{ "type": "URL", "indicator": "https://sneakylog.store/api/key", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://sneakylog.store/api/key", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4028151797, "indicator": "https://sneakylog.store/api/key", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68122b6f06cbb5f973985fa8", "name": "Sneaky 2FA AiTM PhaaS", "description": "Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.", "modified": "2025-05-30T13:03:20.512000", "created": "2025-04-30T13:53:51.809000", "tags": [ "Sneaky2FA", "AiTM", "PhaaS", "Sneaky Log", "Telegram", "ReCaptcha", "M365", "Microsoft", "Microsoft 365", "Turnstile", "websocket", "obfuscated-js", "wikikit", "javascript", "Cloudflare", "AWS", "autograb" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365" ], "public": 1, "adversary": "Sneaky 2FA", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 167, "hostname": 12, "URL": 12, "FileHash-SHA256": 2 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "678c077fa0e21615b2fc3087", "name": "Sneaky 2FA Phishing Kit Targeting Microsoft 365 Accounts", "description": "Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes. French cybersecurity firm Sekoia identified the kit, active since October 2024, and discovered nearly 100 domains hosting related phishing pages.\n\nThe phishing kit includes references to W3LL Store, a known phishing syndicate behind the W3LL Panel, raising suspicions that Sneaky 2FA is based on similar technology. Some domains linked to Sneaky 2FA were previously tied to older AitM kits like Evilginx2 and Greatness, indicating a shift among cybercriminals to the newer service.\n\nCampaigns leveraging Sneaky 2FA use QR codes embedded in fake payment receipt emails to lure victims. These codes redirect users to phishing pages to harvest credentials and bypass 2FA protections.", "modified": "2025-02-17T19:00:21.114000", "created": "2025-01-18T19:56:47.092000", "tags": [ "sneaky", "sneaky log", "microsoft", "december", "telegram", "aitm", "w3ll ov6", "sekoia", "html code", "khtml", "example", "win64", "june", "mamba", "antibot", "verify", "virustotal", "sharepoint", "tycoon", "bitcoin", "tron", "ov6", "plugx" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OV6", "display_name": "OV6", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 2, "domain": 89, "hostname": 9 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Sneaky 2FA" ], "malware_families": [ "Ov6", "Plugx" ], "industries": [], "unique_indicators": 222 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sneakylog.store", "whois": "http://whois.domaintools.com/sneakylog.store", "domain": "sneakylog.store", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68122b6f06cbb5f973985fa8", "name": "Sneaky 2FA AiTM PhaaS", "description": "Sneaky 2FA is an emerging Adversary-in-The-Middle phishing kit distributed through the Phishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during subsequent authentication. Sneaky 2FA is sold, advertised and operated on Telegram by the Sneaky Log Phishing-as-a-Service. As of December 2024, Sneaky 2FA has seen moderate adoption by threat actors, as evidenced by approximately one hundred domain names hosting Sneaky 2FA phishing pages and some ongoing campaigns distributing them.", "modified": "2025-05-30T13:03:20.512000", "created": "2025-04-30T13:53:51.809000", "tags": [ "Sneaky2FA", "AiTM", "PhaaS", "Sneaky Log", "Telegram", "ReCaptcha", "M365", "Microsoft", "Microsoft 365", "Turnstile", "websocket", "obfuscated-js", "wikikit", "javascript", "Cloudflare", "AWS", "autograb" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/", "https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa", "https://github.com/TheRavenFile/Daily-Hunt/blob/main/Sneaky%202FA%20Phishing%20Kit", "https://hackread.com/telegram-sneaky-2fa-phishing-kit-microsoft-365-accounts/", "https://phishingtackle.com/articles/sneaky-2fa-bypass-new-phishing-kits-targeting-microsoft-365/", "https://www.beyondidentity.com/resource/sneaky-2fa-dangerous-new-threat-targeting-microsoft-365" ], "public": 1, "adversary": "Sneaky 2FA", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1534", "name": "Internal Spearphishing", "display_name": "T1534 - Internal Spearphishing" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "v0od0o.exe", "id": "273579", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 167, "hostname": 12, "URL": 12, "FileHash-SHA256": 2 }, "indicator_count": 193, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "678c077fa0e21615b2fc3087", "name": "Sneaky 2FA Phishing Kit Targeting Microsoft 365 Accounts", "description": "Cybersecurity researchers have uncovered a new Adversary-in-the-Middle (AitM) phishing kit named Sneaky 2FA, designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes. French cybersecurity firm Sekoia identified the kit, active since October 2024, and discovered nearly 100 domains hosting related phishing pages.\n\nThe phishing kit includes references to W3LL Store, a known phishing syndicate behind the W3LL Panel, raising suspicions that Sneaky 2FA is based on similar technology. Some domains linked to Sneaky 2FA were previously tied to older AitM kits like Evilginx2 and Greatness, indicating a shift among cybercriminals to the newer service.\n\nCampaigns leveraging Sneaky 2FA use QR codes embedded in fake payment receipt emails to lure victims. These codes redirect users to phishing pages to harvest credentials and bypass 2FA protections.", "modified": "2025-02-17T19:00:21.114000", "created": "2025-01-18T19:56:47.092000", "tags": [ "sneaky", "sneaky log", "microsoft", "december", "telegram", "aitm", "w3ll ov6", "sekoia", "html code", "khtml", "example", "win64", "june", "mamba", "antibot", "verify", "virustotal", "sharepoint", "tycoon", "bitcoin", "tron", "ov6", "plugx" ], "references": [ "https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "OV6", "display_name": "OV6", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-SHA256": 2, "domain": 89, "hostname": 9 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://sneakylog.store/api/key", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://sneakylog.store/api/key", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780210901.2419548 }