Full Report
The phishing-as-a-service kit from Sneaky Log creates fake authentication pages to farm account information, including two-factor security codes.
Analysis Summary
# Tool/Technique: Sneaky 2FA (Phishing-as-a-Service Kit)
## Overview
Sneaky 2FA is a phishing-as-a-service (PhaaS) kit distributed via Telegram by the threat actor service "Sneaky Log." Its primary purpose is to create fake authentication pages, often spoofing Microsoft login screens, to harvest user credentials, including sensitive two-factor authentication (2FA) codes, from Microsoft 365 accounts.
## Technical Details
- Type: Attack Tool/Framework (Phishing Kit)
- Platform: Targets Microsoft 365 users (Web-based authentication)
- Capabilities: Sets up Adversary-in-the-Middle (AiTM) phishing infrastructure to capture session data and 2FA tokens in real time.
- First Seen: Active since at least October 2024; analyzed and reported in December 2024/January 2025.
## MITRE ATT&CK Mapping
The core mechanism of this kit aligns with bypassing authentication mechanisms:
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
  - *Note: While it collects credentials, its direct method is session hijacking via AiTM.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
  - T1566.001 - Spearphishing Attachment (Likely via lures in Telegram)
## Functionality
### Core Capabilities
- **Adversary-in-the-Middle (AiTM):** Intercepts the communication flow between the victim's device and the legitimate Microsoft 365 service during the login process.
- **2FA Code Harvesting:** Specifically designed to capture the one-time password or security code entered by the user, effectively bypassing traditional 2FA protections.
- **Phishing Site Deployment:** The kit automates the creation and potential hosting of convincing login pages.
### Advanced Features
- **PhaaS Model:** Sold or offered as a service on platforms like Telegram, allowing less sophisticated actors to deploy sophisticated AiTM attacks.
- **Association with BEC:** Identified as falling under the class of Business Email Compromise (BEC) attacks, indicating its use in targeted organizational compromise.
## Indicators of Compromise
*(Note: The provided article context is high-level and does not list specific IOCs such as hashes or domains; it only mentions a general association.)*
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not applicable/Not provided in context]
- Network Indicators: Associated with approximately 100 domains used for hosting the phishing infrastructure (the specific domains are not listed in the source material).
- Behavioral Indicators: Real-time interception of authentication flows for M365 sessions.
## Associated Threat Actors
- **Sneaky Log:** The threat actor service distributing the Sneaky 2FA kit via Telegram.
- Opportunistic threat actors migrating between PhaaS platforms.
## Detection Methods
*(Note: The article mentions detection by Sekoia, but does not detail their specific internal methods, only general categories.)*
- Signature-based detection: [Requires identification of specific deployed phishing domain signatures]
- Behavioral detection: Detecting proxying or interception of Microsoft 365 login flows (AiTM detection).
- YARA rules: [Not provided in context]
## Mitigation Strategies
- **Prevention measures:** Use phishing-resistant MFA methods (e.g., FIDO2 security keys). These resist AiTM phishing because the authenticator signs an origin-bound challenge instead of sending a shared secret or one-time code that a proxy can relay.
- **Hardening recommendations:** Continuous user training on recognizing sophisticated spoofed login pages and on the risk that a login completed through a proxy hands the attacker a valid session token. Review organizational M365 sign-in and session logs for anomalous session acquisitions.
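The behavioral detection and log-review points above describe the AiTM signal only in general terms. The following is an added illustration, not code from the article or from Sekoia: it runs a simple AiTM session-replay check over constructed sign-in events, flagging a session whose MFA-completed sign-in and a subsequent use of the same session come from different source IPs within a short window. The event format, field names and sample values are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Field order:
# (timestamp, user, session_id, event_type, source_ip)
EVENTS = [
    ("2025-01-10T09:00:00", "alice@example.com", "S1", "mfa_success", "203.0.113.10"),
    ("2025-01-10T09:00:07", "alice@example.com", "S1", "token_use",   "198.51.100.44"),
    ("2025-01-10T09:05:00", "bob@example.com",   "S2", "mfa_success", "192.0.2.20"),
    ("2025-01-10T09:30:00", "bob@example.com",   "S2", "token_use",   "192.0.2.20"),
    ("2025-01-10T10:00:00", "carol@example.com", "S3", "mfa_success", "192.0.2.77"),
    ("2025-01-10T13:00:00", "carol@example.com", "S3", "token_use",   "203.0.113.99"),
]


def find_aitm_candidates(events, window=timedelta(minutes=15)):
    """Flag sessions whose MFA-completed sign-in and a later use of the same
    session come from different source IPs within `window`.

    Rationale: in an AiTM flow the victim completes MFA through the phishing
    proxy, and the captured session is then used from other infrastructure.
    A legitimate user normally keeps the same IP for a while, so an IP change
    seconds after MFA on a fresh session is worth triaging. Mobile roaming
    and VPN reconnects are the usual false positives, hence the time window.
    """
    first_auth = {}  # session_id -> (time, ip) of the MFA success
    findings = []
    for ts, user, sid, kind, ip in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "mfa_success":
            first_auth[sid] = (when, ip)
        elif kind == "token_use" and sid in first_auth:
            auth_time, auth_ip = first_auth[sid]
            if ip != auth_ip and when - auth_time <= window:
                findings.append({
                    "user": user, "session": sid,
                    "auth_ip": auth_ip, "reuse_ip": ip,
                    "delta_s": int((when - auth_time).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    # Only S1 is flagged: S2 keeps the same IP, S3 changes IP but hours later.
    for finding in find_aitm_candidates(EVENTS):
        print(finding)
```

In a real deployment the same logic would run over Entra ID sign-in and non-interactive sign-in logs, with the window and an allow-list of known egress ranges tuned to the organization.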
## Related Tools/Techniques
- AiTM Phishing Frameworks (General category)
- Other Phishing-as-a-Service platforms used in the BEC ecosystem.