Security researchers at French firm Sekoia detected a new phishing-as-a-service kit targeting Microsoft 365 accounts in December 2024, the company announced on Jan. 16.
The kit, called Sneaky 2FA, was distributed through Telegram by the threat actor service Sneaky Log. It is associated with about 100 domains and has been active since at least October 2024.
Sneaky 2FA is an adversary-in-the-middle (AiTM) attack: the phishing server sits between the victim's browser and Microsoft's real sign-in service, relaying each step of the authentication while capturing what passes through it. Because it yields working access to the victim's mailbox, Sneaky 2FA belongs to the tooling behind business email compromise (BEC) attacks.
“The cybercriminal ecosystem associated with AiTM phishing and Business Email Compromise (BEC) attacks is continuously evolving, with threat actors opportunistically migrating from one PhaaS platform to another, supposedly based on the quality of the phishing service and the competitive price,” Sekoia analysts Quentin Bourgue and Grégoire Clermont wrote in the firm’s analysis of the attack.
How does the Sneaky 2FA phishing-as-a-service kit work?
Sneaky Log sells access to the phishing kit through a chatbot on Telegram. Once the customer pays, Sneaky Log provides access to the Sneaky 2FA source code. Sneaky Log uses compromised WordPress websites and other domains to host the pages that trigger the phishing kit.
The scam gates the phishing page behind a Cloudflare Turnstile "Verify you are human" check and then shows the potential victim a fake Microsoft authentication page.
If the victim enters their account information, the email address and password go to the phishing server, which relays them to Microsoft in real time. The server then detects which 2FA method(s) are enabled on the Microsoft 365 account and prompts the victim to complete one, so the victim's own approval satisfies the MFA challenge.
Once authentication succeeds, the victim is redirected to a real Office 365 URL, but the phishing server has captured the resulting session cookie and can use it to access the account through the Microsoft 365 API without needing the password or a fresh MFA code.
If the visitor to the phishing site is a bot, comes from a cloud provider, proxy, VPN or data center, or uses an IP address "associated with known abuse," the page redirects to a Microsoft-related Wikipedia entry instead of serving the phishing content. Security research team TRAC Labs detected a similar technique in December 2024 in a phishing scheme they named WikiKit.
Sneaky Log's kit shares some source code with another phishing kit found by risk platform company Group-IB in September 2023, Sekoia noted. That kit was associated with a threat actor called W3LL.
Sneaky Log sells Sneaky 2FA for $200 a month, paid in cryptocurrency, which Sekoia said is slightly cheaper than competing kits.
How to detect and mitigate Sneaky 2FA
The activities associated with Sneaky 2FA can be detected in a tenant's Microsoft 365 audit log, said Sekoia.
In particular, security researchers looking into a phishing attempt might see different hardcoded User-Agent strings on the HTTP requests for each step of the authentication flow. A legitimate sign-in keeps the same browser User-Agent across its steps, so a mid-flow change of browser and operating system under one correlation ID is a strong signal that the flow was relayed by the kit rather than performed by the user's own browser.
Sekoia published a Sigma detection rule that “looks for a Login:login event with a Safari on iOS User-Agent, and a Login:resume event with an Edge on Windows User-Agent, both having the same correlation ID, and happening within 10 minutes.”
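The same correlation that the Sigma rule expresses, applied to Microsoft 365 UserLoggedIn audit records, as an added example that is not part of Sekoia's publication or of the original article. The records below are constructed; they keep RequestType and UserAgent inside ExtendedProperties as Unified Audit Log exports do, but the top-level CorrelationId field name and the exact User-Agent substrings used to classify browsers are assumptions that should be mapped onto the real export before use.

```python
"""Flag Microsoft 365 sign-ins whose Login:login and Login:resume steps carry
different hardcoded User-Agents under one correlation ID (Sneaky 2FA pattern).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (JSON lines). The "CorrelationId" key is an
# assumed field name for the sign-in correlation ID. Three scenarios:
#   c1: Safari-on-iOS login followed 39 s later by an Edge-on-Windows resume -> alert
#   c2: both steps from the same Edge-on-Windows browser                     -> benign
#   c3: same mismatch as c1 but 20 minutes apart, outside the 10-minute window -> no alert
SAMPLE_AUDIT_LOG = r"""
{"CreationTime": "2024-12-10T09:14:02", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "CorrelationId": "c1", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"}]}
{"CreationTime": "2024-12-10T09:14:41", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "CorrelationId": "c1", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:resume"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"}]}
{"CreationTime": "2024-12-10T10:02:10", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "CorrelationId": "c2", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"}]}
{"CreationTime": "2024-12-10T10:02:15", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "CorrelationId": "c2", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:resume"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"}]}
{"CreationTime": "2024-12-10T11:00:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "CorrelationId": "c3", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"}]}
{"CreationTime": "2024-12-10T11:20:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com", "CorrelationId": "c3", "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:resume"}, {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"}]}
"""

WINDOW = timedelta(minutes=10)  # the rule's "within 10 minutes"


def is_safari_ios(ua: str) -> bool:
    """Heuristic (assumed substrings): Safari on iPhone/iPad, not Chrome/Edge/Firefox on iOS."""
    return (("iPhone" in ua or "iPad" in ua) and "Safari/" in ua
            and not any(x in ua for x in ("CriOS", "EdgiOS", "FxiOS")))


def is_edge_windows(ua: str) -> bool:
    """Heuristic (assumed substrings): Chromium Edge on Windows."""
    return "Windows NT" in ua and "Edg/" in ua


def load_records(text: str) -> list:
    """Parse JSON-lines audit export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_sneaky_2fa(records: list) -> list:
    """Return one alert per (user, correlation ID) that has a Safari-on-iOS
    Login:login and an Edge-on-Windows Login:resume within WINDOW of each other."""
    by_key = defaultdict(list)
    for rec in records:
        if rec.get("Operation") != "UserLoggedIn":
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("ExtendedProperties", [])}
        by_key[(rec["UserId"], rec["CorrelationId"])].append(
            (datetime.fromisoformat(rec["CreationTime"]),
             props.get("RequestType"), props.get("UserAgent", "")))

    alerts = []
    for (user, cid), events in by_key.items():
        logins = [t for t, rt, ua in events if rt == "Login:login" and is_safari_ios(ua)]
        resumes = [t for t, rt, ua in events if rt == "Login:resume" and is_edge_windows(ua)]
        # Any login/resume pair inside the window is enough; report the pair once.
        hit = next(((tl, tr) for tl in logins for tr in resumes if abs(tr - tl) <= WINDOW), None)
        if hit:
            alerts.append({"user": user, "correlation_id": cid,
                           "login_time": hit[0].isoformat(), "resume_time": hit[1].isoformat()})
    return alerts


def run_sample() -> list:
    """Run the detection over the constructed sample log."""
    return detect_sneaky_2fa(load_records(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Running the block prints a single alert for alice's correlation ID c1; bob's consistent browser and carol's out-of-window pair produce nothing. The User-Agent substrings are the part most likely to need tuning: the kit's hardcoded values can change between versions, so treat the two classifier functions as the place to update when Sekoia or your own captures show different strings.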
Security professionals can remind employees to avoid interacting with suspicious emails, including those that sound urgent or frightening. Sekoia discovered Sneaky 2FA through a malicious email attachment titled "Final Lien Waiver.pdf" that contained a QR code; the URL embedded in the QR code led to a phishing page hosted on a compromised site.
Other recent phishing attempts target Microsoft
Microsoft’s ubiquity makes it a rich hunting ground for threat actors, whether they run attacks directly or sell phishing-as-a-service tools.
In 2023, Microsoft's Threat Intelligence team disclosed a phishing kit targeting services like Office or Outlook. Later in the same year, Proofpoint pulled the mask off EvilProxy, a phishing kit that could bypass two-factor authentication.
In October 2024, Check Point warned users of Microsoft products against sophisticated mimics trying to steal account information.