A new Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts proxies the victim's sign-in to Microsoft in real time, so it captures both the user's credentials and the two-factor authentication (2FA) step, and it evades anti-phishing defenses such as email and secure web gateways.
In a Jan. 16 blog post, Sekoia researchers said these phishing pages have been circulating since at least October 2024 and have been sold as Phishing-as-a-Service (PhaaS) kits by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.
At the time of writing, the researchers said, Sneaky Log's 2FA phishing pages were hosted on compromised infrastructure, frequently WordPress websites, and on other domains controlled by the attackers.
Elad Luz, head of research at Oasis Security, explained that this phishing technique is particularly “sneaky” for several reasons:
- Specially crafted: The links in the phishing emails are crafted to pass the victim’s email address to the login page, enabling it to “autofill” the email field. Luz said this mimics the behavior of legitimate websites, where autofill is typically associated with accounts users have previously logged into.
- Obfuscation: Threat actors blurred out screenshots of Microsoft webpages to create a convincing login background, making it appear as though users will access legitimate content after successfully logging in.
- Convincing presentation: The threat actors also implemented common methods on the web page to distinguish between humans and bots. If the visitor is detected as a bot, the page either displays harmless content or redirects to a legitimate website like Wikipedia. This tactic helps evade automated detection by security systems.
“This phishing kit was developed by one group of threat actors and sold to others, highlighting the collaborative nature of many cyberattacks,” said Luz. “These malicious tools are often the result of layered efforts by different actors, working together and trading resources. The fact that such kits are readily available for purchase is highly concerning.”
Or Eshed, chief executive officer at LayerX Security, added that typically, email and secure web gateways use a combination of three techniques: reputation analysis of the domain, comparison of the page code “signature” to known phishing kits, and web crawlers that trawl through the web looking for vulnerabilities.
In this case, Eshed said the exploit “piggybacked” on top of legitimate websites with reputable URLs, used adaptable code to throw off comparisons to known phishing kits, and used Cloudflare’s free firewall service with CAPTCHA and AI-based anti-bot measures to block web security crawlers.
“This made the attack effectively invisible to traditional network security tools,” said Eshed.
Eshed said security teams looking to improve their protection against such novel phishing attacks should consider a combination of approaches:
First, adopt phishing protections that go beyond website reputation and known signatures, and instead perform direct inspection of the page code to identify suspicious behaviors. Second, deploy web and anti-phishing protections at the endpoint level, where they are not thwarted by session encryption and do not incur a performance impact like network solutions. Finally, leverage the power of AI for advanced page analysis, for deeper contextual and intent analysis.
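The page-code inspection Eshed recommends can be reduced to a handful of concrete checks that follow directly from the kit behaviour described above: an e-mail address smuggled into the URL (plain or base64) and written into the form, a blurred Microsoft screenshot used as the background, Cloudflare Turnstile gating a login page, a Microsoft-branded password form served from (or posting to) a host that is not Microsoft's, and a page that serves a login form to a browser but harmless content or a Wikipedia redirect to a crawler. The script below is an added example written for this article, not code from Sekoia or any of the vendors quoted; the `MICROSOFT_LOGIN_HOSTS` allow-list, the regexes and the sample URL and HTML are all constructed assumptions for illustration, and the cloaking check expects the caller to have fetched the same URL twice, once with a browser User-Agent and once with a crawler User-Agent (no network access is performed here).

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Hosts Microsoft itself uses for sign-in (assumed allow-list for this example).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']password[\"']", re.I)
FORM_ACTION_RE = re.compile(r"<form[^>]+action=[\"']([^\"']+)[\"']", re.I)


def extract_prefilled_email(url):
    """Return an e-mail address carried in the URL (any query value or the
    fragment), either plain or base64-encoded, or None if there is none."""
    parts = urlsplit(url)
    candidates = []
    for chunk in (parts.query, parts.fragment):
        for values in parse_qs(chunk).values():
            candidates.extend(values)
        candidates.append(chunk)  # bare fragment such as #dXNlckBjb250b3NvLmNvbQ==
    for cand in candidates:
        if EMAIL_RE.match(cand):
            return cand
        padded = cand + "=" * (-len(cand) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if EMAIL_RE.match(decoded):
            return decoded
    return None


def inspect_login_page(url, html):
    """Score a fetched sign-in page on the signals the article describes.
    Returns a list of (severity, description) findings; empty means clean."""
    host = (urlsplit(url).hostname or "").lower()
    lower = html.lower()
    branded = "microsoft" in lower
    findings = []

    prefilled = extract_prefilled_email(url)
    if prefilled and prefilled.lower() in lower:
        findings.append(("high", f"address {prefilled} taken from the URL and written into the form"))

    if branded and re.search(r"filter\s*:\s*blur\(", lower):
        findings.append(("medium", "blurred background over Microsoft-branded content"))

    if "challenges.cloudflare.com/turnstile" in lower:
        findings.append(("low", "Cloudflare Turnstile gating a login page"))

    if branded and PASSWORD_FIELD_RE.search(html) and host not in MICROSOFT_LOGIN_HOSTS:
        findings.append(("high", f"Microsoft-branded password form served from {host}"))

    for action in FORM_ACTION_RE.findall(html):
        target = (urlsplit(action).hostname or host).lower()  # relative action posts to the page host
        if branded and target not in MICROSOFT_LOGIN_HOSTS:
            findings.append(("high", f"credentials would be posted to {target}"))
    return findings


def detect_cloaking(browser_html, crawler_html):
    """True when the same URL shows a password form to a browser User-Agent but
    hides it from (or bounces to Wikipedia) a crawler User-Agent."""
    shows_form = bool(PASSWORD_FIELD_RE.search(browser_html))
    hides_form = not PASSWORD_FIELD_RE.search(crawler_html)
    bounced = "wikipedia.org" in crawler_html.lower()
    return shows_form and (hides_form or bounced)


# Constructed sample of what a compromised WordPress host might serve; not a real capture.
SAMPLE_URL = "https://blog.example-wp.test/wp-content/uploads/auth/#dXNlckBjb250b3NvLmNvbQ=="
SAMPLE_BROWSER_HTML = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<style>body{background:url(ms-office.png);filter:blur(6px)}</style></head>
<body><div class="ms-logo">Microsoft</div>
<form action="/wp-content/uploads/auth/post.php" method="post">
<input type="email" name="login" value="user@contoso.com">
<input type="password" name="passwd"></form></body></html>"""
SAMPLE_CRAWLER_HTML = """<html><head><meta http-equiv="refresh"
content="0;url=https://en.wikipedia.org/wiki/Main_Page"></head><body></body></html>"""

if __name__ == "__main__":
    for severity, text in inspect_login_page(SAMPLE_URL, SAMPLE_BROWSER_HTML):
        print(f"[{severity}] {text}")
    print("cloaking:", detect_cloaking(SAMPLE_BROWSER_HTML, SAMPLE_CRAWLER_HTML))
```

Each signal on its own is weak (Turnstile is legitimately used on many sites, and plenty of login pages blur a background), which is why the checks return graded findings rather than a single verdict; the combination of a smuggled address, Microsoft branding and a form posting off-domain is what separates this kit from a normal page. Base64 without padding is accepted so that fragments trimmed by mail clients still decode, and the cloaking check only works if the two fetches are made from the same source IP, since the kit's bot filtering can key on IP reputation as well as on the User-Agent.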
Stephen Kowski, Field CTO at SlashNext Email Security, said this kit’s “sneaky” aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare, and its clever redirection of security tools to Wikipedia pages.
“The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,” said Kowski. “Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection, and detection of newly-registered phishing domains before they become active threats.”