Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service
ID: b0174d0f-6b04-5aba-a19d-00d1801a775b
STIX ID: report--b0174d0f-6b04-5aba-a19d-00d1801a775b
Feed Name: Sekoia.io Blog
Date Published: 2025-01-16
Date Updated: 2026-04-29
Author: Quentin Bourgue, Grégoire Clermont and Sekoia TDR
**Sekoia TDR identified and analyzed Sneaky 2FA, an AiTM phishing kit sold via a Telegram-based Phishing-as-a-Service (Sneaky Log) that targets Microsoft 365 accounts to harvest credentials and session cookies for MFA bypass. The report documents technical behaviors (URL patterns, Cloudflare Turnstile use, obfuscation, anti-analysis), attacker infrastructure, IoCs (~100 domains, IPs, and servers), monetization/payment patterns, and detection opportunities, including a Sigma correlation for impossible device shifts.**
