Pulse Detail — Threat Intelligence

PULSE NAME

Sneaky2FA

WHITE Sneaky Log KorporateKevin 2026-05-27 Modified: 2026-05-27

115

IOCs

HIGH VOLUME

Sneaky2FA is an adversary-in-the-middle (AiTM) phishing-as-a-service (PhaaS) kit targeting Microsoft 365 accounts, first detailed by Sekoia in January 2025 and active since at least October 2024. Operated by the "Sneaky Log" group and sold via a Telegram bot for around $200/month, it proxies authentication in real time to steal credentials and session cookies, bypassing MFA. Pages are typically hosted on compromised WordPress sites, pre-populate the victim's email, and use blurred Microsoft screenshots as backgrounds. Evasion includes Cloudflare Turnstile, CAPTCHA, IP filtering, and redirects of sandbox/analyst traffic to benign sites, plus heavy code obfuscation and rapid domain rotation. As of November 2025, the kit added Browser-in-the-Browser (BitB) pop-ups that spoof the Microsoft login window and address bar.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1566.002 T1557 T1539 T1550.004 T1606.001 T1078.004 T1027 T1497 T1583.001 T1584.006

MALWARE FAMILIES

Sneaky2FA Sneaky 2FA

Indicators of Compromise (115)

All domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	apppowerappsportals.top	—	2026-05-27
domain	lovencareurology.in	—	2026-05-27
domain	allorginichomes.xyz	—	2026-05-27
domain	baptihealth.com	—	2026-05-27
domain	africanagrirnarket.com	—	2026-05-27
domain	alliedhealthcaresolution.com	—	2026-05-27
domain	florenceorganics.us	—	2026-05-27
domain	auxin.co.in	—	2026-05-27
domain	profitminers.in	—	2026-05-27
domain	metin2odisey.com	—	2026-05-27
domain	northernaid.org	—	2026-05-27
domain	yaharaho.com	—	2026-05-27
domain	thewoodlandretreat.in	—	2026-05-27
domain	meliorahospital.com	—	2026-05-27
domain	desirenetwork.in	—	2026-05-27
domain	erhakalip.com	—	2026-05-27
domain	iziloyer.com	—	2026-05-27
domain	printserve.co.ke	—	2026-05-27
domain	rockandrevenue.com	—	2026-05-27
domain	fabribat.com	—	2026-05-27
domain	unalkardesler.net	—	2026-05-27
domain	docsafybeifur2mabbggrihscauthenticnotes.online	—	2026-05-27
hostname	hsrcxeeae.mypi.co	—	2026-05-27
domain	africanagrirnarket.com	—	2026-05-27
domain	alliedhealthcaresolution.com	—	2026-05-27
domain	allorganichome.com	—	2026-05-27
domain	allorganicitems.com	—	2026-05-27
domain	allorginichomes.xyz	—	2026-05-27
domain	apppowerappsportals.top	—	2026-05-27
domain	auxin.co.in	—	2026-05-27
domain	aweitapp.com	—	2026-05-27
domain	baptihealth.com	—	2026-05-27
domain	bhlergroup.com	—	2026-05-27
domain	carpetcleaningmanitoba.ca	—	2026-05-27
domain	cchosting.co.za	—	2026-05-27
domain	claytoncontsruction.net	—	2026-05-27
domain	cnphys.com	—	2026-05-27
domain	coysem.com	—	2026-05-27
domain	desirenetwork.in	—	2026-05-27
domain	docsafybeifur2mabbggrihscauthenticnotes.online	—	2026-05-27
domain	docuinshare.top	—	2026-05-27
domain	dolh6growth.online	—	2026-05-27
domain	drgoelsdmd.com	—	2026-05-27
domain	drop-project.top	—	2026-05-27
domain	emailsay.com	—	2026-05-27
domain	emea-nec.com	—	2026-05-27
domain	erhakalip.com	—	2026-05-27
domain	eto1908.org	—	2026-05-27
domain	files42.com	—	2026-05-27
domain	florenceorganics.us	—	2026-05-27
domain	forcainvicta.com.br	—	2026-05-27
domain	funnelflex.co	—	2026-05-27
domain	glamorouslengths.ru	—	2026-05-27
domain	glamorouslengths.su	—	2026-05-27
domain	globalservicesqtr.com	—	2026-05-27
domain	greyscaleal.com	—	2026-05-27
domain	guardiansresearch.org	—	2026-05-27
domain	historischeverenigingmarum.online	—	2026-05-27
domain	intertrustsgroup.com	—	2026-05-27
domain	iziloyer.com	—	2026-05-27
domain	kagumigroup.id	—	2026-05-27
domain	leanstartupatelier.co	—	2026-05-27
domain	lovencareurology.in	—	2026-05-27
domain	matcocomponent.com	—	2026-05-27
domain	may-april.com	—	2026-05-27
domain	meliorahospital.com	—	2026-05-27
domain	metin2odisey.com	—	2026-05-27
domain	ms-consulting-dom.fr	—	2026-05-27
domain	mscserv.com	—	2026-05-27
domain	mysilverfox.com.my	—	2026-05-27
domain	nashnights.com	—	2026-05-27
domain	oempcworlds.org	—	2026-05-27
domain	ohconnects.org	—	2026-05-27
domain	omnirayoprah.cfd	—	2026-05-27
domain	organichoicehome.com	—	2026-05-27
domain	outsourcel.com.au	—	2026-05-27
domain	pipaltree.ngo	—	2026-05-27
domain	portalpowerfiles.top	—	2026-05-27
domain	portalpowerstorages.top	—	2026-05-27
domain	powa.co.zw	—	2026-05-27
domain	printserve.co.ke	—	2026-05-27
domain	profitminers.in	—	2026-05-27
domain	reintergestna.org	—	2026-05-27
domain	reliant-rehabs.com	—	2026-05-27
domain	rockandrevenue.com	—	2026-05-27
domain	rurrasqueamos.click	—	2026-05-27
domain	senangwasap.com	—	2026-05-27
domain	snatched-beautybar.com	—	2026-05-27
domain	stillmanconsulting.net	—	2026-05-27
domain	storageorder.sbs	—	2026-05-27
domain	sukrajclasses.com	—	2026-05-27
domain	sysarchirnc.com	—	2026-05-27
domain	thewoodlandretreat.in	—	2026-05-27
domain	thumenectrics.es	—	2026-05-27
domain	tvsyndciate.com	—	2026-05-27
domain	unalkardesler.net	—	2026-05-27
domain	urbanumbrella.org	—	2026-05-27
domain	usfightingsystems.com	—	2026-05-27
domain	vlsbali.com	—	2026-05-27
domain	webitww.com	—	2026-05-27
domain	welcomehomeproject.org	—	2026-05-27
domain	windstreaim.com	—	2026-05-27
domain	wordtex.com	—	2026-05-27
domain	wwgle.com	—	2026-05-27
domain	yaharaho.com	—	2026-05-27
domain	yogatrapezepoint.com	—	2026-05-27
domain	yugaljeeautomotive.com	—	2026-05-27
domain	yushengusa.com	—	2026-05-27
hostname	hsrcxeeae.mypi.co	—	2026-05-27
hostname	loginoffice365commonauth00000365user1153196333.empreendendocomgrafica.com	—	2026-05-27
hostname	loginoffice365commonauth00000365user6867620079.empreendendocomgrafica.com	—	2026-05-27
hostname	o7t5dgbx-staging.dreamwp.com	—	2026-05-27
hostname	ol.advanceplastics-ke.com	—	2026-05-27
hostname	www.fabribat.com	—	2026-05-27
hostname	www.northernaid.org	—	2026-05-27

References (1)

↗ https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/