Campaign Trail: A snake in the net: Defending against AiTM phishing threats and Mamba 2FA
by Patrick Anjos

Darktrace describes how Phishing-as-a-Service (PhaaS) and Adversary-in-the-Middle (AiTM) kits, notably Mamba 2FA, are being used to intercept Microsoft 365 sessions and bypass multi-factor authentication. Darktrace / EMAIL and Autonomous Response capabilities detect unusual email rules, evasion techniques, and real-time interception, and neutralize these phishing threats.

Key points

  • PhaaS platforms lower the barrier to entry, enabling more attackers to deploy sophisticated AiTM phishing campaigns.
  • AiTM phishing kits intercept and manipulate communications in real time to capture session cookies and credentials.
  • Mamba 2FA specifically targets Microsoft 365 users and includes methods to bypass multi-factor authentication (MFA).
  • Attack chains use convincing decoy pages and live communication channels to harvest sensitive data as users interact with services.
  • Operators employ evasion techniques designed to avoid detection by conventional security tools.
  • Darktrace / EMAIL and Autonomous Response have detected and neutralized Mamba 2FA attempts, including containment actions.
  • Compromised accounts sometimes create unusual email rules to hide malicious activity and maintain persistence.

MITRE Techniques

  • [T1566] Initial Access – Phishing campaigns delivered AiTM kits to compromise accounts. [‘Utilizes phishing campaigns to compromise accounts.’]
  • [T1534] Credential Access – Attackers steal web session cookies and credentials during the interception process. [‘Steals web session cookies during phishing attacks.’]
  • [T1136] Persistence – Outlook or email rules are manipulated to maintain access to compromised accounts. [‘Manipulates Outlook rules to maintain access to compromised accounts.’]
  • [T1070] Defense Evasion – The phishing kit uses evasion techniques to avoid detection by security tools. [‘Employs evasion techniques to avoid detection by security tools.’]
  • [T1087] Discovery – Threat actors monitor cloud service dashboards and account activity for unusual events. [‘Monitors cloud service dashboards for unusual activities.’]
  • [T1583] Resource Development – Compromised accounts and infrastructure are prepared for further exploitation. [‘Compromises accounts for further exploitation.’]
  • [T1068] Privilege Escalation – Attackers leverage compromised accounts to gain elevated access where possible. [‘Gains elevated access through compromised accounts.’]
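The key point about compromised accounts creating unusual email rules, and the Persistence entry above about manipulated Outlook rules, describe a behaviour defenders can hunt for in mailbox audit data. The following is an added example, not code from Darktrace or from the blog post: it scores inbox-rule creation events for the traits that typically indicate a rule meant to hide activity (terse or punctuation-only names, moves to rarely viewed folders, deletion, marking as read, filtering on security or payment keywords, forwarding to an external domain). The record layout approximates the Microsoft 365 unified audit log's New-InboxRule / Set-InboxRule entries, the folder list, keyword list, point values and threshold are my assumptions, and the sample records are constructed.

```python
"""Flag suspicious inbox-rule creations in audit records (added example, not vendor code)."""
import json
from dataclasses import dataclass, field

# Folders commonly used to bury mail out of the mailbox owner's sight (assumption).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items",
                  "archive", "conversation history"}
# Keywords suggesting the rule targets security notices or payment threads (assumption).
SUSPICIOUS_KEYWORDS = {"password", "mfa", "verification", "invoice", "payment",
                       "wire", "hacked", "phish", "suspicious"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    user: str
    rule_name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _as_terms(value):
    """Audit parameters arrive as 'a;b' strings or lists; normalise to lower-case terms."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v).strip().lower() for v in value]
    return [t.strip().lower() for t in str(value).split(";") if t.strip()]


def _is_true(value):
    return str(value).strip().lower() == "true"


def score_rule(record: dict, internal_domains: set) -> Finding:
    """Score one rule event; higher means more likely to be hiding or exfiltrating mail."""
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    finding = Finding(user=record.get("UserId", "?"), rule_name=str(params.get("Name", "")))

    def hit(points, reason):
        finding.score += points
        finding.reasons.append(reason)

    name = finding.rule_name.strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        hit(2, "rule name is empty, very short or pure punctuation")
    if _is_true(params.get("DeleteMessage")):
        hit(3, "deletes matching messages")
    folder = str(params.get("MoveToFolder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        hit(3, f"moves matches to rarely viewed folder '{folder}'")
    if _is_true(params.get("MarkAsRead")):
        hit(1, "marks matches as read")
    if _is_true(params.get("StopProcessingRules")):
        hit(1, "stops further rule processing")
    terms = []
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        terms.extend(_as_terms(params.get(key)))
    matched = sorted(SUSPICIOUS_KEYWORDS.intersection(terms))
    if matched:
        hit(2, f"filters on sensitive keywords {matched}")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in _as_terms(params.get(key)):
            domain = addr.rsplit("@", 1)[-1]
            if domain not in internal_domains:
                hit(4, f"external forwarding to {addr}")
    return finding


def analyze(log_lines, internal_domains, threshold=5):
    """Parse JSON-lines audit records and return rule events scoring at or above threshold."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        finding = score_rule(record, internal_domains)
        if finding.score >= threshold:
            findings.append(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample records: two hiding/forwarding rules, one benign rule, one non-rule event.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "password;invoice;MFA"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@example.com", "Parameters": [
        {"Name": "Name", "Value": "Sync"},
        {"Name": "ForwardTo", "Value": "backup.mailbox@example.net"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "UserLoggedIn", "UserId": "dave@example.com"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]
INTERNAL_DOMAINS = {"example.com"}  # the organisation's own domains (assumption)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, INTERNAL_DOMAINS):
        print(f"{f.user}: rule {f.rule_name!r} score={f.score} {'; '.join(f.reasons)}")
```

The scoring is additive so that a single weak signal (a rule that marks newsletters as read) stays below the threshold while the combination seen in account takeovers (punctuation-only name, sensitive keywords, hidden folder) crosses it; tune the weights and keyword list to the tenant's normal rule activity before alerting on it.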

Indicators of Compromise

  • [IP Address] Infrastructure used by the phishing kit: 2607:5500:3000:fea[::], 45.133.172[.]86, 2607:5500:3000:1cab[:]2, 102.68.111[.]240

Read more: https://darktrace.com/blog/a-snake-in-the-net-defending-against-aitm-phishing-threats-and-mamba-2fa