
Title: Unmasking the Deceptive 2FA Bypass Attack: Protect Yourself Now

Two-factor authentication, or 2FA, is a digital security measure that adds an extra layer of protection to your online accounts. It works by requiring you to provide two forms of identification before you can access your account.


Update, Jan. 21, 2025: This story now includes expert insights on mitigating 2FA attack implications.

The cyber threat landscape keeps evolving, and now, pay attention to the latest warning for WhatsApp, PayPal, Gmail, and Outlook users. After the rumblings about 2FA bypass hacks, French security researchers have exposed another threat – an adversary-in-the-middle attack targeting Microsoft 365 accounts. This attack steals credentials and bypasses 2FA protections in a sneaky way.

The Stealthy 2FA Attack Warning

A cybercrime group named Sneaky Log has sold a 2FA-bypassing phishing-as-a-service kit called Sneaky 2FA since last year. Researchers from the French cybersecurity company Sekoia have published a new report, warning about this kit that operates via a bot service on Telegram.

"Customers receive access to an obfuscated version of the source code and deploy it independently," Sekoia researchers Quentin Bourgue and Grégoire Clermont said. "Sneaky 2FA's phishing pages are hosted on compromised infrastructure, often involving WordPress websites and other controlled domains."

The Sneaky Log team offers this service for $200 a month, with reduced prices based on subscription length. The kit gathers Microsoft 365 session cookies to bypass 2FA during subsequent attacks, making the authentication appear legitimate.

Threat actors even blur out screenshots of Microsoft webpages to use as a convincing login background, so the user believes they are reaching legitimate content after signing in. The kit also employs common human-versus-bot checks: bots are served harmless content or redirected to legitimate websites such as Wikipedia, which helps the phishing pages evade automated detection systems.

A Similar FlowerStorm Attack Targets Microsoft Users

Apart from Sneaky Log, another 2FA bypass attack has been targeting Microsoft users. Dubbed FlowerStorm, it's a phishing-as-a-service exploit kit that uses HTTP POST requests to steal login credentials and 2FA tokens via adversary-controlled backend servers.

The attacker methodology resembles Rockstar 2FA, and researchers believe the two could be connected in terms of development. While Rockstar 2FA phishing pages ceased operation following a technical error, FlowerStorm continues to surge.

The attack utilizes Telegram for delivering phishing campaigns with a focus on North American and European organizations, with the United States being the primary attack location. While targeting victims, it re-routes them to credential-stealing sites using unique URLs.

Mitigating 2FA Bypass Attacks: A Security Expert Perspective

The threat is real, and organizations must take action to protect themselves and their users. According to Patrick Tiquet, Vice President of Security and Architecture at Keeper Security, organizations can do the following:

  1. Implement Privileged Access Management (PAM) to restrict access and contain potential damage from compromised accounts.
  2. Pair PAM with robust password management to ensure credentials are strong, unique, and securely stored.
  3. Password managers can help prevent users from entering credentials into spoofed websites, because the tool will only auto-fill on the genuine webpage.

However, not all security experts agree with Tiquet's approach. Ev Kontsevoy, CEO at Teleport, suggests that password management techniques have reached their limits when safeguarding infrastructure. Instead, he proposes eliminating static and standing credentials altogether and utilizing cryptographic identity verification based on immutable physical attributes, such as biometrics.

To mitigate phishing attacks, organizations need a multi-layered defense strategy that includes:

  1. Phishing-Resistant Authentication: Implement methods like FIDO2/WebAuthn, which are more secure than traditional OTPs and push notifications.
  2. Real-Time URL Scanning: Perform real-time URL scanning at click time to detect phishing domains, including pages that sit behind Cloudflare Turnstile checks designed to keep scanners out.
  3. Proactive Domain Monitoring: Regularly track newly registered phishing domains to prevent them from becoming active threats.
  4. Anomaly Detection: Utilize AI-based anomaly detection tools to identify unusual login locations, IP addresses, and user behavior patterns.
  5. Rate Limiting and Account Locking: Implement rate limiting on OTP submissions and lock accounts after a certain number of failed attempts.
  6. Session Cookie Protection: Ensure proper validation of session cookies to prevent man-in-the-middle attacks and session hijacking.
  7. Password Reset Protocols: Secondary authentication remains crucial even when 2FA is enabled. Regularly audit password reset protocols for security gaps.
  8. Employee Education: Educate employees to avoid interacting with suspicious emails and verify the authenticity of emails and attachments.
  9. Automated Threat Response: Utilize automated threat response capabilities to intercept and neutralize sophisticated phishing attacks.
  10. Continuous Monitoring and Threat Intelligence Sharing: Regularly monitor and share threat intelligence to stay updated on the latest phishing kits and tactics.
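Items 4, 5 and 6 above (anomaly detection on login properties, rate limiting of OTP submissions, and validation of session cookies) are the ones a defender can turn directly into code. The block below is an added example, not code from the article, Sekoia, Keeper Security or Microsoft. It binds each session to the client IP and user agent observed when MFA completed and flags later use of that session from different properties, which is the pattern a replayed Microsoft 365 session cookie produces, and it locks an account after repeated wrong OTP submissions. The sign-in events, session ids, IP addresses, user-agent strings and thresholds are all constructed for the example.

```python
"""Session-binding and OTP rate-limit checks over constructed sign-in events.

Added example for the mitigation list above; not code from the article or any
vendor named in it. Every event field, session id, address and threshold is
constructed for illustration.
"""
from collections import defaultdict

# Constructed sample sign-in events, in time order. A cookie stolen through an
# adversary-in-the-middle proxy is later presented from infrastructure that
# differs from the client that satisfied MFA, which is what event ts=3 models.
EVENTS = [
    {"ts": 1, "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/131", "mfa": True},
    {"ts": 2, "user": "alice", "session": "S1", "ip": "203.0.113.10", "ua": "Edge/131", "mfa": False},
    {"ts": 3, "user": "alice", "session": "S1", "ip": "198.51.100.7", "ua": "curl/8.4", "mfa": False},
    {"ts": 4, "user": "bob", "session": "S2", "ip": "192.0.2.22", "ua": "Chrome/130", "mfa": True},
    {"ts": 5, "user": "bob", "session": "S2", "ip": "192.0.2.22", "ua": "Chrome/130", "mfa": False},
]


def detect_session_replay(events):
    """Return (ts, user, reason) alerts for sessions used from an IP or user
    agent other than the one recorded when MFA completed for that session."""
    bound = {}  # session id -> (ip, ua) captured at MFA completion
    alerts = []
    for e in events:
        key = e["session"]
        if e["mfa"]:
            # MFA satisfied here: bind the session to this client's properties.
            bound[key] = (e["ip"], e["ua"])
            continue
        origin = bound.get(key)
        if origin is None:
            alerts.append((e["ts"], e["user"], f"session {key} used with no MFA binding on record"))
        elif origin != (e["ip"], e["ua"]):
            alerts.append((e["ts"], e["user"],
                           f"session {key} replayed from {e['ip']} / {e['ua']}, "
                           f"bound to {origin[0]} / {origin[1]}"))
    return alerts


class OtpRateLimiter:
    """Reject OTP guesses beyond max_failures in `window` seconds and lock the
    account for `lockout` seconds. Timestamps are plain seconds for clarity."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # user -> recent failure timestamps
        self.locked_until = {}             # user -> time the lock expires

    def submit(self, user, now, correct):
        """Return 'locked', 'ok' or 'rejected' for one OTP submission."""
        if self.locked_until.get(user, 0) > now:
            return "locked"  # locked accounts reject even a correct code
        recent = [t for t in self.failures[user] if now - t < self.window]
        if correct:
            self.failures[user] = []
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            return "locked"
        return "rejected"


if __name__ == "__main__":
    for ts, user, reason in detect_session_replay(EVENTS):
        print(f"[ts={ts}] {user}: {reason}")
    limiter = OtpRateLimiter(max_failures=3, window=60, lockout=600)
    for t in (0, 10, 20, 30):
        print(f"t={t}: {limiter.submit('alice', t, correct=False)}")
```

Binding to IP and user agent is a coarse signal (mobile clients change address legitimately), so in production the alert would feed the anomaly-detection step rather than terminate the session outright; the lockout timer keeps the OTP endpoint from being brute-forced even while that decision is pending.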

By prioritizing these strategies, organizations can significantly reduce the risk of 2FA bypass attacks targeting Microsoft 365 accounts and other high-value accounts. Stay vigilant, be aware, and take immediate actions to mitigate these stealthy threats.

  1. To safeguard against 2FA bypass attacks, Microsoft 365 users should consider implementing Privileged Access Management (PAM).
  2. The impact of the Sneaky 2FA phishing-as-a-service kit, sold by the Sneaky Log group, can be mitigated by pairing PAM with robust password management.
  3. In response to the 2FA attacks targeting Microsoft users, some experts suggest eliminating static credentials and using cryptographic identity verification based on biometrics.
  4. To defend against FlowerStorm's 2FA bypass attack, organizations can implement phishing-resistant authentication methods like FIDO2/WebAuthn.
  5. Sekoia's researchers warn about the Sneaky 2FA kit, which bypasses 2FA protections on Microsoft 365 accounts by harvesting session cookies.
