Mamba 2FA: A new contender in the AiTM phishing ecosystem
ID: 7a8694f7-a7f3-5dbf-8e8a-b50b1c28928e
STIX ID: report--7a8694f7-a7f3-5dbf-8e8a-b50b1c28928e
Feed Name: Sekoia.io Blog
Sekoia TDR details Mamba 2FA, a commercially offered AiTM phishing kit sold via Telegram. The kit uses HTML attachments and Socket.IO websockets to capture credentials, cookies and MFA responses for Microsoft/Entra accounts. The report covers the kit's architecture (link domains, relay servers, proxies), templates, operational timelines, sample IOCs (domains and IPs), detection guidance and evidence of active use since November 2023.
