Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users
A stealthy new underground offering uses sophisticated adversary-in-the-middle (AitM) techniques to convincingly serve up "Microsoft" login pages of various kinds, with dynamic enterprise branding.
October 9, 2024
A phishing-as-a-service (PhaaS) kit dubbed Mamba 2FA is targeting Microsoft 365 users using a variety of convincing adversary-in-the-middle (AitM) disguises.
According to the Sekoia Threat Detection & Research (TDR) team, the kit, which goes for $250 per month on underground cybercrime forums, can present a number of faux login pages to unsuspecting users. It can imitate OneDrive, a SharePoint Online secure link, or a generic Microsoft sign-in page; or it can show the user a purported voicemail retrieval link that redirects to a sign-in page after a click.
In all cases, it dynamically reflects enterprise targets' branding, including logos and background image.
According to Sekoia, Mamba 2FA slithers past two-factor authentication (2FA) methods that use one-time codes and app notifications; supports Entra ID, AD FS, third-party SSO providers, and consumer Microsoft accounts; and harvests credentials and cookies that are instantly sent to the attacker via a Telegram bot.
"Mamba 2FA has been advertised on Telegram since at least March," according to a Sekoia analysis this week. "However, according to data from public URL and file analysis sandboxes, the kit has been used in phishing campaigns since November 2023. The operator of the service had a long-standing presence on ICQ until this messaging platform shut down in June 2024, and this may be where Mamba 2FA was primarily sold before shifting to Telegram."
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024