{ "type": "Domain", "indicator": "attlink.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/attlink.net", "alexa": "http://www.alexa.com/siteinfo/attlink.net", "indicator": "attlink.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4064341146, "indicator": "attlink.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "68122b6f06cbb5f973985fa8", "name": "Sneaky 2FA AiTM PhaaS", "description": "Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.", "modified": "2025-05-30T13:03:20.512000", "created": "2025-04-30T13:53:51.809000", "tags": [ "Sneaky2FA", "AiTM", "PhaaS", "Sneaky Log", "Telegram", "ReCaptcha", "M365", "Microsoft", "Microsoft 365", "Turnstile", "websocket", "obfuscated-js", "wikikit", "javascript", "Cloudflare", "AWS", "autograb" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365" ], "public": 1, "adversary": "Sneaky 2FA", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 167, "hostname": 12, "URL": 12, "FileHash-SHA256": 2 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Sneaky 2FA" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "68122b6f06cbb5f973985fa8", "name": "Sneaky 2FA AiTM PhaaS", "description": "Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.", "modified": "2025-05-30T13:03:20.512000", "created": "2025-04-30T13:53:51.809000", "tags": [ "Sneaky2FA", "AiTM", "PhaaS", "Sneaky Log", "Telegram", "ReCaptcha", "M365", "Microsoft", "Microsoft 365", "Turnstile", "websocket", "obfuscated-js", "wikikit", "javascript", "Cloudflare", "AWS", "autograb" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365" ], "public": 1, "adversary": "Sneaky 2FA", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 167, "hostname": 12, "URL": 12, "FileHash-SHA256": 2 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "attlink.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "attlink.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780219155.1271138 }