Your MFA Is No Match for Sneaky2FA

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In early February 2025, the eSentire Threat Response Unit (TRU) detected a user accessing a known phishing site associated with Sneaky2FA. Sneaky2FA is an AitM (Adversary-in-the-Middle) PhaaS (Phishing-as-a-Service) kit designed to bypass 2FA (Two-Factor Authentication) and provide the operator with access to the victim’s Office 365 account via intercepted session cookies.

Sneaky2FA is advertised for sale by the user “Vanyaon” on hacking forums and Telegram, with pricing starting at $150 per month for the first 10 users and $200 per month thereafter.

TRU has observed phishing operators making use of stolen session cookies behind VPN and proxy-associated hosting providers, ultimately leading to follow-on activities like modification/creation of MFA methods for maintaining persistent access to stolen accounts.

The figure below displays the Telegram advertisement for Sneaky2FA and describes the features/payment methods for the phishing kit.

The specific attack scenario in this case involves the user opening a spam email containing a link to a phishing PDF stored in OneDrive. Upon clicking the link, the user is redirected to OneDrive and shown the phishing PDF.

Upon the user clicking the hyperlink in the PDF the user is redirected to an Office 365 themed Sneaky2FA associated web page at the URL “hxxps://secure.toitoiiusa[.]com/”.

The figure below displays the phishing PDF.

Much like other phishing kits, Sneaky2FA features Cloudflare Turnstile/Google ReCaptcha as security measures to prevent scanners and bots from accessing the phishing page, effectively making the process more difficult for threat intelligence researchers to identify Sneaky2FA associated infrastructure in the wild.

Note, TRU has observed other variants of Sneaky2FA that make use of the blurred background images described in Sekoia’s blog here.

The following figure contains a truncated portion of the HTML contents of Turnstile pages. The title element contains HTML encoded entities and can be used to identify Sneaky2FA in-the-wild.

Decoding the HTML entities in the title element can be accomplished via the following CyberChef recipe.

Next, the phishing html is acquired through HTTP GET to the /index endpoint. This retrieves the phishing form via HTTP GET to the /verify endpoint.

The user then enters their email and clicks the Next button, sending an HTTP POST request to the /validate endpoint containing the user’s email to the backend.

After the user enters their password and clicks the Sign in button, another HTTP POST request is sent to the /validate endpoint containing the user's email and password. The email is parsed, and an invalid password response JSON is returned if the email is not business associated.

The phishing kit operators are likely doing this to disrupt security researchers using non-business associated email addresses like hotmail.com.

If the email is associated with a business and the account lacks 2FA, the phishing kit redirects to a legitimate Office 365 error page.

Otherwise, the response from the /validate endpoint determines the 2FA method. In this case, an OTP from an authenticator app.

Next, the 2FA method is sent to the backend via HTTP POST to the /validate endpoint, e.g. verify_code

Next, the 2FA code is captured from the victim and sent via HTTP POST to the /validate endpoint. Once the 2FA code is received in the backend, a session cookie is acquired for the phishing kit operator(s) to use for follow-on activities such as: adding MFA methods, email harvesting, spam, and phishing.

TRU observed phishing operator(s) using stolen session cookies to add MFA methods, hiding behind VPN/Proxy associated hosting providers such as: Digital Ocean, Private Internet Access, Bandito Networks, Clouvider Limited, and Amazon.

The following table displays the phishing kit operators’ external IP addresses, user agents, and autonomous system labels (ASLs) identified in Microsoft Entra logs.

What did we do?

• Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.
• We communicated what happened with the customer and helped them with remediation efforts.

What can you learn from this TRU Positive?

• Sneaky2FA is a sophisticated PhaaS kit that allows phishing operators targeting Office 365 to effectively bypass 2FA and capture a session cookie for full access.
• This allows damaging follow-on activities such as email exfiltration, spam, BEC type attacks, internal phishing, and email forwarding/redirection.

Recommendations from the Threat Response Unit (TRU):

• Phishing and Security Awareness Training (PSAT) programs should be conducted to make users aware of these types of attacks.
• Implement Device Compliance policies to limit access to only compliant devices; this tactic disrupts Adversary-in-the-Middle phishing.
• Review best practices provided by Microsoft.
• Regularly conduct proactive threat hunting for sign-ins from unusual autonomous system labels (ASLs)/user agents/applications, modifications to MFA methods, auto-forwarding of emails to external accounts via forwarding rules, extraction of sensitive emails/contacts, access to single-sign-on (SSO) applications, email redirection, and audit log deletion.
• Limit permissions for creating or modifying existing mailbox rules to trusted users/administrators.
• Disable automatic forwarding to external domains.

Indicators of Compromise

• Indicators of Compromise can be accessed here.

References

• https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/