A new phishing-as-a-service (PhaaS) platform named “Sneaky 2FA” has been identified, targeting Microsoft 365 accounts by bypassing two-factor authentication (2FA). Active since at least October 2024, this platform is sold under the name “Sneaky Log” and operates through a Telegram bot, providing customers with obfuscated source code for independent deployment. The phishing campaigns typically involve sending emails with payment receipt themes, containing QR codes that direct recipients to counterfeit Microsoft authentication pages designed to harvest credentials and 2FA codes. The kit employs anti-analysis measures, such as traffic filtering and Cloudflare Turnstile challenges, to ensure only genuine targets reach the credential-harvesting pages. Notably, it checks with a central server to verify active subscriptions, indicating a licensing model similar to the previously exposed W3LL Panel phishing kit.
https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html
