Full Report
Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of targeting Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting
Analysis Summary
# Tool/Technique: Sneaky 2FA (also known as WikiKit)
## Overview
Sneaky 2FA is a newly observed Adversary-in-the-Middle (AitM) phishing kit designed to steal Microsoft 365 credentials and two-factor authentication (2FA) codes, and with them the authenticated session cookies. It is being offered as a Phishing-as-a-Service (PhaaS) product called 'Sneaky Log' through a Telegram bot, costing customers approximately $200 per month. Another intelligence source referred to it as WikiKit based on its redirection behavior.
## Technical Details
- Type: Attack Tool (Phishing Kit / PhaaS)
- Platform: Primarily targets Microsoft 365 users; the hosting infrastructure appears to involve compromised WordPress websites.
- Capabilities: Adversary-in-the-Middle (AitM) credential and 2FA harvesting, anti-analysis/anti-bot measures, licensing enforcement.
- First Seen: Observed in the wild since at least October 2024, detected by Sekoia in December 2024.
## MITRE ATT&CK Mapping
*Note: As this is a phishing kit, the primary mapping is related to initial access and credential theft.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via payment receipt emails containing QR codes)
    - T1566.002 - Spearphishing Link (Redirection via QR code)
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores (Implied, as session cookies/tokens are likely harvested post-2FA bypass)
## Functionality
### Core Capabilities
* **AitM Phishing:** Intercepts authentication traffic to capture both username/password and subsequent 2FA tokens/session cookies.
* **Delivery Mechanism:** Campaigns utilize payment receipt-related emails containing a QR code. Scanning this code redirects victims to the malicious phishing pages.
* **Visual Deception:** Uses blurred screenshots of legitimate Microsoft authentication interfaces as backgrounds to trick users into believing they are authenticating to access the blurred content.
* **Automatic Field Population:** Automatically presets the victim's email address on the fake login page to enhance perceived legitimacy.
* **Licensing:** Requires a valid license key validated against a central server to function, enforced monthly ($200/month subscription).
### Advanced Features
* **Anti-Analysis/Anti-Bot Measures:** Employs traffic filtering and Cloudflare Turnstile challenges to block automated visitors.
* **Developer Tool Detection:** Runs checks specifically designed to detect and resist analysis attempts using web browser developer tools.
* **IP Filtering/Redirection:** Directs traffic originating from data centers, cloud providers, bots, proxies, or VPNs to a Microsoft-related Wikipedia page via the `href[.]li` redirection service (the behavior that led to the name WikiKit).
* **User-Agent String Manipulation:** Uses a sequence of hardcoded, specific User-Agent strings across different authentication flow steps, which researchers noted as rare in legitimate scenarios, offering a high-fidelity detection vector.
## Indicators of Compromise
- File Hashes: [Not specified in the context]
- File Names: [Not specified in the context; relies on deployed pages/infrastructure]
- Registry Keys: [Not specified in the context]
- Network Indicators:
  - Redirection service: `href[.]li`
  - C2 checks rely on communication with the central licensing server.
- Behavioral Indicators:
  - Displaying blurred Microsoft login pages.
  - Specific, sequential transition between different User-Agent strings during the authentication attempt.
  - Immediate redirection to a Microsoft Wikipedia page if the visitor's IP traces back to a known hosting/proxy range.
## Associated Threat Actors
* **General Cybercrime Service:** Sold via the 'Sneaky Log' bot on Telegram.
* **Potential Link:** Source code similarities suggest it may be based on, or related to, the **W3LL Store** syndicate, which previously operated the W3LL Panel.
* **Migrating Users:** Some domains were previously associated with **Evilginx2** and **Greatness** kits, indicating users migrating to Sneaky 2FA.
## Detection Methods
- Signature-based detection: [Not specified, though specific file hashes may emerge]
- Behavioral detection: Monitoring for the unusual, sequenced User-Agent transitions characteristic of the kit (the same client switching User-Agent strings between the username, password, and 2FA steps of one sign-in).
- YARA rules: [Not specified]
- Network Detection: Flagging traffic that arrives via the `href[.]li` redirection service for suspicious content.
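The two behavioral detections above can be checked against sign-in or reverse-proxy logs. The script below is an added example written for this summary, not code from Sekoia or from the kit; it parses constructed log lines (the log format, the session IDs, and the User-Agent strings are all assumptions, since the report does not publish the kit's hardcoded strings) and flags (1) any sign-in session whose User-Agent changes between authentication steps, (2) identical User-Agent sequences recurring across unrelated sessions, which is how a kit-specific sequence would surface as a fingerprint, and (3) requests referred by the `href.li` redirector.

```python
"""Detection logic for the Sneaky 2FA behavioral indicators described above.

Added example; the log format and all sample values below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). One request per line:
# <timestamp> <client_ip> <session_id> <auth_step> <referer> "<user_agent>"
SAMPLE_LOG = """\
2024-12-03T10:00:01Z 203.0.113.10 sess-A username - "UA-Alpha/1.0"
2024-12-03T10:00:05Z 203.0.113.10 sess-A password - "UA-Beta/2.0"
2024-12-03T10:00:12Z 203.0.113.10 sess-A mfa - "UA-Gamma/3.0"
2024-12-03T10:01:00Z 198.51.100.7 sess-B username - "Mozilla/5.0 (Windows NT 10.0)"
2024-12-03T10:01:04Z 198.51.100.7 sess-B password - "Mozilla/5.0 (Windows NT 10.0)"
2024-12-03T10:01:09Z 198.51.100.7 sess-B mfa - "Mozilla/5.0 (Windows NT 10.0)"
2024-12-03T10:02:00Z 192.0.2.44 sess-C username https://href.li/?https://example.invalid "Mozilla/5.0 (X11)"
2024-12-03T10:03:01Z 192.0.2.99 sess-D username - "UA-Alpha/1.0"
2024-12-03T10:03:06Z 192.0.2.99 sess-D password - "UA-Beta/2.0"
2024-12-03T10:03:15Z 192.0.2.99 sess-D mfa - "UA-Gamma/3.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<session>\S+) (?P<step>\S+) '
    r'(?P<referer>\S+) "(?P<ua>[^"]*)"$'
)

# Order of the steps in a Microsoft 365 style sign-in flow (assumed labels).
STEP_ORDER = {"username": 0, "password": 1, "mfa": 2}

# Referer hosted on the href.li redirector (the report's defanged `href[.]li`).
HREFLI_RE = re.compile(r"^https?://(www\.)?href\.li/", re.IGNORECASE)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_ua_switching_sessions(events):
    """Return {session_id: [ua per step]} for sessions whose UA changes mid-flow.

    A browser normally keeps one User-Agent for the whole sign-in, so a
    session presenting different strings at the username, password and
    2FA steps matches the kit's described behavior.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: STEP_ORDER.get(e["step"], 99))
        uas = [e["ua"] for e in evs]
        if len(set(uas)) > 1:
            flagged[sid] = uas
    return flagged


def sequence_fingerprints(flagged):
    """Count identical UA sequences across flagged sessions.

    The same exact sequence recurring from different clients indicates a
    tool with hardcoded strings rather than a one-off browser quirk.
    """
    return Counter(tuple(uas) for uas in flagged.values())


def find_hrefli_referers(events):
    """Return session IDs of requests that arrived via the href.li redirector."""
    return [e["session"] for e in events if HREFLI_RE.match(e["referer"])]


def analyze(text):
    """Run all three checks and return a summary dict."""
    events = parse_log(text)
    flagged = find_ua_switching_sessions(events)
    return {
        "ua_switching_sessions": flagged,
        "ua_sequence_counts": sequence_fingerprints(flagged),
        "hrefli_sessions": find_hrefli_referers(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this flags sessions `sess-A` and `sess-D` for switching User-Agents mid-flow, reports their shared three-string sequence as occurring twice, and flags `sess-C` for arriving via `href.li`; `sess-B`, a normal sign-in with a constant User-Agent, is not flagged. In production the session key would be whatever your proxy or identity provider correlates sign-in steps on, and the sequence-count output is the place to pivot once the kit's actual strings are known.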
## Mitigation Strategies
- **User Training:** Emphasizing vigilance against urgent emails (e.g., payment receipts) leading to external links, especially those involving QR codes for authentication.
- **MFA Implementation:** While AitM bypasses standard push/text MFA, organizations should use phishing-resistant MFA methods where possible.
- **Infrastructure Hardening:** Regularly auditing web servers (like WordPress installations) for compromise that could host phishing pages.
- **Network Monitoring:** Monitoring for connections to known PhaaS communication points or unusual redirection chains.
## Related Tools/Techniques
* **W3LL Panel** (Possible progenitor/related threat group)
* **Evilginx2** (AitM phishing kit, users migrating away from it)
* **Greatness** (AitM phishing kit)