Mamba Phishing-as-a-Service Kit: How Modern adversary-in-the-middle (AiTM) Attacks Operate – CYFIRMA

CYFIRMA assesses that Mamba 2FA is a scalable adversary-in-the-middle phishing framework that automates realistic Microsoft authentication flows to capture credentials, bypass MFA, and relay sessions with minimal user interaction. The report highlights encoded URL parameters, Microsoft-style password prompts, client-side password capture, and rapid redirection to legitimate sites, and recommends hardened identity controls such as FIDO2/WebAuthn and continuous monitoring to mitigate the risk. #Mamba2FA #Microsoft365

Key points

  • Mamba 2FA is a phishing-as-a-service AiTM framework designed for realism, automation, and scale, prioritizing operational efficiency over bespoke development.
  • Phishing URLs use an encoded query parameter (e.g., /s/?) to pass identity context and hinder static detection.
  • Victim flows omit email entry and immediately present a Microsoft-style password prompt with organization branding, implying pre-established identity context.
  • Client-side JavaScript captures and relays passwords rapidly, then redirects victims to legitimate sites to reduce suspicion while backend session activity continues.
  • Delivery is primarily email-based (malicious links, HTML bodies, or attached message files) and often uses short-lived or redirecting infrastructure to evade filtering.
  • Mamba 2FA reflects a broader PhaaS ecosystem trend toward feature parity, evasive enhancements, and standardized AiTM workflows targeting cloud identity platforms like Microsoft 365.
  • Mitigations recommended include stronger MFA (hardware/FIDO2), conditional access, advanced email/URL inspection, browser isolation, EDR monitoring, and ongoing threat intelligence.

MITRE Techniques

  • [T1566.002] Phishing: Link – Delivered via email links impersonating legitimate services to drive victims to the phishing URL (‘Email messages posing as Microsoft security alerts, document notifications, or account activity warnings’).
  • [T1566.001] Phishing: Spearphishing Attachment – Use of attachments or HTML message files to preserve branding and deliver the phishing content (‘HTML email bodies or attached message files to preserve branding and formatting’).
  • [T1056.003] Input Capture: Web Portal Capture – In-browser capture of credentials via a Microsoft-style password prompt monitored by client-side scripts (‘The password field is monitored by client-side JavaScript’).
  • [T1110.004] Brute Force: Credential Stuffing – Credential-based account compromise methods are noted alongside phishing; defenders should monitor for rapid failed attempts (‘Monitor for suspicious login patterns, such as rapid repeated failed attempts’).
  • [T1528] Steal Application Access Token – Session- and token-aware techniques used to preserve and relay identity context in real time (‘integrating authentication flow emulation, session handling, and real-time backend communication’).
  • [T1027] Obfuscated Files or Information – Use of encoded, non-human-readable URL parameters to conceal operational parameters (‘The encoded parameter contains a long, non-human-readable string’).
  • [T1127] Trusted Developer Utilities Proxy Execution – Abuse of legitimate tooling and evasive enhancements to reduce detection and execution friction (‘evasive enhancements’).
  • [T1105] Ingress Tool Transfer – Server-delivered HTML and scripts initiate the phishing flow by transferring attacker-controlled content to the victim browser (‘The server responds with HTML content, initiating the phishing flow’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTPS and web protocols for credential capture and backend communication (‘HTTPS over standard web port’).
  • [T1132] Data Encoding – Encoding of parameters (e.g., base64) to pass state and hinder signature-based detection (‘/s/?’).
  • [T1056] Input Capture – General browser-based input capture for automated credential relay (‘Client-side JavaScript … preparing the entered credentials for transmission immediately upon submission’).
  • [T1119] Automated Collection – Automation of identity context handling and credential relay to scale campaigns and reduce operator interaction (‘prioritizes automation and speed, reducing user interaction’).
  • [T1499.004] Endpoint Denial of Service: Application or System Exploitation – Listed as an impact technique in the framework table, indicating potential for application-level disruption (‘Endpoint Denial of Service: Application or System Exploitation’).

Indicators of Compromise

  • [URL path] phishing page structure – example: /s/? (encoded query parameter used to pass identity context).
  • [Short-lived/rotating domains] delivery infrastructure – examples: short-lived URLs and rapidly rotated domains used to evade reputation filtering.
  • [Email lure content] phishing lure subjects/body – examples: “Microsoft security alert” and “document notification” used to induce clicks; messages may include HTML bodies or attached message files.
  • [Redirect chains] infrastructure evasion – example: benign-looking initial links that forward victims through redirect chains to the final phishing page.
  • [Network endpoints] post-compromise communication – examples: unknown HTTPS endpoints and WebSocket channels observed as backend communication targets for session relay.
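The URL-path indicator above and the key point about the encoded /s/? parameter describe a shape a proxy-log triage rule can look for: a generic /s/ path carrying one long, opaque query token on a host that is not a real sign-in host. The following is an added example written for this summary, not code from CYFIRMA or from the kit; the host names, user names, log format, allow-listed sign-in hosts and the length/entropy thresholds are all constructed assumptions.

```python
import math
from urllib.parse import urlsplit
# Hosts where a Microsoft sign-in page legitimately lives (assumption: extend per tenant).
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
MIN_TOKEN_LEN, MIN_ENTROPY_BITS = 40, 4.0  # assumptions; tune against your own proxy data
ENCODED_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=_-")
# Constructed opaque token and log lines; hosts and users are placeholders, not real indicators.
OPAQUE_TOKEN = "kX9vT2mQ7pL4sR8wZ1nB6cF3hJ5dG0yA" + "uE4iM8oN1qW5tY9rI3eK7lO2xC6zV0bH"
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z user1 https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "2024-01-01T10:00:05Z user1 https://docs-share-example.invalid/s/?" + OPAQUE_TOKEN,
    "2024-01-01T10:00:09Z user2 https://example.org/s/?q=hello",
    "2024-01-01T10:00:12Z user2 https://cdn.example.net/assets/app.js?v=" + OPAQUE_TOKEN,
]

def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def triage_url(url: str) -> list:
    """Reasons the URL matches the reported pattern (generic /s/ path AND one long opaque query
    token, on a non-sign-in host); both signals are required, so either alone returns []."""
    parts = urlsplit(url)
    if (parts.hostname or "") in KNOWN_LOGIN_HOSTS:
        return []
    reasons = []
    if parts.path.rstrip("/") == "/s":
        reasons.append("generic /s/ path")
    for field in parts.query.split("&"):
        token = field.split("=", 1)[-1]  # bare (/s/?TOKEN) or a value (/s/?k=TOKEN)
        if (len(token) >= MIN_TOKEN_LEN and set(token) <= ENCODED_ALPHABET
                and shannon_entropy(token) >= MIN_ENTROPY_BITS):
            reasons.append("opaque encoded token of %d chars" % len(token))
    return reasons if len(reasons) >= 2 else []

def scan_proxy_log(lines) -> list:
    """Return (user, url, reasons) for each 'timestamp user url' line that trips the heuristic."""
    hits = []
    for line in lines:
        fields = line.split()
        reasons = triage_url(fields[2]) if len(fields) == 3 else []
        if reasons:
            hits.append((fields[1], fields[2], reasons))
    return hits
```

Requiring both signals keeps a URL shortener's /s/ path and a long cache-busting asset token from firing on their own; a hit is a triage lead for the identity team, not proof of compromise.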

Read more: https://www.cyfirma.com/research/mamba-phishing-as-a-service-kit-how-modern-adversary-in-the-middle-aitm-attacks-operate/