Once the intended victim clicks the link and enters their password, they are presented with a "Review Document" link impersonating a PDF file. If the intended victim clicks this link, they are redirected to a website hosting the "Sneaky 2FA" kit.
The kit uses a Cloudflare Turnstile challenge, IP filtering, and anti-debugging checks to evade bot sandboxing and analyst inspection.
If the kit detects bot sandboxing or analyst activity, it redirects to a benign site (e.g., Wikipedia) or shows other harmless content.
If the kit determines the visitor is a potential victim, it proceeds to the next stage and displays a fake Microsoft sign-in screen.
If the victim enters their credentials, the kit performs credential and session cookie harvesting (Adversary-in-the-Middle, AiTM) by:
- Intercepting the victim's credentials.
- Forwarding the credentials to the legitimate Microsoft 365 login page.
- Intercepting the response from the legitimate service, including MFA prompts.
- If MFA is required, presenting the MFA prompt to the victim and intercepting the MFA code.
- Using the MFA code to complete the authentication process and then harvesting the session cookies issued by the legitimate service after successful authentication. This step allows the attacker to replay the session and access the victim's account without needing to enter the victim's password or MFA again. Because the login is completed by the kit's proxy server, the successful sign-in recorded by Microsoft originates from the attacker's infrastructure rather than the victim's device.
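The AiTM flow above leaves two indicators in the identity provider's sign-in telemetry: the MFA-satisfied interactive login arrives from the proxy's IP rather than the victim's, and the stolen session is then used from a different IP or country. The following is an added detection example written for this advisory, not code from the kit or from Microsoft. It runs two such rules over a constructed set of sign-in records whose field names approximate the Microsoft Entra ID sign-in log schema (`userPrincipalName`, `ipAddress`, `sessionId`, `isInteractive`, `authenticationRequirement`, `location.countryOrRegion`); the sample entries, the per-user IP baseline, and the 24-hour replay window are assumptions for illustration.

```python
"""Detect indicators of AiTM session-cookie replay in sign-in logs.

Added example, not part of the original advisory or of the Sneaky 2FA kit.
Field names approximate the Entra ID sign-in log schema; the log entries,
the per-user IP baseline and the replay window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice signs in through the phishing proxy (unfamiliar
# hosting IP, MFA satisfied), then the harvested cookie is replayed from a
# second attacker IP as non-interactive token requests. bob behaves normally.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-15T09:02:11Z",
     "ipAddress": "203.0.113.10", "sessionId": "aaaa-1111", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-15T09:40:05Z",
     "ipAddress": "198.51.100.77", "sessionId": "aaaa-1111", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-01-15T10:00:00Z",
     "ipAddress": "192.0.2.25", "sessionId": "bbbb-2222", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-01-15T12:30:00Z",
     "ipAddress": "192.0.2.25", "sessionId": "bbbb-2222", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]

# Constructed baseline of IPs each user normally signs in from; in practice
# this would be derived from the preceding weeks of sign-in history.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.40"},
    "bob@example.com": {"192.0.2.25"},
}

REPLAY_WINDOW = timedelta(hours=24)  # assumed; tune to the token lifetimes in use


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_indicators(signins, known_ips, window=REPLAY_WINDOW):
    """Return (user, rule, detail) findings over successful sign-ins.

    Rule 1, mfa_from_unknown_ip: an interactive, MFA-satisfied sign-in from an
      IP outside the user's baseline. In an AiTM attack the login reaches the
      identity provider from the proxy server, not from the victim's machine.
    Rule 2, session_replayed: the same sessionId used from more than one IP or
      country within the window, the signature of a harvested cookie in use.
    """
    findings = []
    by_session = defaultdict(list)
    for r in signins:
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-ins do not issue a session
        user = r["userPrincipalName"]
        if (r["isInteractive"]
                and r["authenticationRequirement"] == "multiFactorAuthentication"
                and r["ipAddress"] not in known_ips.get(user, set())):
            findings.append((user, "mfa_from_unknown_ip", r["ipAddress"]))
        by_session[(user, r["sessionId"])].append(r)

    for (user, sid), events in by_session.items():
        events.sort(key=_ts)
        first = events[0]
        for later in events[1:]:
            if _ts(later) - _ts(first) > window:
                continue
            if (later["ipAddress"] != first["ipAddress"]
                    or later["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]):
                findings.append((user, "session_replayed",
                                 f"{sid}: {first['ipAddress']} -> {later['ipAddress']}"))
                break  # one finding per session is enough to triage
    return findings


if __name__ == "__main__":
    for user, rule, detail in find_aitm_indicators(SAMPLE_SIGNINS, KNOWN_IPS):
        print(f"{user}\t{rule}\t{detail}")
```

Run against the constructed sample, the script flags alice twice (MFA sign-in from the unfamiliar proxy IP, then the same session reused from a second IP and country) and nothing for bob. The second rule is the more reliable of the two in practice, since a baseline of "known" IPs is noisy for travelling users, while a single session identifier appearing from two countries within hours is rarely legitimate.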
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown or untrusted senders.
- Exercise caution with communications from known senders as those accounts may be compromised.
- Confirm requests for sensitive information from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
- Use strong, unique passwords for all accounts and enable MFA, choosing authentication apps or hardware tokens over SMS text-based codes, when available. Note that AiTM kits such as this one relay app-generated and SMS codes alike; only phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys, which bind the credential to the legitimate site's origin, prevent the proxy from completing the login.
- If an account has been compromised, sign out of all devices, revoke active sessions and refresh tokens so harvested cookies stop working, and reset passwords.
- Keep systems and browsers updated.
- Report fraudulent scams and other malicious cyber activity to the NJCCIC and the FBI’s IC3.
