June 25, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple Adobe Products Vulnerabilities
October 10, 2024
Multiple Juniper Networks Junos OS and Junos OS Evolved Vulnerabilities
October 10, 2024
Multiple Adobe Products Vulnerabilities
October 10, 2024
Multiple Juniper Networks Junos OS and Junos OS Evolved Vulnerabilities
October 10, 2024
Severity
High
Analysis Summary
Well-crafted login pages are being used by a newly emerging phishing-as-a-service (PhaaS) platform called Mamba 2FA to target Microsoft 365 accounts in AiTM attacks.
Furthermore, Mamba 2FA gives threat actors a way to circumvent multi-factor authentication (MFA) safeguards on victim accounts by capturing their authentication tokens through an adversary-in-the-middle (AiTM) technique. Cybercriminals can purchase Mamba 2FA for $250 per month, which is a competitive pricing that places it among the most enticing and rapidly expanding phishing platforms available.
Analysts initially recorded Mamba 2FA in late June 2024, but according to researchers, they have been monitoring behavior connected to the phishing platform since May 2024. Further proof reveals that Mamba 2FA has been aiding phishing schemes since November 2023, when the kit was first offered for sale on ICQ and then on Telegram.
In response to the revelation of a campaign supported by Mamba 2FA, the phishing kit operators altered their infrastructure and techniques in a number of ways to improve the campaigns' secrecy and durability. For instance, Mamba 2FA started using proxy servers in October that were obtained from the for-profit company IPRoyal in order to conceal the IP addresses of relay servers on authentication logs.
Relay servers used to be directly connected to Microsoft Entra ID servers, which exposed the IP addresses and simplified block generation. In order to avoid being blocked by security solutions, link domains used in phishing URLs are now usually cycled every week and have a very limited lifespan. Another modification was adding harmless filler information to HTML attachments used in phishing campaigns in order to conceal a small JavaScript snippet that starts the attack and makes it more difficult for security systems to identify.
Users of Microsoft 365 services, including corporate and consumer accounts, are the intended target for Mamba 2FA. Similar to other PhaaS platforms, it conducts AiTM phishing attacks through proxy relays, giving threat actors access to authentication cookies and one-time passcodes. The Socket.IO JavaScript library is used by the AiTM method to create communication between the phishing website and the backend relay servers, which use the stolen data to communicate with Microsoft's servers.
Phishing templates are available from Mamba 2FA for several Microsoft 365 services, such as OneDrive, SharePoint Online, phony voicemails that lead to a Microsoft login page, and generic Microsoft sign-in pages. Phishing websites for enterprise accounts dynamically adopt the specific login branding of the targeted organization, including logos and background graphics, to give the effort a more genuine appearance.
An attacker can start a session right away by sending authentication cookies and captured credentials to them using a Telegram bot. Additionally, Mamba 2FA has sandbox detection, which sends users to Google 404 sites if it detects that they are being analyzed.
All things considered, the Mamba 2FA platform poses a risk to enterprises by enabling unskilled actors to carry out extremely successful phishing attacks. Use hardware security keys, certificate-based authentication, geo-blocking, IP allow-listing, device allow-listing, and token lifespan shortening as defenses against AiTM-based PhaaS operations.
Impact
- Security Bypass
- Sensitive Data Theft
- Unauthorized Access
- Identity Theft
Indicators of Compromise
Domain Name
- drensyoons1sedt.com
- ccokies1cakes.com
- ccokies2mangoes.com
- ccokies3tomatoes.com
- m1tis-apicookies.com
- m2fes-apicookies.com
- m3mas-apicookies.com
- winss0conect.click
- winstnet80nss.cfd
- tenetur.top
- tenetur.xyz
- hypexfinancial.com
- onemanforest.com
- twomancake.com
- 3alphabetjay.com
IP
- 23.26.35.67
- 23.26.206.99
- 45.86.54.206
- 45.9.153.102
- 45.61.130.11
- 172.86.97.78
- 172.86.105.59
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.