French cybersecurity researchers at Sekoia discovered a new phishing-as-a-service kit aimed at Microsoft 365 accounts in December 2024, as the company reported on January 16.
Named Deceptive 2FA, the kit is sold via Telegram by the cybercrime service Sneaky Log. It is linked to approximately 100 domains and has been operational since at least October 2024.
Deceptive 2FA operates as an adversary-in-the-middle (AiTM) attack: the phishing server sits between the victim’s device and Microsoft 365 and intercepts the data exchanged between them. This falls within the category of business email compromise attacks.
“The cybercriminal network associated with AiTM phishing and Business Email Compromise (BEC) attacks is continuously evolving, with threat actors shifting opportunistically from one PhaaS platform to another, purportedly based on the efficacy of the phishing service and the competitive pricing,” specified Quentin Bourgue and Grégoire Clermont, analysts at Sekoia, in the company’s assessment of the incident.
How does the Deceptive 2FA phishing-as-a-service kit operate?
Sneaky Log sells access to the phishing kit through a chatbot on Telegram. Once the customer pays, Sneaky Log grants access to the Deceptive 2FA source code. The pages that launch the phishing kit are hosted by Sneaky Log on compromised WordPress sites and other domains.
The scam shows the potential victim a counterfeit Microsoft authentication page. Before that, Deceptive 2FA presents a Cloudflare Turnstile page containing a “Confirm you are human” dialog.
If the victim enters their account details, the email and password are transmitted to the phishing server. Sneaky Log’s server identifies the 2FA method(s) available for the Microsoft 365 account and prompts the user accordingly.
The user is then redirected to a legitimate Office365 URL, while the phishing server uses the captured session to access the user’s account via the Microsoft 365 API.
In cases where the visitor to the phishing site is a bot, cloud provider, proxy, VPN, originates from a data center, or utilizes an IP address “linked with known abuse,” the page redirects to a Wikipedia page related to Microsoft. A similar tactic was identified in December 2024 by the security research team at TRAC Labs in a phishing attack dubbed WikiKit.
Sneaky Log’s kit shares portions of its source code with another phishing kit uncovered by risk platform company Group-IB in September 2023, as highlighted by Sekoia. That kit was linked to a threat actor known as W3LL.
Sneaky Log offers Deceptive 2FA at a monthly rate of $200, payable in cryptocurrency. Sekoia noted this price is marginally lower than what Sneaky Log’s criminal competitors charge.
How to detect and mitigate Deceptive 2FA
Sekoia stated that activity tied to Deceptive 2FA can be traced in a user’s Microsoft 365 audit log.
Specifically, researchers examining a phishing attempt may notice distinct hardcoded User-Agent strings on the HTTP requests at each phase of the authentication process. A legitimate sign-in, in which one browser performs every step, is unlikely to show that pattern.
Sekoia released a Sigma detection rule that “identifies a Login:login event with a Safari on iOS User-Agent, and a Login:resume event with an Edge on Windows User-Agent, both sharing the same correlation ID, and occurring within 10 minutes.”
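The correlation the Sigma rule describes, written out as an added example that is not Sekoia’s rule or code, run over constructed audit records. The flat field names and User-Agent strings are assumptions standing in for the real Microsoft 365 audit log fields.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real audit data. The flat field names are
# an assumption standing in for the Microsoft 365 audit log fields.
SAMPLE_EVENTS = [
    # Suspicious: iOS Safari at Login:login, Edge on Windows at Login:resume, 3 minutes apart
    {"time": "2025-01-10T09:00:05Z", "request_type": "Login:login", "correlation_id": "corr-0001",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Version/17.0 Mobile/15E148 Safari/604.1"},
    {"time": "2025-01-10T09:03:20Z", "request_type": "Login:resume", "correlation_id": "corr-0001",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"},
    # Benign: the same Windows Edge browser performs both steps
    {"time": "2025-01-10T10:00:00Z", "request_type": "Login:login", "correlation_id": "corr-0002",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"},
    {"time": "2025-01-10T10:00:40Z", "request_type": "Login:resume", "correlation_id": "corr-0002",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"},
    # Same User-Agent pair but 30 minutes apart: outside the rule's 10-minute window
    {"time": "2025-01-10T11:00:00Z", "request_type": "Login:login", "correlation_id": "corr-0003",
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Version/17.0 Mobile/15E148 Safari/604.1"},
    {"time": "2025-01-10T11:30:00Z", "request_type": "Login:resume", "correlation_id": "corr-0003",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0"},
]


def is_ios_safari(ua):
    # Safari on iPhone/iPad; Chrome and Firefox on iOS carry CriOS/FxiOS markers instead
    return ("iPhone" in ua or "iPad" in ua) and "Safari/" in ua and "CriOS" not in ua and "FxiOS" not in ua


def is_windows_edge(ua):
    return "Windows NT" in ua and "Edg/" in ua


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_correlations(events, window=timedelta(minutes=10)):
    """Return correlation IDs where a Login:login from Safari on iOS is followed,
    within `window`, by a Login:resume from Edge on Windows."""
    logins, resumes = {}, {}
    for e in events:
        cid, ua, t = e["correlation_id"], e["user_agent"], parse_time(e["time"])
        if e["request_type"] == "Login:login" and is_ios_safari(ua):
            logins.setdefault(cid, []).append(t)
        elif e["request_type"] == "Login:resume" and is_windows_edge(ua):
            resumes.setdefault(cid, []).append(t)
    flagged = []
    for cid, login_times in logins.items():
        if any(timedelta(0) <= t_resume - t_login <= window
               for t_login in login_times for t_resume in resumes.get(cid, [])):
            flagged.append(cid)
    return flagged


if __name__ == "__main__":
    print(find_suspicious_correlations(SAMPLE_EVENTS))  # ['corr-0001']
```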
Security professionals can advise employees not to engage with suspicious emails, particularly those that appear urgent or alarming. Sekoia found Deceptive 2FA delivered through a malicious email attachment labeled “Final Lien Waiver.pdf” containing a QR code; the URL in the QR code led to a compromised page.
Other recent phishing schemes targeting Microsoft
Microsoft’s widespread use makes it a lucrative target for threat actors, whether they conduct attacks directly or sell phishing-as-a-service tooling.
In 2023, Microsoft’s Threat Intelligence unit exposed a phishing kit targeting services such as Office and Outlook. Later that year, Proofpoint detailed EvilProxy, a phishing kit capable of bypassing two-factor authentication.
In October 2024, Check Point warned Microsoft product users about sophisticated impersonation attempts aimed at stealing account credentials.
