Cybersecurity researchers from Sekoia have discovered a new Adversary-in-the-Middle (AiTM) phishing kit named “Sneaky 2FA,” targeting Microsoft 365 accounts.
First discovered in December last year, this phishing kit has been active since at least October 2024 and is distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot called “Sneaky Log.” Subscribers receive an obfuscated version of the source code, allowing them to deploy the phishing kit independently.
Bypassing 2FA
This scourge has several key features:
- Autograb Functionality: The phishing URLs include the victim’s email address as a parameter, which is then prefilled into the fake Microsoft authentication page to make it seem credible.
- Anti-Bot and Anti-Analysis Measures: It uses traffic filtering and Cloudflare Turnstile challenges to ensure that only real users reach the credential-harvesting pages. It also performs checks to detect and resist analysis attempts made with web browser developer tools.
- Session Hijacking: By wedging itself between the user and the legitimate service, the kit captures session cookies once the user has completed the 2FA process, which enables malefactors to bypass 2FA and get access to user accounts.
Readily Available for Purchase
Elad Luz, Head of Research at Oasis Security, says this threat is particularly deceptive for several reasons. “The links in the phishing emails are crafted to pass the victim’s email address to the login page, enabling it to ‘autofill’ the email field. This mimics the behavior of legitimate websites, where autofill is typically associated with accounts users have previously logged into.”
In addition, he says the attackers obfuscated screenshots of Microsoft webpages to mimic a convincing login background, making it seem as though users will access legitimate content once successfully logged in. “They also implemented common methods on the web page to distinguish between humans and bots. If the visitor is detected as a bot, the page either displays harmless content or redirects to a legitimate website like Wikipedia. This tactic helps evade automated detection by security systems.”
Luz says Sneaky 2FA was developed by one group of malicious actors and sold to others, emphasizing the collaborative nature of many attacks we see today—in fact, these types of tools are often the result of collaborative efforts by different actors working together and trading resources. “The fact that such kits are readily available for purchase is highly concerning.”
Distribution and Operations
The phishing kit costs a measly $200 per month and operates through a fully featured Telegram bot. Customers get access to a licensed, obfuscated version of the source code and can deploy it independently.
The phishing pages are hosted on compromised infrastructure, usually WordPress websites and other domains controlled by the kit’s authors.
The researchers said that analysis of the source code revealed references to a phishing syndicate named W3LL Store, previously exposed for distributing a phishing kit called W3LL Panel. Similarities in the AiTM relay implementation suggest that Sneaky 2FA could be based on the W3LL Panel.
Organizations are advised to monitor for anomalous User-Agent transitions during the authentication process, since Sneaky 2FA uses a range of hardcoded User-Agent strings that vary by authentication step.
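As an added illustration of that detection idea (example code written for this article, not from Sekoia or the kit), the following Python checker flags sign-in sessions whose User-Agent changes between steps within a short window. The events and field names are constructed assumptions, not any identity provider's real log schema.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (NOT real logs). The field names are an
# assumption for this example, not the schema of any particular identity provider.
SAMPLE_LOG = """
{"ts": "2025-01-15T09:00:01Z", "user": "alice@example.com", "session": "s1", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:00:20Z", "user": "alice@example.com", "session": "s1", "step": "mfa", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:05:00Z", "user": "bob@example.com", "session": "s2", "step": "password", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}
{"ts": "2025-01-15T09:05:30Z", "user": "bob@example.com", "session": "s2", "step": "mfa", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"}
{"ts": "2025-01-15T09:06:00Z", "user": "bob@example.com", "session": "s2", "step": "token", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_ua_transitions(events, window_seconds=600):
    """Return one alert per consecutive pair of steps in the same (user, session)
    where the User-Agent differs and the steps are at most window_seconds apart.
    A real browser keeps one User-Agent for the whole sign-in; a relay that sends
    each step with its own hardcoded string does not."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session"])].append(e)
    alerts = []
    for (user, session), evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            elapsed = (cur["ts"] - prev["ts"]).total_seconds()
            if cur["ua"] != prev["ua"] and elapsed <= window_seconds:
                alerts.append({"user": user, "session": session,
                               "from_step": prev["step"], "to_step": cur["step"],
                               "from_ua": prev["ua"], "to_ua": cur["ua"]})
    return alerts


if __name__ == "__main__":
    for a in find_ua_transitions(parse_events(SAMPLE_LOG)):
        print(f"{a['user']} {a['session']}: {a['from_step']} -> {a['to_step']} "
              f"User-Agent changed")
```

Alice's session keeps one User-Agent and produces no alert; Bob's session changes it on every step and produces two.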
Protecting Against Sneaky 2FA
Stephen Kowski, Field CTO at SlashNext, says the kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, and is particularly dangerous for Microsoft 365 environments. “Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats.”
Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, says firms can mitigate this risk by implementing Privileged Access Management (PAM) to restrict access and contain potential damage from compromised accounts. Pairing this with robust password management ensures that credentials are strong, unique, and securely stored, reducing exposure to phishing campaigns. “Additionally, a password manager will prevent users from entering credentials into spoofed websites because the tool will only auto-fill credentials on the authentic webpage. Enforcing layered security measures, such as advanced threat detection and employee training, further minimizes organizational risk.”
To mitigate the risks associated with sophisticated phishing kits, Luz advises implementing advanced threat detection solutions that monitor sign-in logs and deploy effective tools to fingerprint attackers and detect anomalies. Education is also key, and users are advised to exercise extreme caution with emails and verify the legitimacy of websites before entering their credentials.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.