Security
Headlines
HeadlinesLatestCVEs

Headline

Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users

A stealthy new underground offering uses sophisticated adversary-in-the-middle (AitM) techniques to convincingly serve up “Microsoft” login pages of various kinds, with dynamic enterprise branding.

DARKReading
#microsoft#js#auth

Source: Matthijs Kuijpers via Alamy Stock Photo

A phishing-as-a-service (PhaaS) kit dubbed Mamba 2FA is targeting Microsoft 365 users using a variety of convincing adversary-in-the-middle (AitM) disguises.

According to the Sekoia Threat Detection & Research (TDR) team, the kit, which goes for $250 per month on underground cybercrime forums, can present a number of faux login pages to unsuspecting users. It can imitate OneDrive, a SharePoint Online secure link, or a generic Microsoft sign-in page; or it can show the user a purported voicemail retrieval link that redirects to a sign-in page after a click.

In all cases, it dynamically reflects enterprise targets’ branding, including logos and background image.

According to Sekoia, Mamba 2FA slithers past two-factor authentication (2FA) methods that use one-time codes and app notifications; supports Entra ID, AD FS, third-party SSO providers, and consumer Microsoft accounts; and harvests credentials and cookies that are instantly sent to the attacker via a Telegram bot.

“Mamba 2FA has been advertised on Telegram since at least March,” according to a Sekoia analysis this week. “However, according to data from public URL and file analysis sandboxes, the kit has been used in phishing campaigns since November 2023. The operator of the service had a long-standing presence on ICQ until this messaging platform shut down in June 2024, and this may be where Mamba 2FA was primarily sold before shifting to Telegram.”

About the Author

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel