{"id":5706,"date":"2024-10-09T15:35:18","date_gmt":"2024-10-09T20:35:18","guid":{"rendered":"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/mamba-2fa-cybercrime-kit-microsoft-365-users"},"modified":"2024-10-09T15:35:18","modified_gmt":"2024-10-09T20:35:18","slug":"mamba-2fa-cybercrime-kit-targets-microsoft-365-users","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/09\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users\/","title":{"rendered":"Mamba 2FA Cybercrime Kit Targets Microsoft 365 Users"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A phishing-as-a-service (PhaaS) kit dubbed Mamba 2FA is targeting Microsoft 365 users using a variety of convincing adversary-in-the-middle (AitM) disguises.<\/span><\/p>\n

According to the Sekoia Threat Detection & Research (TDR) team, the kit, which goes for $250 per month on underground cybercrime forums, can present a number of faux login pages to unsuspecting users. It can imitate OneDrive, a SharePoint Online secure link, or a generic Microsoft sign-in page; or it can show the user a purported voicemail retrieval link that redirects to a sign-in page after a click.<\/span><\/p>\n

In all cases, it dynamically reflects enterprise targets’ branding, including logos and background image.<\/span><\/p>\n

According to Sekoia, Mamba 2FA slithers past two-factor authentication (2FA) methods that use one-time codes and app notifications; supports Entra ID, AD FS, third-party SSO providers, and consumer Microsoft accounts; and harvests credentials and cookies that are instantly sent to the attacker via a Telegram bot.<\/span><\/p>\n

“Mamba 2FA has been advertised on Telegram since at least March,” according to a Sekoia <\/span>analysis<\/a><\/span> this week. “However, according to data from public URL and file analysis sandboxes, the kit has been used in phishing campaigns since November 2023. The operator of the service had a long-standing presence on ICQ until this messaging platform shut down in June 2024, and this may be where Mamba 2FA was primarily sold before shifting to Telegram.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A phishing-as-a-service (PhaaS) kit dubbed Mamba 2FA is targeting Microsoft<\/p>\n","protected":false},"author":12,"featured_media":5707,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5706","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/mamba-2fa-cybercrime-kit-targets-microsoft-365-users-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5706"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5706\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5707"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}