Analyzing the Latest Sneaky2FA Phishing Page

MITRE Techniques

• [T1566 ] Phishing – Use of reverse-proxy/AITM and BITB pages prompting users to “Sign in with Microsoft” to harvest credentials (‘The user is prompted to “Sign in with Microsoft” as part of the phishing lure.’)
• [T1557 ] Adversary-in-the-Middle – Reverse-proxy AITM architecture used to intercept authentication and session tokens (‘reverse-proxy Attacker-in-the-Middle site’)
• [T1078 ] Valid Accounts – Stolen Microsoft credentials and active sessions enabling account takeover (‘Completing authentication will result in the user’s Microsoft credentials and active session being stolen by the attacker, facilitating account takeover.’)
• [T1027 ] Obfuscated Files or Information – Heavy HTML/JavaScript obfuscation and encoded UI elements to evade static detection and fingerprinting (‘The HTML and JavaScript of Sneaky2FA pages are heavily obfuscated to evade static detection and pattern-matching’)
• [T1562.001 ] Impair Defenses: Disable or Modify Tools – Anti-analysis techniques to detect or disable browser developer tools and block page analysis (‘using anti-analysis techniques to detect or disable browser developer tools to block attempts to analyse the page’)
• [T1090 ] Proxy – Use of embedded browser pop-ups/iframes and reverse proxies to mask the real phishing server and display fake login URLs (‘BITB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server.’)
• [T1583 ] Acquire Infrastructure – Use of PhaaS kits and for-hire phishing infrastructure (Sneaky2FA, Raccoon0365, etc.) to obtain capabilities and deploy campaigns (‘PhaaS kits make up the vast majority of phishing sites … Raccoon0365 is another PhaaS service’)