{ "type": "Domain", "indicator": "fourthmanservice.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/fourthmanservice.com", "alexa": "http://www.alexa.com/siteinfo/fourthmanservice.com", "indicator": "fourthmanservice.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3815229482, "indicator": "fourthmanservice.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "67043ed32987b7679a2bacd8", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem", "description": "Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various authentication systems, and dynamically reflecting organization branding. The kit uses a two-layer infrastructure consisting of link domains and relay servers, leveraging the Socket.IO protocol for communication. Mamba 2FA has been active since at least November 2023 and is commercialized through Telegram. The phishing pages mimic Microsoft 365 services and use sophisticated techniques to evade detection, including HTML attachments with obfuscated content.", "modified": "2024-11-06T20:03:37.593000", "created": "2024-10-07T20:04:35.808000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 386913, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677fdd336157f9f05802d4a2", "name": "Mamba 2FA PhaaS", "description": "Mamba 2FA is an adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS) discovered by Sekoia's Threat Detection & Research (TDR) team in late May 2024. Mamba 2FA mimics Microsoft 365 login pages and uses HTML attachments to trick users into entering their credentials. Once captured, the attackers bypass two-factor authentication (2FA) and gain access to the victim's accounts.\n\nLike other similar PhaaS platforms, it uses proxy relays to conduct AiTM phishing attacks, allowing the threat actors to access one-time passcodes and authentication cookies. The AiTM mechanism uses the Socket.IO JavaScript library to communicate between the phishing page and relay servers, which then communicate with Microsoft's servers using the stolen data.\n\nCaptured credentials and cookies are transmitted to the attacker through a Telegram bot, enabling them to initiate a session immediately.\n\nMamba 2FA also features sandbox detection, redirecting users to Google 404 webpages when under analysis.", "modified": "2025-02-28T14:42:33.285000", "created": "2025-01-09T14:29:07.486000", "tags": [ "mamba", "microsoft", "entra id", "cve202450623", "cve202455956", "mamba2fa", "M365", "Microsoft 365", "O365", "Office 365", "phishing", "AiTM", "PhaaS", "sandbox detection", "redirect", "socket.io", "javascript", "iproyal", "proxy" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/", "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa", "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i", "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/", "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player", "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/" ], "public": 1, "adversary": "Mamba 2FA", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 57, "CVE": 2, "email": 3, "hostname": 1 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670cd1a1a1fdf2f442bac853", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem - ClaraSOC", "description": "", "modified": "2024-11-22T14:50:02.654000", "created": "2024-10-14T08:09:05.123000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": "6708ae317f72c6ebf9fb154c", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Claranet-MDR", "id": "85008", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "557 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670649eda1f21876adbe7948", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem - Sekoia.io Blog", "description": "A look at the Mamba 2FA phishing kit, developed by security firm Sekoia, which was sold as a service by the end of June 2024 and used to target customers' Entra ID accounts.", "modified": "2024-11-08T09:02:06.888000", "created": "2024-10-09T09:16:29.809000", "tags": [ "mamba", "october", "html", "script", "microsoft", "entra id", "urls", "telegram", "november", "body", "june", "tycoon", "screen", "template", "green" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 43, "email": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67050cfaf4a383321bb37ad5", "name": "Mamba 2FA Phishing Kit Bypasses Security Provided by Multi-Factor Authentication", "description": "", "modified": "2024-11-07T10:01:55.660000", "created": "2024-10-08T10:44:10.610000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 43 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 502, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6708ae317f72c6ebf9fb154c", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem", "description": "", "modified": "2024-11-06T20:03:37.593000", "created": "2024-10-11T04:48:49.780000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": "67043ed32987b7679a2bacd8", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa", "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i", "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player", "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/", "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/", "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Mamba 2fa" ], "industries": [] }, "other": { "adversary": [ "Mamba 2FA" ], "malware_families": [ "Mamba 2fa" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "67043ed32987b7679a2bacd8", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem", "description": "Mamba 2FA is a newly discovered adversary-in-the-middle (AiTM) phishing kit being sold as phishing-as-a-service (PhaaS). It features capabilities similar to other popular AiTM phishing services, including handling two-step verifications for non-phishing-resistant MFA methods, supporting various authentication systems, and dynamically reflecting organization branding. The kit uses a two-layer infrastructure consisting of link domains and relay servers, leveraging the Socket.IO protocol for communication. Mamba 2FA has been active since at least November 2023 and is commercialized through Telegram. The phishing pages mimic Microsoft 365 services and use sophisticated techniques to evade detection, including HTML attachments with obfuscated content.", "modified": "2024-11-06T20:03:37.593000", "created": "2024-10-07T20:04:35.808000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 386913, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677fdd336157f9f05802d4a2", "name": "Mamba 2FA PhaaS", "description": "Mamba 2FA is an adversary-in-the-middle (AiTM) phishing kit sold as phishing-as-a-service (PhaaS) discovered by Sekoia's Threat Detection & Research (TDR) team in late May 2024. Mamba 2FA mimics Microsoft 365 login pages and uses HTML attachments to trick users into entering their credentials. Once captured, the attackers bypass two-factor authentication (2FA) and gain access to the victim's accounts.\n\nLike other similar PhaaS platforms, it uses proxy relays to conduct AiTM phishing attacks, allowing the threat actors to access one-time passcodes and authentication cookies. The AiTM mechanism uses the Socket.IO JavaScript library to communicate between the phishing page and relay servers, which then communicate with Microsoft's servers using the stolen data.\n\nCaptured credentials and cookies are transmitted to the attacker through a Telegram bot, enabling them to initiate a session immediately.\n\nMamba 2FA also features sandbox detection, redirecting users to Google 404 webpages when under analysis.", "modified": "2025-02-28T14:42:33.285000", "created": "2025-01-09T14:29:07.486000", "tags": [ "mamba", "microsoft", "entra id", "cve202450623", "cve202455956", "mamba2fa", "M365", "Microsoft 365", "O365", "Office 365", "phishing", "AiTM", "PhaaS", "sandbox detection", "redirect", "socket.io", "javascript", "iproyal", "proxy" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/", "https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa", "https://www.kqlsearch.com/query/Detecting%20Mamba%202fa%20Phishing-as-a-service&cm20830iz01o2mc0py6yvsi2i", "https://www.obsidiansecurity.com/blog/mamba-2fa-phishing-kit-why-email-protection-is-not-enough/", "https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player", "https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/" ], "public": 1, "adversary": "Mamba 2FA", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 57, "CVE": 2, "email": 3, "hostname": 1 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "459 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670cd1a1a1fdf2f442bac853", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem - ClaraSOC", "description": "", "modified": "2024-11-22T14:50:02.654000", "created": "2024-10-14T08:09:05.123000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": "6708ae317f72c6ebf9fb154c", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Claranet-MDR", "id": "85008", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "557 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670649eda1f21876adbe7948", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem - Sekoia.io Blog", "description": "A look at the Mamba 2FA phishing kit, developed by security firm Sekoia, which was sold as a service by the end of June 2024 and used to target customers' Entra ID accounts.", "modified": "2024-11-08T09:02:06.888000", "created": "2024-10-09T09:16:29.809000", "tags": [ "mamba", "october", "html", "script", "microsoft", "entra id", "urls", "telegram", "november", "body", "june", "tycoon", "screen", "template", "green" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 43, "email": 2 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 865, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67050cfaf4a383321bb37ad5", "name": "Mamba 2FA Phishing Kit Bypasses Security Provided by Multi-Factor Authentication", "description": "", "modified": "2024-11-07T10:01:55.660000", "created": "2024-10-08T10:44:10.610000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 43 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 502, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6708ae317f72c6ebf9fb154c", "name": "Mamba 2FA: A new contender in the AiTM phishing ecosystem", "description": "", "modified": "2024-11-06T20:03:37.593000", "created": "2024-10-11T04:48:49.780000", "tags": [ "aitm", "evasion techniques", "phishing", "socket.io", "microsoft 365", "multi-factor authentication", "phaas", "mamba 2fa" ], "references": [ "https://blog.sekoia.io/mamba-2fa-a-new-contender-in-the-aitm-phishing-ecosystem/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mamba 2FA", "display_name": "Mamba 2FA", "target": null } ], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" } ], "industries": [], "TLP": "white", "cloned_from": "67043ed32987b7679a2bacd8", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 43 }, "indicator_count": 43, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "572 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "fourthmanservice.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "fourthmanservice.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780415551.2233067 }