New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass.

Information:
A phishing kit is a toolkit specifically designed to create and carry out phishing attacks. These kits usually come with ready-to-use tools and templates, allowing attackers to quickly and easily create fake websites that mimic legitimate ones. The goal is to deceive users into revealing sensitive information such as usernames, passwords, or financial data.
Incident:
Cybersecurity researchers have unveiled a new Adversary-in-the-Middle (AitM) phishing kit capable of stealing credentials and two-factor authentication (2FA) codes from Microsoft 365 accounts. Dubbed "Sneaky 2FA" by French cybersecurity firm Sekoia, it was detected in December 2024.

Picture 1: Details about the three tools sold by Sneaky Log
This phishing kit is sold as Phishing-as-a-Service (PhaaS) by the cybercrime service "Sneaky Log," operating through a Telegram bot. Customers receive an obfuscated version of the source code to deploy independently.
Phishing campaigns utilizing this kit send payment receipt-related emails to entice recipients into opening bogus PDF documents containing QR codes. Scanning these codes redirects victims to Sneaky 2FA phishing pages. These pages are hosted on compromised infrastructure, primarily WordPress websites and other attacker-controlled domains.
The kit also incorporates anti-bot and anti-analysis measures, employing traffic filtering and Cloudflare Turnstile challenges to ensure only targeted victims reach the credential harvesting pages. It further conducts checks to detect and resist analysis attempts using web browser developer tools.
Recommendation:
- Before clicking on any link, double-check the URL to ensure it is legitimate and trustworthy.
- Avoid opening emails from unknown senders.
- Avoid connecting to public Wi-Fi networks.
- Install a reliable antivirus program and keep it up-to-date.
The key point is the security systems themselves: we must stay vigilant and keep monitoring as usual.
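The first recommendation above (check the URL before clicking) is what a mail gateway or link-rewriting proxy automates, and it is the step a Sneaky 2FA lure depends on the victim skipping: the QR code in the bogus PDF resolves to a phishing page on a compromised WordPress site or other attacker-controlled domain, not to Microsoft's own sign-in host. The following Python is an added example written for this page, not code from Sekoia, Microsoft or the newsletter. It assumes the QR code has already been decoded into a URL (decoding is out of scope), and the allowlist of Microsoft sign-in hosts is an assumption you should adjust for your tenant. It classifies a candidate sign-in link as trusted, lookalike or untrusted and handles the two tricks that fool a quick visual check: the userinfo trick (`trusted-host@real-host`) and Unicode lookalike domains.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts that legitimately serve the Microsoft 365 sign-in flow.
# Adjust for your environment (e.g. a national cloud or a custom-branded IdP).
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def extract_host(url):
    """Return the host a browser would actually connect to, in ASCII and lowercase,
    or None when the URL is not a usable http(s) link."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname discards userinfo ("login.microsoftonline.com@evil.example" -> "evil.example")
    # and the port, and is already lowercased by urlsplit.
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        # Convert internationalised labels to punycode so Unicode lookalikes show up as "xn--".
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host


def classify_login_url(url):
    """Classify a candidate sign-in link.

    Returns a (verdict, host) tuple where verdict is one of:
      "trusted"   - the host is exactly one of TRUSTED_LOGIN_HOSTS
      "lookalike" - the host merely contains a trusted name, or uses punycode labels
      "untrusted" - an ordinary host that is not on the allowlist
      "reject"    - unparseable or non-http(s) URL
    """
    host = extract_host(url)
    if host is None:
        return ("reject", "")
    if host in TRUSTED_LOGIN_HOSTS:
        return ("trusted", host)
    # Punycode anywhere in the name: treat as a lookalike until a human has reviewed it.
    if host.startswith("xn--") or ".xn--" in host:
        return ("lookalike", host)
    # "login.microsoftonline.com.example-wordpress.site" contains the trusted name
    # but the registrable domain is the attacker's.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in host:
            return ("lookalike", host)
    return ("untrusted", host)


def audit_links(urls):
    """Classify a batch of decoded QR/mail links; returns {url: (verdict, host)}."""
    return {url: classify_login_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links for illustration only; the attacker hosts are made up.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://login.microsoftonline.com@evil.example/",
        "https://login.microsoftonline.com.example-wordpress.site/login",
        "https://login.microsoftonl\u00edne.com/",
        "javascript:alert(1)",
    ]
    for link, (verdict, host) in audit_links(samples).items():
        print(f"{verdict:10s} {host:45s} {link}")
```

Only an exact match with the allowlist is reported as trusted; subdomains are deliberately not accepted, because a kit operating a proxy page gains nothing from a wildcard rule and a defender loses the ability to spot `something.login.microsoftonline.com.attacker.site`-style nesting. In a gateway this verdict would feed a block or rewrite decision; in a SOC it is a quick triage helper for links reported by users.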
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)
References:
- https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html
- https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
- https://www.scworld.com/news/sneaky-log-phishing-kits-slip-by-microsoft-365-accounts
Weekly Interesting CVE
| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2023-26277 | 31/5/2024 | 21/11/2024 | IBM Engineering Lifecycle Optimization - Publishing versions 7.0.2 and 7.0.3 | Unnecessary privileges | 7.8 | IBM QRadar WinCollect Agent 10.0 through 10.1.3 could allow a local user to execute commands on the system due to execution with unnecessary privileges. | Update to version 10.1.4 or the latest version. | |
| 2 | CVE-2023-34048 | 25/10/2023 | 20/12/2024 | vCenter Server version 6.5 U2/6.7 U2/8.0 U1 | Out-of-bounds write | 9.8 | vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution. | Update to version 6.5 U3/6.7 U3o/8.0 U1d/8.0 U2. | |
| 3 | CVE-2024-53247 | 10/12/2024 | 2/1/2025 | Splunk Enterprise | Remote Code Execution | 8.8 | In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE). | Update to versions 9.3.2, 9.2.4, and 9.1.7, or higher. | |
| 4 | CVE-2024-49147 | 12/12/2024 | 8/1/2025 | Microsoft Update Catalog | Code Injection | 9.3 | Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website's webserver. | Update to the latest version. | |
| 5 | CVE-2023-25731 | 2/6/2023 | 10/1/2025 | Mozilla Firefox version 109 | Denial of service | 8.8 | Due to URL previews in the network panel of developer tools improperly storing URLs, query parameters could potentially be used to overwrite global objects in privileged code. | Update to version 110. | |
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Fake CrowdStrike job offer emails target devs with crypto miners | 07/01/2025 | Phishing | On January 7, 2025, CrowdStrike identified a phishing campaign impersonating its recruitment process to distribute malware disguised as a fake application. Attackers sent emails posing as CrowdStrike recruiters, thanking recipients for applying for a developer position. The emails directed them to download a supposed "employee CRM application" from a counterfeit CrowdStrike website. This application, once installed, performed environment checks to evade detection and then downloaded and installed the XMRig miner, utilizing the victim's system resources to mine Monero cryptocurrency. | |
28 January 2025