PULSE NAME: Sneaky 2FA AiTM PhaaS
WHITE Sneaky 2FA v0od0o.exe 2025-04-30 Modified: 2025-05-30
193 IOCs, HIGH VOLUME
Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.
Indicators of Compromise (2 / 193 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 | 5d91563b6acd54468ae282083cf9ee3d2c9b2daa45a8de9cb661c2195b9f6cbf | | 2025-04-30
FileHash-SHA256 | 8c4e78b1bc0a0923fccc0cd2d7ca06023b6ab15af079e6b19d7d5d2fddc5488d | | 2025-04-30