Sneaky 2FA, a phishing kit marketed through Telegram, is used in adversary-in-the-middle (AitM) attacks against Microsoft 365 users by way of fake login pages. The investigation surfaced numerous indicators of compromise (IoCs), including domains and IP addresses linked to malicious campaigns. The analysis is intended to support threat detection and give defenders the context needed to strengthen their controls.
Affected: Microsoft 365 users
Key points:
- Sneaky 2FA uses phishing-as-a-service (PhaaS) to target Microsoft 365 users.
- The attack employs fake authentication pages with pre-filled email fields.
- Sekoia’s investigation identified 61 IoCs consisting of domains and IP addresses.
- The WhoisXML API found additional IoCs, including email-connected and malicious domains.
- The majority of identified domains were created in 2024 and registered by various registrars.
- Many of the domains had historical IP resolutions indicating connections to other web properties.
- Some email addresses linked to the IoCs were associated with previously weaponized campaigns.
MITRE Techniques:
- Phishing (T1566) – Fake Microsoft authentication pages are used for credential harvesting.
- Adversary-in-the-Middle (AitM) (T1557) – The attacker sits between the user and the legitimate service to intercept sensitive data.
Indicators of Compromise:
- [Domain] usfightingsystems[.]com
- [Domain] advanceplastics-ke[.]com
- [Domain] drop-project[.]top
- [Domain] intertrustsgroup[.]com
- [Domain] organicchoicehome[.]com
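The domains above are published defanged (`[.]`) so they cannot be clicked by accident, which means a detection job has to refang them before matching. The following is an added example, not code from the page, Sekoia or WhoisXML API: it refangs the listed domains, then sweeps a small set of constructed DNS/proxy log lines (format `<timestamp> <client_ip> <query-or-url>` is an assumption) for exact or subdomain matches, and reports hits with the indicator defanged again for safe inclusion in a ticket.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains listed on the page as Sneaky 2FA indicators, kept defanged as published.
IOC_DOMAINS_DEFANGED = [
    "usfightingsystems[.]com",
    "advanceplastics-ke[.]com",
    "drop-project[.]top",
    "intertrustsgroup[.]com",
    "organicchoicehome[.]com",
]

# Constructed sample log lines (assumed format: "<timestamp> <client_ip> <query-or-url>").
SAMPLE_LOG = [
    "2025-01-20T09:14:02Z 10.0.0.12 login.microsoftonline.com",
    "2025-01-20T09:15:40Z 10.0.0.12 https://login.usfightingsystems.com/login",
    "2025-01-20T09:16:05Z 10.0.0.33 drop-project.top.",
    "2025-01-20T09:17:11Z 10.0.0.33 notusfightingsystems.com",
    "2025-01-20T09:18:59Z 10.0.0.45 cdn.intertrustsgroup.com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://') back into a matchable form."""
    s = indicator.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("{.}", ".")):
        s = s.replace(defanged, real)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def defang(domain: str) -> str:
    """Defang a domain again before it goes into a report or chat message."""
    return domain.replace(".", "[.]")


def extract_host(field: str) -> Optional[str]:
    """Pull a hostname out of a log field that is either a URL or a bare (possibly FQDN-dotted) name."""
    field = field.strip().lower()
    if "://" in field:
        host = urlsplit(field).hostname or ""
    else:
        host = field.split("/", 1)[0].split(":", 1)[0]
    host = host.rstrip(".")  # drop the trailing root dot some DNS logs emit
    return host or None


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IoC domain itself or any subdomain of it (e.g. login.<ioc>).

    A plain substring test would also flag 'notusfightingsystems.com', so the
    check requires a label boundary."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(lines: List[str], iocs_defanged: List[str] = IOC_DOMAINS_DEFANGED
             ) -> List[Tuple[int, str, str, str]]:
    """Return one (line_number, client_ip, host, matched_ioc_defanged) tuple per hit."""
    iocs = [(refang(d), d) for d in iocs_defanged]
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        host = extract_host(parts[2])
        if not host:
            continue
        for real, original in iocs:
            if domain_matches(host, real):
                hits.append((n, parts[1], host, original))
                break
    return hits


if __name__ == "__main__":
    for line_no, client, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {client} contacted {defang(host)} (matches {ioc})")
```

Running the block reports lines 2, 3 and 5 and leaves line 4 alone; the subdomain-aware match matters because AitM kits commonly serve the fake page from a host such as `login.<domain>` rather than the bare registered domain.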
Full Story: https://circleid.com/posts/sneaking-a-peek-into-the-inner-dns-workings-of-sneaky-2fa