Title: Fresh Alert for Microsoft Users: Outsmarting 2FA with Deceptive Tactics
There's no escaping the looming threat of phishing, with users of platforms like WhatsApp, PayPal, Gmail, and Outlook receiving warnings. Even the addition of two-factor authentication (2FA) hasn't deterred attackers, who now have a new trick up their sleeve. Recent research by French security experts has highlighted an adversary-in-the-middle (AitM) attack targeting Microsoft 365 accounts that steals credentials and bypasses 2FA protections.
The Dangerous Sneaky 2FA Attack
A cybercrime group named Sneaky Log has been selling a 2FA-bypassing phishing-as-a-service kit, Sneaky 2FA, since the end of 2021. Security firm Sekoia has detailed how this kit, operated via a Telegram bot service, targets Microsoft 365 account holders.
The service offers licensed, obfuscated versions of the kit's source code, which customers deploy on their own infrastructure. The kit costs $200 a month, and Sneaky Log offers reduced prices for longer subscriptions. Like other AitM phishing kits, Sneaky 2FA harvests Microsoft 365 session cookies after the victim completes authentication; replaying those cookies in subsequent attacks bypasses 2FA, because to Microsoft the access looks like an already-authenticated session.
Elad Luz, head of research at Oasis Security, pointed out that attackers have used “blurred out screenshots of Microsoft webpages to create a convincing login background,” which makes it appear as if users will access legitimate content after a successful login.
Stephen Kowski, FCTO at SlashNext Email Security+, further explained that the kit has sophisticated features, including the ability to auto-populate victim email addresses, to evade detection by placing Cloudflare Turnstile challenges in front of the phishing page, and to redirect security tools to Wikipedia pages.
As of this writing, Microsoft has not provided a statement.
Defending Against 2FA Bypass Attacks
Even though this 2FA attack focuses on Microsoft 365 users, the threat isn't exclusive to Microsoft. Because phishing is the delivery mechanism in these attacks, the defense strategy needs to focus on combating phishing itself. This fascinating article explores ways to mitigate phishing attacks.
Enrichment Data:
The Sneaky 2FA phishing kit employs several advanced techniques to evade detection:
- Autograb Functionality: By incorporating the victim’s email address in phishing URLs, the fake Microsoft login page appears more credible. Additionally, the email address is auto-filled into the form, increasing the chance of successful phishing attempts.[1][4]
- Session Hijacking: The kit captures session cookies once the user completes the 2FA process. These cookies are then used to gain unauthorized access to the user's account, bypassing 2FA protection.[1][4]
- Anti-Bot and Anti-Analysis Measures: The kit uses traffic filtering and Cloudflare Turnstile challenges so that only intended human victims, rather than scanners and security crawlers, reach the phishing pages. Additionally, the kit carries out checks to resist analysis with web browser developer tools, making it harder to identify phishing activity.[1][4]
- Phishing-as-a-Service (PhaaS) Distribution: The Sneaky Log Telegram bot provides a cost-effective way for cybercriminals to deploy the phishing kit independently, making it accessible to a wide range of bad actors.[1][4][5]
By employing these techniques, the Sneaky 2FA phishing kit effectively bypasses 2FA mechanisms in Microsoft 365 accounts, enabling attackers to steal credentials and gain unauthorized access.
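The session-hijacking step above leaves a trace a defender can look for: a session cookie minted after an MFA completion is later presented from an address the victim never used. The following is an added example, not code from the article or from Sekoia's report; the event records and their field names are constructed to stand in for cloud identity sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Field names are an
# assumption, loosely modelled on cloud identity sign-in logs.
SAMPLE_EVENTS = [
    # Alice completes MFA from the office address, then keeps working there.
    {"ts": "2025-01-20T09:00:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": "2025-01-20T09:05:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "203.0.113.10", "mfa": False},
    # The same session cookie is presented minutes later from an unrelated
    # address: the pattern left when harvested cookies are replayed.
    {"ts": "2025-01-20T09:12:00", "user": "alice@example.com", "session": "s-1001",
     "ip": "198.51.100.77", "mfa": False},
    # Bob's session stays on one address, so nothing should be flagged.
    {"ts": "2025-01-20T10:00:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "203.0.113.20", "mfa": True},
    {"ts": "2025-01-20T10:30:00", "user": "bob@example.com", "session": "s-2002",
     "ip": "203.0.113.20", "mfa": False},
]


def find_replayed_sessions(events, window=timedelta(hours=24)):
    """Return alerts for sessions whose cookie is presented from an IP other
    than the one that completed MFA, within `window` of the MFA event."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[e["session"]].append(e)

    alerts = []
    for sid, evs in by_session.items():
        # The first MFA-completing event defines where the session was born.
        origin = next(((e["ip"], datetime.fromisoformat(e["ts"]))
                       for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # no MFA seen for this session; out of scope here
        origin_ip, origin_ts = origin
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if e["ip"] != origin_ip and origin_ts <= ts <= origin_ts + window:
                alerts.append({"session": sid, "user": e["user"], "mfa_ip": origin_ip,
                               "replay_ip": e["ip"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print(alert)
```

A bare IP change produces false positives for mobile and VPN users; comparing ASN or geolocation instead, and correlating with follow-on actions such as new inbox rules, gives a stronger signal.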