The Sneaky2FA phishing-as-a-service (PhaaS) kit has added browser-in-the-browser (BitB) capabilities that are used in attacks to steal Microsoft credentials and active sessions.
Sneaky2FA is a widely used PhaaS platform right now, alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts.
The kit was known for its SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers.
According to a report from Push Security, Sneaky2FA has now added a BitB pop-up that mimics a legitimate Microsoft login window. To add to the deception, the fake sign-in page adjusts dynamically to the victim’s OS and browser.
An attacker stealing credentials and active session tokens can authenticate to the victim’s accoun,t even when the two-factor authentication (2FA) protection is active.
BitB is a phishing technique devised by researcher mr.d0x in 2022 and has since been adopted by threat actors for real attacks targeting Facebook and Steam accounts, among other services.
During the attack, users landing on an attacker-controlled webpage see a fake browser pop-up window with a login form.
The template for the pop-up is an iframe that mimics the authentication form of legitimate services and can be customized with a specific URL and window title.
Because the fake window displays a URL bar with the targeted service’s official domain address, it looks like a trustworthy OAuth pop-up.
In the case of Sneaky2FA, the victim opens a phishing link on ‘previewdoc[.]com’ and goes through a Cloudflare Turnstile bot check before they’re prompted to sign in with Microsoft to view a document.
... continue reading