{
  "type": "Domain",
  "indicator": "apremis.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/apremis.com",
    "alexa": "http://www.alexa.com/siteinfo/apremis.com",
    "indicator": "apremis.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4024977198,
      "indicator": "apremis.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "677fdd336157f9f05802d4a2",
          "name": "Mamba 2FA PhaaS",
          "description": "Mamba 2FA is an adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS), discovered by Sekoia's Threat Detection & Research (TDR) team in late May 2024. Mamba 2FA mimics Microsoft 365 login pages and uses HTML attachments to trick users into entering their credentials. Once the credentials are captured, the attackers bypass two-factor authentication (2FA) and gain access to the victim's accounts.\n\nLike other similar PhaaS platforms, it uses proxy relays to conduct AiTM phishing attacks, allowing the threat actors to access one-time passcodes and authentication cookies. The AiTM mechanism uses the Socket.IO JavaScript library to communicate between the phishing page and relay servers, which then communicate with Microsoft's servers using the stolen data.\n\nCaptured credentials and cookies are transmitted to the attacker through a Telegram bot, enabling them to initiate a session immediately.\n\nMamba 2FA also features sandbox detection, redirecting users to Google 404 webpages when under analysis.",
          "modified": "2025-02-28T14:42:33.285000",
          "created": "2025-01-09T14:29:07.486000",
          "tags": [
            "mamba",
            "microsoft",
            "entra id",
            "cve202450623",
            "cve202455956",
            "mamba2fa",
            "M365",
            "Microsoft 365",
            "O365",
            "Office 365",
            "phishing",
            "AiTM",
            "PhaaS",
            "sandbox detection",
            "redirect",
            "socket.io",
            "javascript",
            "iproyal",
            "proxy"
          ],
          "references": [
            "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/",
            "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa",
            "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i",
            "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/",
            "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player",
            "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/"
          ],
          "public": 1,
          "adversary": "Mamba 2FA",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mamba 2FA",
              "display_name": "Mamba 2FA",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "v0od0o.exe",
            "id": "273579",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 57,
            "CVE": 2,
            "email": 3,
            "hostname": 1
          },
          "indicator_count": 63,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 27,
          "modified_text": "459 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player",
        "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/",
        "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa",
        "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/",
        "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/",
        "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Mamba 2FA"
          ],
          "malware_families": [
            "Mamba 2fa"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "677fdd336157f9f05802d4a2",
      "name": "Mamba 2FA PhaaS",
      "description": "Mamba 2FA is an adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS), discovered by Sekoia's Threat Detection & Research (TDR) team in late May 2024. Mamba 2FA mimics Microsoft 365 login pages and uses HTML attachments to trick users into entering their credentials. Once the credentials are captured, the attackers bypass two-factor authentication (2FA) and gain access to the victim's accounts.\n\nLike other similar PhaaS platforms, it uses proxy relays to conduct AiTM phishing attacks, allowing the threat actors to access one-time passcodes and authentication cookies. The AiTM mechanism uses the Socket.IO JavaScript library to communicate between the phishing page and relay servers, which then communicate with Microsoft's servers using the stolen data.\n\nCaptured credentials and cookies are transmitted to the attacker through a Telegram bot, enabling them to initiate a session immediately.\n\nMamba 2FA also features sandbox detection, redirecting users to Google 404 webpages when under analysis.",
      "modified": "2025-02-28T14:42:33.285000",
      "created": "2025-01-09T14:29:07.486000",
      "tags": [
        "mamba",
        "microsoft",
        "entra id",
        "cve202450623",
        "cve202455956",
        "mamba2fa",
        "M365",
        "Microsoft 365",
        "O365",
        "Office 365",
        "phishing",
        "AiTM",
        "PhaaS",
        "sandbox detection",
        "redirect",
        "socket.io",
        "javascript",
        "iproyal",
        "proxy"
      ],
      "references": [
        "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/",
        "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa",
        "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i",
        "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/",
        "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player",
        "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/"
      ],
      "public": 1,
      "adversary": "Mamba 2FA",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mamba 2FA",
          "display_name": "Mamba 2FA",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "v0od0o.exe",
        "id": "273579",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 57,
        "CVE": 2,
        "email": 3,
        "hostname": 1
      },
      "indicator_count": 63,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 27,
      "modified_text": "459 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "apremis.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "apremis.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780454545.4995482
}