Mamba 2FA PaaS platform targets Microsoft 365 accounts in advanced AiTM attacks

A new phishing-as-a-service (PhaaS) platform called ‘Mamba 2FA’ has been discovered that is targeting Microsoft 365 accounts, particularly through Adversary-in-the-Middle (AiTM) techniques. At $250 per month, the platform offers threat actors well-crafted phishing pages and mechanisms to bypass multi-factor authentication (MFA).

Mamba 2FA is designed to capture authentication tokens through an AiTM setup, bypassing MFA protections that many organizations rely on to secure their accounts. With this setup, attackers can intercept and steal one-time passcodes and authentication cookies, allowing them to take over accounts without needing the victim's second authentication factor.

The platform leverages the Socket.IO JavaScript library to establish communication between the phishing pages and backend relay servers, which then interact with Microsoft's servers using stolen credentials.

Mamba 2FA was first documented in June 2024 by researchers at cybersecurity firm Any.Run. However, Sekoia reports tracking activity tied to this platform since May 2024, with additional evidence suggesting phishing campaigns were backed by Mamba 2FA as early as November 2023.

Following public disclosure, Mamba 2FA began using proxy servers from commercial provider IPRoyal to conceal the IP addresses of its relay servers in authentication logs.
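The AiTM flow described above leaves a trace a defender can hunt for: the victim completes MFA from their own network, and shortly afterwards the captured session cookie is used by the relay (or, after the change noted above, a commercial proxy) from a different IP and network. The following added example, which is not code from the article or from Sekoia or Any.Run, runs that heuristic over a constructed, simplified sign-in log; the log format, field names and sample values are all assumptions made for the illustration.

```python
"""Heuristic detector for AiTM session-cookie replay (constructed example).

Input is a constructed, simplified sign-in log, one event per line:
  <ISO timestamp> <user> <session_id> <client_ip> <asn> <event>
where <event> is LOGIN_MFA_OK (MFA completed) or SESSION_USE (cookie reused).
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user session ip asn kind")

# Constructed sample log: alice completes MFA from the corporate ASN, then the
# same session cookie is used minutes later from another IP and ASN (the AiTM
# relay or proxy). bob's session is used only from where it was created.
SAMPLE_LOG = """\
2024-06-03T09:00:00 alice sess-a1 203.0.113.10 AS64500 LOGIN_MFA_OK
2024-06-03T09:04:30 alice sess-a1 198.51.100.77 AS64501 SESSION_USE
2024-06-03T09:10:00 bob sess-b7 203.0.113.22 AS64500 LOGIN_MFA_OK
2024-06-03T09:12:00 bob sess-b7 203.0.113.22 AS64500 SESSION_USE
"""


def parse(log: str) -> list:
    """Parse the constructed log format into Event tuples."""
    events = []
    for line in log.splitlines():
        ts, user, session, ip, asn, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, session, ip, asn, kind))
    return events


def find_token_replay(events, window=timedelta(minutes=30)):
    """Return (user, session, login_ip, replay_ip) for every session whose cookie
    is used from a different ASN than the one that completed MFA, within `window`
    of that sign-in. Purely heuristic: roaming users and VPNs also trigger it, so
    hits are triage leads, not verdicts."""
    origin = {}  # session id -> the LOGIN_MFA_OK event that created it
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "LOGIN_MFA_OK":
            origin[ev.session] = ev
        elif ev.kind == "SESSION_USE" and ev.session in origin:
            first = origin[ev.session]
            if ev.asn != first.asn and ev.ts - first.ts <= window:
                hits.append((ev.user, ev.session, first.ip, ev.ip))
    return hits


if __name__ == "__main__":
    for hit in find_token_replay(parse(SAMPLE_LOG)):
        print("possible AiTM cookie replay:", hit)
```

In a real tenant the equivalent signal comes from correlating the sign-in's session identifier, client IP and ASN across the identity provider's sign-in logs, with an allowlist for known corporate egress and VPN ranges to keep the false-positive rate manageable.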

Mamba 2FA employs sandbox detection techniques to evade analysis. When it detects a potential analysis environment, it redirects users to harmless Google 404 pages, thwarting investigation attempts.

The platform also facilitates real-time data transmission to attackers through a Telegram bot. Once a victim’s credentials and authentication cookies are captured, they are instantly delivered to the attacker, allowing them to take over the account.