It's just another day and you're logging into Microsoft 365. You receive an email with a familiar OneDrive link. Everything seems legitimate: the Microsoft logo is there, and the login form looks professional. You enter your credentials, but something feels off.
Moments later, you're locked out of your account, while someone else logs in from a different device, bypassing your multi-factor authentication (MFA). Welcome to the world of Mamba 2FA, a sophisticated phishing campaign discovered by Sekoia's Threat Detection & Research (TDR) team in mid-2024.
Unmasking Mamba 2FA
In May 2024, Sekoia’s TDR team unearthed a phishing scheme utilizing HTML attachments to steal Microsoft 365 credentials. These phishing attempts were anything but typical. They bypassed certain MFA protections and employed WebSockets, allowing real-time communication between the phishing page and attackers’ servers.
Key Characteristics of Mamba 2FA
Mamba 2FA is designed to be adaptable and difficult to detect. Here’s what sets it apart:
- URL Structure and Domain Names: Phishing URLs follow a specific pattern. If an encoded string is invalid, users see a blank page, thwarting automated detection. If security tools attempt to access the page, they’re redirected to a harmless page, like Google’s 404 error page.
- Phishing Page Customization: Mamba 2FA can mimic various Microsoft services (e.g., OneDrive, SharePoint) based on URL parameters, making it challenging for users to distinguish legitimate sites from phishing attempts.
- Multi-Factor Authentication Evasion: The kit targets vulnerable MFA methods, including one-time passwords (OTPs). Once a user submits an MFA token, attackers receive it instantly and can log in to the victim’s account.
- Advanced Detection Evasion: Designed to evade security sandboxes, Mamba 2FA's servers detect bot activity and redirect it elsewhere, enhancing the kit's resilience against automated detection.
The Commercialization of Phishing-as-a-Service
Mamba 2FA is marketed on platforms like Telegram as a Phishing-as-a-Service (PhaaS) model. For $250 a month, cybercriminals can generate phishing links and distribute HTML attachments, lowering the barrier to sophisticated phishing attacks. This model enables a broader range of attackers to engage in real-time phishing activities.
Hidden Threats of HTML Attachments
One of Mamba 2FA's distinctive features is its use of HTML attachments in phishing emails. These files contain hidden JavaScript that redirects users to the phishing page. The HTML appears harmless, filled with benign text and images, while a snippet of encoded JavaScript ensures the user ends up on the phishing site.
Evolving Threats and Defensive Measures
Since its discovery, Mamba 2FA has undergone several modifications to avoid detection. To defend against it, organizations should:
- Strengthen MFA Policies: Utilize phishing-resistant MFA methods, such as hardware tokens and app-based methods using FIDO2/WebAuthn.
- Monitor for Suspicious URLs: Develop detection rules for specific URL patterns and parameters associated with Mamba 2FA.
- Educate Employees: Regular training can help users recognize phishing attempts and avoid clicking on suspicious links.
- Implement URL Filtering: Advanced URL filtering solutions can block known malicious domains and rapidly rotating URLs.
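As an added example (not code from the original article or from Sekoia), the following Python heuristic triages an HTML attachment for the pattern described above: a script that decodes a string and hands it to a browser navigation API. The two sample attachments and the `lure.example.invalid` hostname are constructed for the demonstration.

```python
import base64
import re

# Decoding primitives and navigation sinks that an HTML-attachment redirect
# pairs together; the visible body of such a file is usually benign text.
DECODERS = re.compile(r"\b(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\(")
SINKS = re.compile(r"\b(?:window\.|document\.|top\.|self\.)?location\b|\bwindow\.open\s*\(")
META_REFRESH = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
B64 = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decoded_urls(script_body):
    """Return base64 literals in the script that decode to http(s) URLs."""
    urls = []
    for blob in B64.findall(script_body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if re.match(r"https?://", text):
            urls.append(text)
    return urls

def triage_html(html):
    """Triage one HTML attachment; returns (suspicious, list of findings)."""
    scripts = "\n".join(SCRIPT.findall(html))
    findings = []
    if DECODERS.search(scripts):
        findings.append("script calls a string decoder")
    if SINKS.search(scripts):
        findings.append("script touches a navigation sink")
    urls = decoded_urls(scripts)
    findings += [f"base64-encoded URL: {u}" for u in urls]
    if META_REFRESH.search(html):
        findings.append("meta refresh redirect")
    # Two or more indicators together, or any decoded URL, trips the verdict.
    suspicious = len(findings) >= 2 or bool(urls)
    return suspicious, findings

# Constructed samples, not real campaign artifacts.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<p>Figures are on page 2.</p><script>document.title = "Report";</script></body></html>"""
ENCODED_TARGET = base64.b64encode(b"https://lure.example.invalid/signin").decode()
LURE_HTML = f"""<html><body><h1>Shared document</h1><p>Loading your file...</p>
<script>window.location = atob("{ENCODED_TARGET}");</script></body></html>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_HTML), ("lure", LURE_HTML)):
        print(name, triage_html(doc))
```

The verdict is a triage signal for a mail gateway or attachment sandbox queue, not a replacement for detonating the file; a legitimate page that decodes a URL for navigation will also be flagged and should be reviewed rather than auto-dropped.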
Conclusion
Mamba 2FA is a rapidly evolving phishing platform, representing a significant threat to both individuals and organizations. Its subscription-based model makes it easier for even low-skill attackers to execute sophisticated phishing schemes. Staying vigilant and employing phishing-resistant MFA methods are crucial steps in combating this persistent threat.