October 9, 2024 at 04:44PM
The Mamba 2FA phishing kit targets Microsoft 365 users with deceptive login pages that sneak past two-factor authentication. Priced at $250/month on cybercrime forums, it mimics various Microsoft services and relays harvested credentials to its operators through Telegram. Active since November 2023, it previously operated on ICQ before moving to Telegram.
### Meeting Takeaways on Mamba 2FA Phishing Kit
1. **Overview of Mamba 2FA**:
– A phishing-as-a-service (PhaaS) kit named Mamba 2FA is specifically targeting Microsoft 365 users.
– It serves convincing adversary-in-the-middle (AitM) phishing pages in several disguises.
2. **Cost and Accessibility**:
– The kit is available for $250 per month on underground cybercrime forums, highlighting its accessibility to malicious actors.
3. **Phishing Techniques**:
– Mamba 2FA can create fake login pages that mimic:
  – OneDrive
  – SharePoint Online secure links
  – Generic Microsoft sign-in pages
  – Voicemail retrieval links that redirect to phishing pages.
4. **Dynamic Branding**:
– The kit dynamically incorporates enterprise branding, enabling it to present logos and background images from targeted organizations.
5. **Evasion of Security Measures**:
– Mamba 2FA is capable of bypassing two-factor authentication (2FA) that relies on one-time codes and app notifications.
– It is compatible with:
  – Entra ID
  – AD FS
  – Third-party SSO providers
  – Consumer Microsoft accounts.
– The kit harvests credentials and session cookies and relays them to the attacker instantly through a Telegram bot.
6. **Historical Context**:
– Mamba 2FA has been advertised on Telegram since at least March 2024, but its use in phishing campaigns dates back to November 2023.
– The service had a previous presence on ICQ until the platform’s shutdown in June 2024, indicating a longer history prior to its Telegram advertisement.
7. **Action Items**:
– Monitor for phishing attempts utilizing Mamba 2FA.
– Increase awareness and training on recognizing phishing attempts among employees, especially those related to Microsoft 365.
– Consider implementing additional security measures to safeguard against AitM attacks and credential harvesting.
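The "Evasion of Security Measures" section above explains why this kit works: one-time codes and push approvals are relayed through the proxy and the resulting session cookie is what actually gets stolen, so the MFA challenge is satisfied on the phishing page and the token is then used from somewhere else. The "Monitor for phishing attempts" action item is therefore mostly a sign-in log problem. The following is an added example, not code from the article or from the Mamba 2FA research, showing two detections a defender can run over sign-in events: a session token reused from a different IP or browser than the one that completed MFA, and a single source IP from which several distinct users satisfied MFA within a short window (the signature of a shared relay host). The JSON log schema, field names and IP addresses are this example's own constructed assumptions, not the real Entra ID sign-in log format.

```python
"""AitM session-replay and shared-relay detections over constructed sign-in logs.

Added example (not from the article or the Mamba 2FA research). The log
schema below (ts, user, session, ip, ua, mfa) is an assumption made for
this example and is NOT Entra ID's real sign-in log format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events. Story: alice signs in normally; bob and carol both
# "complete MFA" from 203.0.113.10 (the relay); minutes later bob's session token
# is used from an unrelated IP with a different browser.
SAMPLE_LOG = """
{"ts": "2024-10-09T14:00:05Z", "user": "alice@example.com", "session": "S-1001", "ip": "198.51.100.7", "ua": "Chrome/129 Windows", "mfa": "satisfied"}
{"ts": "2024-10-09T14:01:12Z", "user": "alice@example.com", "session": "S-1001", "ip": "198.51.100.7", "ua": "Chrome/129 Windows", "mfa": "token"}
{"ts": "2024-10-09T14:10:40Z", "user": "bob@example.com", "session": "S-2002", "ip": "203.0.113.10", "ua": "Chrome/129 Windows", "mfa": "satisfied"}
{"ts": "2024-10-09T14:12:20Z", "user": "carol@example.com", "session": "S-3003", "ip": "203.0.113.10", "ua": "Chrome/129 Windows", "mfa": "satisfied"}
{"ts": "2024-10-09T14:14:03Z", "user": "bob@example.com", "session": "S-2002", "ip": "192.0.2.55", "ua": "Firefox/130 Linux", "mfa": "token"}
"""


def parse_events(raw):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events, window=timedelta(hours=24)):
    """Flag a session token used from a different IP or browser than the one
    that completed MFA. An AitM proxy hands the cookie to the operator, so the
    token later appears where the MFA challenge never happened."""
    baseline = {}  # session id -> first event in which MFA was satisfied
    alerts = []
    for ev in events:
        sid = ev["session"]
        if ev["mfa"] == "satisfied":
            baseline.setdefault(sid, ev)
            continue
        base = baseline.get(sid)
        if base is None or ev["ts"] - base["ts"] > window:
            continue
        if ev["ip"] != base["ip"] or ev["ua"] != base["ua"]:
            delta = (ev["ts"] - base["ts"]).total_seconds() / 60
            alerts.append({
                "rule": "session_replay",
                "user": ev["user"],
                "session": sid,
                "mfa_ip": base["ip"],
                "replay_ip": ev["ip"],
                "minutes_after_mfa": round(delta, 1),
            })
    return alerts


def detect_shared_relay_ip(events, min_users=2, window=timedelta(hours=1),
                           known_egress=frozenset()):
    """Flag a source IP from which several distinct users satisfied MFA within
    one window: victims of one phishing proxy all appear to sign in from it.
    Corporate NAT/VPN egress addresses look the same, so pass them in
    known_egress to suppress that false positive."""
    by_ip = {}
    for ev in events:
        if ev["mfa"] == "satisfied" and ev["ip"] not in known_egress:
            by_ip.setdefault(ev["ip"], []).append(ev)
    alerts = []
    for ip, evs in by_ip.items():  # evs keep the global timestamp order
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "shared_relay_ip", "ip": ip,
                               "users": sorted(users)})
                break  # one alert per IP is enough
    return alerts


def run(raw=SAMPLE_LOG, known_egress=frozenset({"198.51.100.7"})):
    """Run both detections over a log and return all alerts."""
    events = parse_events(raw)
    return (detect_session_replay(events)
            + detect_shared_relay_ip(events, known_egress=known_egress))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed log this yields one session-replay alert for bob (token used from 192.0.2.55 about 3.4 minutes after MFA on 203.0.113.10) and one shared-relay alert for 203.0.113.10 (bob and carol). The replay rule is the higher-confidence signal; the shared-IP rule needs an allowlist of legitimate egress addresses, and a real deployment should also suppress known mobile-carrier ranges before paging anyone.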