Full Report
Security firm Barracuda said it has detected more than a million phishing-as-a-service (PhaaS) attacks in 2025
Analysis Summary
# Tool/Technique: Sneaky 2FA
## Overview
Sneaky 2FA is a phishing-as-a-service (PhaaS) toolkit sold by the cybercrime group Sneaky Log. It is known for its ability to bypass two-factor authentication (2FA) measures, specifically targeting user credentials and access for Microsoft 365 accounts through Adversary-in-the-Middle (AiTM) attacks.
## Technical Details
- Type: Phishing Toolkit/Service (PhaaS)
- Platform: Not stated explicitly; initial delivery is implied to be by email, with victims likely desktop or mobile users signing in to Microsoft 365 services.
- Capabilities: Bypasses 2FA, performs AiTM attacks, leverages Telegram for operation via a bot.
- First Seen: Active and emerging in early 2025 (based on the article context).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Likely initial delivery vector via email)
- T1558 - Steal or Forge Authentication Credentials
- T1558.003 - Multi-Factor Authentication Interception (Primary function via AiTM)
## Functionality
### Core Capabilities
- Phishing campaign delivery via email links.
- Adversary-in-the-Middle (AiTM) operations to intercept credentials and session cookies.
- Evasion of Two-Factor Authentication (2FA) mechanisms.
### Advanced Features
- Operates as a Telegram bot, controlled or managed through the messaging service.
- Sold as a service (PhaaS) by the Sneaky Log cybercrime outfit, indicating modular and accessible infrastructure for various threat actors.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article]
- Registry Keys: [Not provided in the article]
- Network Indicators: [Not specified. The attack relies on a phishing infrastructure; no C2 details are given beyond the Telegram bot integration, which hosts the command-and-control or management interface.]
- Behavioral Indicators: Successful session hijacking following 2FA prompt interaction; observed in AiTM traffic patterns.
## Associated Threat Actors
- Sneaky Log (The vendor/seller of the toolkit)
- Various threat actors utilizing the PhaaS service.
## Detection Methods
- Signature-based detection: [Not detailed for Sneaky 2FA specifically, but traditional email gateway filtering applies to the initial lure.]
- Behavioral detection: Monitoring for post-login activity that indicates session or token theft, particularly involving unusual intermediate connections during the login flow (AiTM TTPs).
- YARA rules: [Not provided in the article]
## Mitigation Strategies
- Prevention measures: Implementing phishing awareness training focused on AiTM-style attacks. Using phishing-resistant forms of MFA (e.g., security keys like FIDO2/WebAuthn) that are not susceptible to session interception.
- Hardening recommendations: Organizations utilizing Microsoft 365 should investigate logs for suspicious session tokens or logins originating from anomalous sequences indicative of an AiTM proxying stage.
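The behavioral detection and log-review steps above, as an added defender-side example that is not from the article or from Barracuda: a session ID whose MFA completion came from one source IP and whose first use comes from a different IP shortly afterwards is the replay footprint an AiTM proxy leaves. The log format, field names and sample values below are constructed assumptions, not a real Entra ID sign-in log schema.

```python
"""Flag sessions whose session ID is used from a different source IP than the
one that completed MFA, within a short window (AiTM session-replay heuristic).
Log format and values are constructed for this example."""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user session_id src_ip kind")

# Constructed sample log, '|'-separated: timestamp|user|session id|source IP|event kind.
# Alice's MFA completes from one IP and the same session is used 18 s later
# from another; Bob's session stays on one IP.
SAMPLE_LOG = """\
2025-03-04T09:00:01Z|alice@example.com|sess-7f3a|203.0.113.10|mfa_success
2025-03-04T09:00:19Z|alice@example.com|sess-7f3a|198.51.100.77|token_use
2025-03-04T09:05:00Z|bob@example.com|sess-91c2|192.0.2.55|mfa_success
2025-03-04T09:06:30Z|bob@example.com|sess-91c2|192.0.2.55|token_use
2025-03-04T10:00:00Z|alice@example.com|sess-7f3a|198.51.100.77|token_use
"""

def parse_log(text):
    """Parse the constructed '|'-separated log into Event tuples."""
    events = []
    for line in text.splitlines():
        ts, user, sid, ip, kind = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, sid, ip, kind))
    return events

def find_session_replay(events, window=timedelta(minutes=30)):
    """Return (user, session_id, mfa_ip, use_ip, seconds_after_mfa) for every
    token use from an IP other than the MFA-completing one inside `window`.
    The window is a noise control (legitimate roaming can change IPs later);
    tune it to the tenant's normal behaviour."""
    origin = {}  # session_id -> Event that completed MFA
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            origin[ev.session_id] = ev
        elif ev.kind == "token_use" and ev.session_id in origin:
            o = origin[ev.session_id]
            delta = ev.ts - o.ts
            if ev.src_ip != o.src_ip and delta <= window:
                hits.append((ev.user, ev.session_id, o.src_ip, ev.src_ip,
                             int(delta.total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in find_session_replay(parse_log(SAMPLE_LOG)):
        print("possible AiTM session replay:", hit)
```

In practice the two IPs would also be checked against the user's known locations and ASNs, since in an AiTM flow the MFA-completing IP is the proxy's rather than the victim's.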
## Related Tools/Techniques
- Tycoon 2FA (Another prominent PhaaS platform)
- EvilProxy (Another known PhaaS platform)
- General AiTM frameworks (e.g., Modlishka, Evilginx2)