Researchers have identified a new adversary-in-the-middle (AitM) phishing kit called Sneaky 2FA, which targets Microsoft 365 accounts to steal credentials and two-factor authentication (2FA) codes. The kit, discovered by French cybersecurity company Sekoia in December 2024, has been observed in numerous phishing campaigns. The kit is sold as phishing-as-a-service (PhaaS) through the Telegram bot “Sneaky Log,” which provides customers with access to an obfuscated version of the source code to deploy independently. As of January 2025, nearly 100 domains have been found hosting phishing pages related to Sneaky 2FA.
The phishing campaigns primarily use payment receipt emails to lure victims into opening malicious PDF attachments. These documents contain QR codes that redirect users to Sneaky 2FA’s phishing pages, which mimic legitimate Microsoft login interfaces. The fake authentication pages are hosted on compromised infrastructure, typically compromised WordPress sites, and on other attacker-controlled domains. The pages automatically pre-fill the victim’s email address to make the page look more legitimate and trick the victim into submitting their credentials.
Sneaky 2FA also employs various anti-bot and anti-analysis techniques to ensure only targeted victims are directed to the phishing pages. These measures include traffic filtering, Cloudflare Turnstile challenges, and checks to detect attempts to analyze the phishing kit using browser developer tools. If the visitor’s IP address originates from a cloud provider or a proxy service, the visitor is redirected to a Microsoft-related Wikipedia page instead, a tactic that has led some researchers to nickname the kit WikiKit. Additionally, the kit checks in with a central server to confirm that the customer’s subscription is active, requiring a valid license key for operation.
Some of the domains used by Sneaky 2FA were previously associated with other AitM phishing kits, such as Evilginx2 and Greatness, indicating that some cybercriminals have migrated to this new service. While the kit shares some code with the W3LL Panel phishing kit, it is considered a distinct entity with new functionality. Researchers note that the kit’s behavior, in particular its use of different User-Agent strings across the successive steps of an authentication flow, provides a reliable method for detecting it.
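A defender-side check for the User-Agent inconsistency described above, written here as an added example (it is not Sekoia's detection logic or any product's code). The log line format, correlation ids and User-Agent values are constructed for illustration and are not taken from the kit.

```python
"""Flag sign-in sessions whose authentication steps carry inconsistent
User-Agent strings. Added illustration; log format and values constructed."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample sign-in events (not real telemetry). One line per
# authentication step; the correlation id ties the steps of one sign-in
# together. A genuine browser keeps one User-Agent for all steps, while a
# relay that replays them from its own HTTP client(s) does not (session B).
SAMPLE_LOG = """\
cid=A step=username ua=Mozilla/5.0 (Windows NT 10.0) Chrome/120
cid=A step=password ua=Mozilla/5.0 (Windows NT 10.0) Chrome/120
cid=A step=mfa ua=Mozilla/5.0 (Windows NT 10.0) Chrome/120
cid=B step=username ua=Mozilla/5.0 (Windows NT 10.0) Chrome/120
cid=B step=password ua=python-requests/2.31
cid=B step=mfa ua=Mozilla/5.0 (X11; Linux) Firefox/115
cid=C step=username ua=Mozilla/5.0 (Macintosh) Safari/17
cid=C step=password ua=Mozilla/5.0 (Macintosh) Safari/17
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split 'cid=.. step=.. ua=..' into fields. The ua value may contain
    spaces and '=' characters, so everything after ' ua=' is kept verbatim."""
    head, _, ua = line.partition(" ua=")
    fields = dict(part.split("=", 1) for part in head.split())
    fields["ua"] = ua.strip()
    return fields

def user_agents_per_session(log: str) -> Dict[str, List[str]]:
    """Map each correlation id to the distinct User-Agents seen across its
    steps, in order of first appearance."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["ua"] not in seen[ev["cid"]]:
            seen[ev["cid"]].append(ev["ua"])
    return seen

def flag_inconsistent_sessions(log: str) -> Dict[str, List[str]]:
    """Return only sessions whose steps used more than one User-Agent. These
    are triage candidates for an AitM relay, not proof of one, and should be
    reviewed together with source IP, ASN and sign-in location context."""
    return {cid: uas for cid, uas in user_agents_per_session(log).items()
            if len(uas) > 1}
```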