Update, Jan. 19, 2025: This story, originally published Jan. 18, now includes additional mitigation advice from cybersecurity experts regarding the latest Microsoft Sneaky 2FA bypass attack.
There is no escaping the phishing threat, as WhatsApp and PayPal users have been warned. Gmail and Outlook users don’t escape the attack warnings, and the addition of two-factor authentication bypass hacks just muddies the security waters. Now, French security researchers have exposed another new adversary-in-the-middle attack that targets Microsoft 365 accounts, stealing credentials and bypassing 2FA protections in the process. Here’s what you need to know.
The Sneaky 2FA Attack Warning
A cybercrime group known as Sneaky Log has been selling a 2FA-bypassing phishing-as-a-service kit called Sneaky 2FA since late last year. Researchers from the French cybersecurity company Sekoia have now published a new report warning how the kit, operating by way of a bot service via Telegram, targets Microsoft 365 account holders.
“Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently,” Sekoia researchers Quentin Bourgue and Grégoire Clermont said, “Currently, Sneaky 2FA’s phishing pages are hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attacker.” Costing $200 per month, the Sneaky Log sales team offers reductions that bring the cost down depending upon the length of the subscription.
Like so many of these kits, take a look at Rockstar 2FA, example, Sneaky 2FA harvests Microsoft 365 session cookies in order to bypass the 2FA process during subsequent attacks so that authentication appears, indeed is, legitimate as far as the session is concerned.
Elad Luz, head of research at Oasis Security, said that the threat actors had “blurred out screenshots of Microsoft webpages to create a convincing login background,” which made it “appear as though users will access legitimate content after successfully logging in.”
Meanwhile, Stephen Kowski, field chief technology officer at SlashNext Email Security+, said “this kit’s sneaky aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages” adding that it is “particularly dangerous for Microsoft 365 environments.”
I have reached out to Microsoft for a statement.
Mitigating 2FA Bypass Attacks
Intercepting both credentials and 2FA codes in real time means that attackers are able to bypass what Patrick Tiquet, vice President of security and architecture at Keeper Security, calls “one of the most relied-upon layers of account protection.” The sneakiness, Tiquet warned, and its sophistication lies in its anti-analysis features such as traffic filtering and checks to avoid detection. As well as “convincing pre-populated login forms, which enhance its success rate,” not to mention that hosting the phishing pages on compromised infrastructure adds another layer of deception, according to Tiquet. Luckily, there are mitigations that organizations can consider, and the first, Tiquet said, is “implementing Privileged Access Management to restrict access and contain potential damage from compromised accounts.” By pairing this with robust password management, Tiquet continued, you can ensure that credentials are strong, unique and securely stored, reducing exposure to phishing campaigns. “Additionally, a password manager will prevent users from entering credentials into spoofed websites because the tool will only auto-fill credentials on the authentic webpage,” Tiquet concluded.
Although this 2FA bypass attack targets Microsoft 365 users, this kind of threat is not just aimed at Microsoft and can impact users of any accounts that are perceived to be of high value to the threat actors involved. The common factor, as alluded to already, in most such attacks is the phishing aspect, so that’s where the mitigation methodology must sit: this fascinating article explores methods of mitigating phishing attacks.
