Your MFA Is No Match for Sneaky2FA

In early February 2025, the eSentire Threat Response Unit detected a sophisticated phishing attack associated with Sneaky2FA, an Adversary-in-the-Middle (AitM) Phishing-as-a-Service kit designed to bypass two-factor and multi-factor authentication (2FA/MFA). This threat report delves into the details of the attack and its implications, and provides recommendations for mitigating such threats.

The attack began with a spam email containing a link to a phishing PDF hosted on OneDrive. Users who clicked the link were redirected to a fake Office 365 login page. This phishing page was gated by Cloudflare Turnstile, a challenge that only real browsers can pass, so automated scanners and URL sandboxes never reach the credential form; this both hides the page from security tooling and adds an extra layer of deception for the victim.

Sneaky2FA is particularly dangerous because it captures not only user credentials but also 2FA codes. As an AitM kit it relays both to the legitimate service in real time, so the attackers obtain the authenticated session cookie that the service issues. Replaying that cookie grants access to the account without triggering any further MFA prompt, which effectively bypasses the protection that multi-factor authentication is meant to provide.

The phishing operators were observed using stolen cookies to add additional MFA methods to compromised accounts. This tactic allows them to maintain persistent access even after the victim's password is reset. The use of VPN and proxy services further obscures their activities, making it difficult for security teams to trace the origin of the attacks.

The sophistication of Sneaky2FA enables a range of damaging follow-on activities. Once inside an organization’s network, attackers can exfiltrate sensitive emails, launch spam campaigns, and conduct Business Email Compromise (BEC) attacks. These activities can lead to significant financial losses and reputational damage for the targeted organizations.

To mitigate the risks posed by Sneaky2FA and similar threats, organizations should implement a multi-layered security approach. Here are some recommendations:

  1. User Education: Conduct regular training sessions to educate employees about phishing attacks and the importance of verifying the authenticity of emails and links before clicking on them. Emphasize the need for caution when dealing with unexpected or suspicious emails.

  2. Email Filtering: Implement advanced email filtering solutions that can detect and block phishing attempts. These solutions should be regularly updated to keep pace with evolving threats.

  3. Multi-Factor Authentication (MFA): While Sneaky2FA demonstrates that MFA is not foolproof, it remains an essential layer of security. Organizations should enforce strong MFA policies and consider additional authentication methods such as biometrics or hardware tokens; phishing-resistant FIDO2/WebAuthn authenticators in particular bind the login to the genuine site's origin, so an AitM proxy cannot relay them.

  4. Monitoring and Detection: Deploy threat detection tools that can identify unusual login activity and potential phishing attempts in real time, for example sign-ins from anonymizing VPN or proxy addresses, a session reused from a new location without an MFA challenge, or a new MFA method registered shortly after such a sign-in. Regularly review logs for any signs of unauthorized access.

  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly detect, respond to, and mitigate the impact of phishing attacks. Ensure that all employees are aware of their roles and responsibilities during a security incident.

  6. Regular Audits: Conduct regular security audits to identify vulnerabilities in your systems and processes. Address any identified weaknesses promptly to minimize the risk of successful attacks.

  7. Third-Party Risk Management: Evaluate the security practices of third-party vendors and service providers. Ensure that they adhere to stringent security standards and regularly review their compliance with these standards.
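As an added example (not part of the eSentire report or this post), the following Python ties recommendation 4 to the persistence tactic described above: it scans constructed, simplified sign-in and audit records for a session cookie reused from a new address without an MFA challenge, and for an MFA method registered from that replayed session or from an address tagged as a VPN/proxy. The field names, the sample records and the `ip_reputation` tag are assumptions for illustration, not a real Microsoft 365 or Entra log schema.

```python
from datetime import datetime, timedelta

# Constructed, simplified records (not a real Microsoft 365 / Entra export).
# "session" is a session-cookie identifier; "ip_reputation" is assumed to be filled in
# by an upstream enrichment step that tags known VPN/proxy exit addresses.
SIGN_INS = [
    {"ts": "2025-02-03T09:02:10", "user": "alice@example.com", "ip": "203.0.113.7",
     "mfa_satisfied": True, "ip_reputation": "corporate", "session": "S1"},
    # same cookie reused minutes later from a proxy address with no MFA challenge: replay
    {"ts": "2025-02-03T09:06:41", "user": "alice@example.com", "ip": "198.51.100.23",
     "mfa_satisfied": False, "ip_reputation": "anonymizing-proxy", "session": "S1"},
    {"ts": "2025-02-03T10:15:00", "user": "bob@example.com", "ip": "203.0.113.9",
     "mfa_satisfied": True, "ip_reputation": "corporate", "session": "S2"},
]
AUDIT = [
    {"ts": "2025-02-03T09:09:12", "user": "alice@example.com", "ip": "198.51.100.23",
     "action": "register_mfa_method", "detail": "authenticator app added"},
    {"ts": "2025-02-03T11:00:00", "user": "bob@example.com", "ip": "203.0.113.9",
     "action": "register_mfa_method", "detail": "phone number added"},
]

def _t(s):
    return datetime.fromisoformat(s)

def detect_cookie_replay(sign_ins, window=timedelta(hours=1)):
    """Flag a session cookie reused from a new IP, without MFA, soon after an MFA'd sign-in."""
    alerts, first_seen = [], {}
    for e in sorted(sign_ins, key=lambda e: e["ts"]):
        first = first_seen.setdefault(e["session"], e)
        if e is first:
            continue  # first sighting of this session establishes the baseline
        if (first["mfa_satisfied"] and not e["mfa_satisfied"] and e["ip"] != first["ip"]
                and _t(e["ts"]) - _t(first["ts"]) <= window):
            alerts.append({"user": e["user"], "session": e["session"], "ip": e["ip"],
                           "ts": e["ts"], "reason": "session reuse from new IP without MFA"})
    return alerts

def detect_suspicious_mfa_enrollment(sign_ins, audit, replay_alerts, window=timedelta(hours=1)):
    """Flag MFA-method registrations that follow a replayed session or come from a proxy/VPN IP."""
    replayed = {(a["user"], a["ip"]): _t(a["ts"]) for a in replay_alerts}
    proxy_ips = {e["ip"] for e in sign_ins if e["ip_reputation"] == "anonymizing-proxy"}
    alerts = []
    for ev in audit:
        if ev["action"] != "register_mfa_method":
            continue
        key = (ev["user"], ev["ip"])
        after_replay = key in replayed and _t(ev["ts"]) - replayed[key] <= window
        if after_replay or ev["ip"] in proxy_ips:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "detail": ev["detail"],
                           "reason": "MFA method added after cookie replay or from proxy IP"})
    return alerts
```

Alerts of the second kind are the signal to revoke all sessions for the user and review registered authentication methods, since a password reset alone does not remove an attacker-added MFA method.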

The detection of Sneaky2FA highlights the evolving nature of cyber threats and the need for organizations to stay vigilant. By implementing robust security measures and fostering a culture of cybersecurity awareness, organizations can better protect themselves against sophisticated phishing attacks and other malicious activities.

For additional information on this threat report, please refer to the following external references:

  • https://www.esentire.com/blog/your-mfa-is-no-match-for-sneaky2fa
  • https://otx.alienvault.com/pulse/67c148f5d64d299fa4a97670

This report underscores the importance of staying informed about emerging threats and taking proactive steps to enhance cybersecurity defenses. By understanding the tactics used by attackers like Sneaky2FA, organizations can better prepare themselves to defend against similar threats in the future.
