New Mamba 2FA bypass service targets Microsoft 365 accounts

A new phishing-as-a-service (PhaaS) platform called Mamba 2FA has been observed targeting Microsoft 365 accounts in adversary-in-the-middle (AiTM) attacks that use well-crafted login pages.

The AiTM mechanism lets threat actors capture the victim's authentication tokens and session cookies, bypassing the multi-factor authentication (MFA) protection on their accounts.

Mamba 2FA is currently sold to cybercriminals for $250/month, a competitive price that places it among the most attractive and fastest growing phishing platforms in the space.

Discovery and evolution

Mamba 2FA was first documented by Any.Run analysts in late June 2024, but Sekoia reports that it has been tracking activity linked to the phishing platform since May 2024.

Further evidence shows that Mamba 2FA has supported phishing campaigns since November 2023, when the kit was sold on ICQ and later on Telegram.

Following Any.Run’s report on a campaign supported by Mamba 2FA, the operators of the phishing kit made several changes to their infrastructure and methods to increase the stealth and longevity of the phishing campaigns.

For example, since October, Mamba 2FA has routed its relay traffic through proxy servers sourced from IPRoyal, a commercial proxy provider, so that the relay servers' own IP addresses no longer appear in authentication logs.

Previously, the relay servers connected directly to Microsoft Entra ID, which exposed their IP addresses in sign-in logs and made blocking easier.

Link domains used in phishing URLs are now very short-lived and are typically rotated weekly to avoid blocking by security solutions.

Another change was to pad the HTML attachments used in phishing campaigns with benign filler content that hides the small snippet of JavaScript that triggers the attack, making it harder for security tools to detect.
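As an added example (not code from the original article or from any vendor report), the following Python script shows one heuristic a mail gateway or sandbox could apply to such attachments: an HTML file that carries a lot of visible text but only a tiny script containing redirect or decoding primitives is the pattern described above. The two sample attachments are constructed for the demo, and the thresholds and the list of suspicious JavaScript primitives are assumptions to tune against your own traffic.

```python
"""Heuristic scan of HTML e-mail attachments for a small redirect script hidden in filler text."""
import re
from html.parser import HTMLParser

# JavaScript primitives commonly used by a tiny loader to decode a URL and navigate (assumption).
SUSPICIOUS_JS = re.compile(
    r"atob\(|unescape\(|fromCharCode|location\s*(?:\.href|\.replace|\.assign|=)"
    r"|window\.open|document\.write|new\s+Blob",
    re.IGNORECASE,
)


class _Collector(HTMLParser):
    """Separates <script> bodies from the document's visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # raw body of each <script> element
        self.text_chars = 0      # non-whitespace characters outside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data
        else:
            self.text_chars += len(data.strip())


def scan_html(html, min_text_chars=2000, max_script_chars=600):
    """Return a verdict dict; 'suspicious' is True when a document with plenty of
    filler text carries only a short script that decodes or redirects."""
    collector = _Collector()
    collector.feed(html)
    small_loaders = [
        s.strip() for s in collector.scripts
        if 0 < len(s.strip()) <= max_script_chars and SUSPICIOUS_JS.search(s)
    ]
    return {
        "text_chars": collector.text_chars,
        "script_count": len(collector.scripts),
        "small_loader_scripts": len(small_loaders),
        "suspicious": bool(small_loaders) and collector.text_chars >= min_text_chars,
    }


# Constructed samples (not real attachments). The first is a plain HTML receipt;
# the second buries a one-line loader under repeated shipping-notice filler.
BENIGN_SAMPLE = "<html><body><h1>Receipt</h1><p>Thank you for your order #1042.</p></body></html>"
FILLER = "<p>" + ("Your parcel is being processed and will ship shortly. " * 70) + "</p>"
SMUGGLED_SAMPLE = (
    "<html><body>" + FILLER
    + '<script>location.replace(atob("aHR0cHM6Ly9leGFtcGxlLmNvbS8="))</script>'
    + "</body></html>"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("smuggled", SMUGGLED_SAMPLE)):
        print(name, scan_html(sample))
```

The parser only sees `<script>` bodies; inline handlers such as `onload="..."` and scripts loaded from `src` URLs are not covered, so treat this as one signal alongside attachment sandboxing rather than a complete detector.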

Targeting Microsoft 365 users

Mamba 2FA is specifically designed to target users of Microsoft 365 services, including business and consumer accounts.

Like other PhaaS platforms, it uses proxy relays to perform AiTM phishing attacks, which give the threat actors access to the victim's one-time passwords and authentication cookies.

The AiTM mechanism uses the Socket.IO JavaScript library for communication between the phishing page and the backend relay servers, which in turn submit the captured credentials and MFA codes to Microsoft's servers.

Mamba 2FA operation overview (Source: Sekoia)

Mamba 2FA offers phishing templates for various Microsoft 365 services, including OneDrive, SharePoint Online, generic Microsoft login pages, and fake voicemail messages that redirect to a Microsoft login page.

For corporate accounts, the phishing pages dynamically assume the targeted organization’s custom login branding, including logos and background images, making the attempt appear more authentic.

Phishing templates used in Mamba 2FA attacks (Source: Sekoia)

Collected credentials and authentication cookies are passed to the attacker through a Telegram bot, allowing them to start a session immediately.

Mamba 2FA also has sandbox detection that redirects the visitor to a Google 404 page when it infers that it is being analyzed.

Overall, the Mamba 2FA platform is another threat to organizations that allows low-skilled actors to carry out highly effective phishing attacks.

To protect against PhaaS operations using AiTM tactics, consider phishing-resistant authentication such as hardware security keys (FIDO2/WebAuthn, whose assertions are bound to the real login domain and therefore cannot be relayed from a phishing page) or certificate-based authentication, together with geoblocking, IP and device allowlisting through Conditional Access, and shorter token and session lifetimes so that a stolen cookie loses value quickly.
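Since the relay performs the real sign-in against Microsoft and the attacker then reuses the captured cookie from elsewhere, the sign-in logs carry two hunting signals: an MFA-satisfied interactive sign-in from a proxy provider's network, and a session that is used from a second network shortly after it was minted. The following Python script is an added example (not code from the article, Sekoia or Microsoft) of that detection logic over constructed records; the field names are an assumption loosely modelled on Entra ID sign-in log exports, and the proxy ASN list is a placeholder you would populate from your own threat intelligence.

```python
"""Flag AiTM indicators in Microsoft 365 sign-in records: MFA sign-ins from proxy
networks and session identifiers reused from a different network soon afterwards."""
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are an assumption
# loosely modelled on Entra ID sign-in log exports; adapt them to your schema.
SIGNINS = [
    # Victim authenticates through the phishing relay: MFA satisfied, but the
    # source address is a commercial proxy exit rather than the victim's network.
    {"time": "2024-10-07T08:02:11Z", "user": "a.lee@example.com", "ip": "203.0.113.10",
     "asn": "AS64500", "session": "f1c2", "interactive": True, "mfa": True},
    # Attacker replays the captured session cookie from another network minutes later.
    {"time": "2024-10-07T08:09:40Z", "user": "a.lee@example.com", "ip": "198.51.100.77",
     "asn": "AS64511", "session": "f1c2", "interactive": False, "mfa": False},
    # Normal user: signs in and keeps using the same session from the same network.
    {"time": "2024-10-07T09:15:03Z", "user": "b.kim@example.com", "ip": "192.0.2.44",
     "asn": "AS64496", "session": "9a7e", "interactive": True, "mfa": True},
    {"time": "2024-10-07T10:30:22Z", "user": "b.kim@example.com", "ip": "192.0.2.44",
     "asn": "AS64496", "session": "9a7e", "interactive": False, "mfa": False},
]

# Placeholder: ASNs your organisation classifies as residential/commercial proxy
# providers (assumption; the real list comes from your threat intelligence).
PROXY_ASNS = {"AS64500"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_indicators(records, proxy_asns=PROXY_ASNS, window=timedelta(hours=24)):
    """Return a list of findings, one per suspicious record."""
    findings = []
    seen_by_session = {}
    for rec in sorted(records, key=lambda r: _ts(r["time"])):
        history = seen_by_session.setdefault(rec["session"], [])

        # Signal 1: interactive sign-in that passed MFA but came from a proxy network.
        if rec["interactive"] and rec["mfa"] and rec["asn"] in proxy_asns:
            findings.append({"type": "mfa_signin_from_proxy_asn", "user": rec["user"],
                             "session": rec["session"], "ip": rec["ip"]})

        # Signal 2: the same session is used from a different IP within the window
        # of the interactive sign-in that created it (cookie replay by the attacker).
        for earlier in history:
            if (earlier["interactive"] and rec["ip"] != earlier["ip"]
                    and _ts(rec["time"]) - _ts(earlier["time"]) <= window):
                findings.append({"type": "session_reused_from_new_network",
                                 "user": rec["user"], "session": rec["session"],
                                 "first_ip": earlier["ip"], "second_ip": rec["ip"]})
                break
        history.append(rec)
    return findings


if __name__ == "__main__":
    for finding in find_aitm_indicators(SIGNINS):
        print(finding)
```

Signal 2 alone will also fire on legitimate users switching between office Wi-Fi and mobile data, so in production compare ASN or country rather than raw IP and pair the rule with the proxy-network signal before paging anyone.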
