New Mamba 2FA Bypass Service Targets Microsoft 365 Accounts
Summary:
Mamba 2FA is an emerging phishing-as-a-service (PhaaS) platform that targets Microsoft 365 accounts through adversary-in-the-middle (AiTM) attacks. It uses highly convincing phishing login pages to steal authentication tokens, bypassing multi-factor authentication protections. Priced at $250 per month, Mamba 2FA is gaining popularity due to its accessibility and effectiveness, positioning it as one of the fastest-growing phishing platforms in the market. First detected by Any.Run analysts in June 2024, Mamba 2FA has been active since late 2023, with evidence of phishing campaigns dating back to November of that year. Initially sold on ICQ, the platform later expanded to Telegram. Since its discovery, Mamba 2FA has evolved to become stealthier and more resilient. In October, it began using proxy servers from IPRoyal to hide the IP addresses of its relay servers; those relays previously connected directly to Microsoft Entra ID servers, which made them easier to block. Additionally, the platform now rotates phishing link domains weekly to evade detection and blocklisting. Mamba 2FA has also enhanced the HTML attachments used in its phishing emails by embedding benign filler content that conceals the malicious JavaScript, making it harder for security tools to detect.
Security Officer Comments:
The platform specifically targets Microsoft 365 users, including corporate and consumer accounts, using proxy relays to conduct AiTM phishing attacks. The relay architecture, which uses the Socket.IO JavaScript library to pass traffic between the phishing page, the relay servers, and Microsoft's servers, lets attackers capture one-time passcodes and authentication cookies as the victim logs in. Mamba 2FA offers phishing templates that mimic Microsoft 365 services such as OneDrive, SharePoint Online, and generic Microsoft login pages. For enterprise targets, the phishing pages dynamically adopt the organization's branding, including logos and background images, to make the attacks appear more authentic. Captured credentials and authentication cookies are transmitted to attackers through a Telegram bot, allowing them to initiate sessions in real time. The platform also includes sandbox detection features that redirect suspected analysts or automated systems to Google 404 error pages to avoid scrutiny.
Suggested Corrections:
To defend against PhaaS platforms like Mamba 2FA, organizations are advised to implement security measures such as hardware security keys, certificate-based authentication, geo-blocking, IP allowlisting, device allowlisting, and shortening token lifespans. Because an AiTM relay steals a session that has already satisfied MFA, these defenses work by making the stolen credential unusable from the attacker's infrastructure (phishing-resistant authenticators bound to the legitimate origin, allowlists that reject unknown source IPs and devices) or by limiting how long a stolen token remains valid. Together they mitigate the risks posed by AiTM phishing attacks and provide stronger protection for users and their accounts.
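The corrections above address prevention; the comments section describes the post-compromise behaviour a defender can also hunt for, namely a stolen session cookie being replayed from the attacker's infrastructure shortly after the victim completed MFA. The following script is an added example written for this summary, not code from the article or from any vendor: it correlates constructed sign-in records (field names loosely modelled on Entra ID sign-in logs, but the values and the record layout are invented) to flag sessions whose cookie is reused from a different IP address and browser than the one that passed MFA, and it also implements a simple IP allowlist check matching the suggested correction.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (hypothetical values, not from the article).
# "mfa" marks the interactive sign-in that satisfied multi-factor authentication;
# later records with the same sessionId reuse that session's cookie.
SAMPLE_SIGNINS = [
    {"time": "2024-10-07T09:00:00Z", "user": "alice@example.com", "sessionId": "s-1111",
     "ip": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/129",
     "mfa": True},
    # Same session cookie used two minutes later from an unrelated address and a
    # different browser, with no new MFA prompt: the replay pattern an AiTM relay
    # produces when the captured cookie is imported into the attacker's browser.
    {"time": "2024-10-07T09:02:00Z", "user": "alice@example.com", "sessionId": "s-1111",
     "ip": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/130",
     "mfa": False},
    {"time": "2024-10-07T10:00:00Z", "user": "bob@example.com", "sessionId": "s-2222",
     "ip": "203.0.113.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/129",
     "mfa": True},
    # Bob's later request comes from the same address and browser: benign.
    {"time": "2024-10-07T11:30:00Z", "user": "bob@example.com", "sessionId": "s-2222",
     "ip": "203.0.113.20", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/129",
     "mfa": False},
]

# Hypothetical corporate egress ranges for the allowlist check.
ALLOWED_CIDRS = ["203.0.113.0/24"]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(records, window=timedelta(hours=1)):
    """Flag non-MFA events that reuse a session cookie from a different IP *and*
    a different user agent than the MFA sign-in, within `window` of it.
    Requiring both to differ keeps ordinary IP churn (mobile, VPN) out of the alerts."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sessionId"]].append(rec)

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        anchor = next((e for e in events if e["mfa"]), None)
        if anchor is None:
            continue  # no MFA sign-in to compare against
        anchor_time = parse_time(anchor["time"])
        for event in events:
            if event["mfa"]:
                continue
            elapsed = parse_time(event["time"]) - anchor_time
            if (timedelta(0) <= elapsed <= window
                    and event["ip"] != anchor["ip"]
                    and event["userAgent"] != anchor["userAgent"]):
                alerts.append({
                    "user": event["user"],
                    "sessionId": session_id,
                    "mfa_ip": anchor["ip"],
                    "replay_ip": event["ip"],
                    "seconds_after_mfa": int(elapsed.total_seconds()),
                })
    return alerts


def outside_allowlist(records, allowed_cidrs=ALLOWED_CIDRS):
    """Return records whose source IP falls outside the allowlisted ranges,
    i.e. the sign-ins an IP-allowlist policy would have rejected."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [r for r in records
            if not any(ipaddress.ip_address(r["ip"]) in net for net in networks)]


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_SIGNINS):
        print("session replay:", alert)
    for rec in outside_allowlist(SAMPLE_SIGNINS):
        print("outside allowlist:", rec["user"], rec["ip"])
```

Run against the constructed records, the replay detector fires once (alice's session reused from 198.51.100.77 two minutes after MFA) and the allowlist check flags the same request; bob's same-device reuse produces nothing. Real Entra ID sign-in logs expose the session identifier and authentication details under different field names and via Microsoft Graph or a SIEM export, so the record loader would need to be adapted, but the correlation logic is the same.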
Link(s):
https://www.bleepingcomputer.com/ne...ypass-service-targets-microsoft-365-accounts/