domain	unalkardesler.net	—	2025-04-30
domain	urbanumbrella.org	—	2025-04-30
domain	usfightingsystems.com	—	2025-04-30
domain	vlsbali.com	—	2025-04-30
domain	webitww.com	—	2025-04-30
domain	welcomehomeproject.org	—	2025-04-30
domain	windstreaim.com	—	2025-04-30
domain	wordtex.com	—	2025-04-30
domain	wwgle.com	—	2025-04-30
domain	yaharaho.com	—	2025-04-30
domain	yogatrapezepoint.com	—	2025-04-30
domain	yugaljeeautomotive.com	—	2025-04-30
domain	yushengusa.com	—	2025-04-30
hostname	hsrcxeeae.mypi.co	—	2025-04-30
hostname	loginoffice365commonauth00000365user1153196333.empreendendocomgrafica.com	—	2025-04-30
hostname	loginoffice365commonauth00000365user6867620079.empreendendocomgrafica.com	—	2025-04-30
hostname	o7t5dgbx-staging.dreamwp.com	—	2025-04-30
hostname	ol.advanceplastics-ke.com	—	2025-04-30
hostname	www.fabribat.com	—	2025-04-30
hostname	www.northernaid.org	—	2025-04-30
URL	https://highnationservices.com/n/	—	2025-04-30
URL	https://highnationservices.com/n/uswDOVS70y9sjyPwtLieCJdZiEUGhokxRUvY7JApYlFo35Sb9o66AvhK8oNrHPTgj9aaJDHItTWDnPOo3t4mz8Tfhf7GBem0YE1cqx8O13VoKuWIbN4knGg6fRrvMIZXRQ2xgdEFzj2mVBzwSbpe5c/validate	—	2025-04-30
FileHash-SHA256	5d91563b6acd54468ae282083cf9ee3d2c9b2daa45a8de9cb661c2195b9f6cbf	—	2025-04-30
FileHash-SHA256	8c4e78b1bc0a0923fccc0cd2d7ca06023b6ab15af079e6b19d7d5d2fddc5488d	—	2025-04-30
URL	http://128.0.0.0/	—	2025-04-30
URL	http://129.0.0.0/	—	2025-04-30
URL	http://185.125.100.81/api/key	—	2025-04-30
URL	http://193.36.38.116:5000/	—	2025-04-30
URL	https://b.leadbi.com/l/44e234ab-9118-47ed-a1a1-ca66f913c271.html?next=https://highnationservices.com/n/	—	2025-04-30
URL	https://kagumigroup.id/wp-content/plugins/well/auth/j9P8KGpfDZyoHplo5XdnHOw79OCkDYo2l7TQcrrnclSz2XGLzmtCghFJwIWR1AaW33Rk36Z0ymZc6DIgMy4EFqTsiiqAKEBIN5jiTbYAUk1BfG4uoVhetLa2XWebUSShQOFq7L8Mpx1vf4Pum0xBVx/verify	—	2025-04-30
URL	https://mysilverfox.com.my/00/	—	2025-04-30
URL	https://mysilverfox.com.my/00/7N0tV3XAh1yp4NFo9X6YsH3cOam6DYJhmMEXRky24mzGUuTE2RpwIIlI4olBypVCEYqiKFPDTAsRvKrS8bgiKBOZiPOUnxoCSHveA0zk5hcdjQ1UltSxdw7rdgZoo7HDWorfj9CzN8gc0q5PQ19nZe/index	—	2025-04-30
URL	https://sneakylog.store/api/key	—	2025-04-30
URL	https://trac-labs.com/wikikit-aitm-phishing-kit-where-links-tell-lies-abdea71ba094	—	2025-04-30
domain	highnationservices.com	—	2025-04-30
domain	trac-labs.com	—	2025-04-30
domain	w3ll.store	—	2025-04-30
hostname	b.leadbi.com	—	2025-04-30
hostname	office365.context.correlation.id	—	2025-04-30
domain	383520.xyz	—	2025-04-30
domain	478237832mains.com	—	2025-04-30
domain	aaeipsa.com	—	2025-04-30
domain	acctingreceivables.com	—	2025-04-30
domain	adasmckinleys.org	—	2025-04-30
domain	aliccom.com	—	2025-04-30
domain	andruszz.com	—	2025-04-30
domain	attlink.net	—	2025-04-30
domain	aviencez.com	—	2025-04-30
domain	bastadeinflacion.com	—	2025-04-30
domain	beehivedroned.org	—	2025-04-30
domain	bemadshop.net	—	2025-04-30
domain	bemadshop.org	—	2025-04-30
domain	biglpond.com	—	2025-04-30
domain	bobssrevices.com	—	2025-04-30
domain	buydentalbright.com	—	2025-04-30
domain	chadochki.ru	—	2025-04-30
domain	ct0s.cc	—	2025-04-30
domain	davidgeekideas.com	—	2025-04-30
domain	dillanddlil.com	—	2025-04-30
domain	dynalynk.org	—	2025-04-30
domain	dzokoreanbbq.com	—	2025-04-30
domain	enclaveon.com	—	2025-04-30
domain	enhancedz.org	—	2025-04-30
domain	excelfarmsincs.com	—	2025-04-30
domain	financialdocc.com	—	2025-04-30
domain	flexsjets.com	—	2025-04-30
domain	ganshuai.es	—	2025-04-30
domain	gehwha.com	—	2025-04-30
domain	gtcdistribution.com	—	2025-04-30
domain	harpurt.com	—	2025-04-30
domain	hazemaesauction.org	—	2025-04-30
domain	hesctonplum.org	—	2025-04-30
domain	hivedispenser.com	—	2025-04-30
domain	hmdepartments.com	—	2025-04-30
domain	imblager.ru	—	2025-04-30
domain	ip-ptr.tech	—	2025-04-30
domain	jeffcofirez.com	—	2025-04-30
domain	jirnhogg-cad.org	—	2025-04-30
domain	jlmoorenic.com	—	2025-04-30
domain	kemt.bike	—	2025-04-30
domain	krholdingcorp.com	—	2025-04-30
domain	kw0klaw.com	—	2025-04-30
domain	lentacfab.com	—	2025-04-30
domain	luminexcorps.com	—	2025-04-30
domain	marcianz.com	—	2025-04-30
domain	megamountains.com	—	2025-04-30
domain	mytraiscobremen.com	—	2025-04-30
domain	narohealthvalue.com	—	2025-04-30
domain	nashalliancez.com	—	2025-04-30
domain	newsportcomm.com	—	2025-04-30
domain	officecentrumsynot.com	—	2025-04-30
domain	offv2upgrade-associates.online	—	2025-04-30
domain	ovalwox.com	—	2025-04-30
domain	panasiancorps.net	—	2025-04-30
domain	pinewoodgolfmnz.com	—	2025-04-30
domain	pressureworth.org	—	2025-04-30
domain	pronkoenterprise.com	—	2025-04-30
domain	ptfjanesvilles.org	—	2025-04-30
domain	puxa-sporting.com	—	2025-04-30
domain	rautitan.ru	—	2025-04-30
domain	renaissancemantenance.com	—	2025-04-30
domain	rhenus.team	—	2025-04-30
domain	ruesswe.org	—	2025-04-30
domain	sharingviewtrakr.world	—	2025-04-30
domain	shuabins.com	—	2025-04-30
domain	signregyinc.com	—	2025-04-30
domain	spsursfaces.com	—	2025-04-30
domain	stationshouston.com	—	2025-04-30
domain	surajufirm.org	—	2025-04-30
domain	theparadeofhomes.com	—	2025-04-30
domain	therenoviz.org	—	2025-04-30
domain	toitoiiusa.com	—	2025-04-30
domain	topseotraineez.com	—	2025-04-30
domain	trmrooflng.com	—	2025-04-30
domain	usiness.online	—	2025-04-30
domain	vectorizier.com	—	2025-04-30
hostname	sss.hs.vc	—	2025-04-30
hostname	rnail365.it.com	—	2025-04-30
hostname	test.businesssurveyor.sbs	—	2025-04-30

References (6)

↗ https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/ ↗ https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa ↗ https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit ↗ https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/ ↗ https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/ ↗ https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365