“Sneaky Log” is a sophisticated cybercrime group that emerged in late 2024, operating a Phishing-as-a-Service (PhaaS) kit called “Sneaky 2FA”, which is designed to bypass two-factor authentication (2FA), also known as multi-factor authentication (MFA). This kit generates highly realistic phishing webpages, often pre-populated with the victim’s email address. It harvests Microsoft 365 session cookies to circumvent MFA, allowing attackers to authenticate directly to services. “Sneaky 2FA” also employs advanced evasion techniques like blurring login backgrounds and distinguishing between human users and bots to avoid detection and analysis. Offered on a monthly subscription basis for around $200 via Telegram, “Sneaky 2FA” highlights the ongoing struggle between cyber defenders and evolving threat tactics.
The NJCCIC detected a new variant of Sneaky Log in which the message contains a URL that leads to a password-protected PDF file hosted on Adobe[.]com or Google Drive. In one campaign, threat actors use compromised accounts to send a “Kindly review the document” themed message that also contains the password for viewing the document on an Adobe[.]com webpage.
Once the intended victim clicks the link and enters their password, they are presented with a “Review Document” link impersonating a PDF file. If the intended victim clicks this link, they are redirected to a website hosting the “Sneaky 2FA” kit.
The kit uses a Cloudflare Turnstile, IP filtering, and anti-debugging to evade bot sandboxing and analysis.
If the kit detects bot sandboxing or analyst activity, it redirects to a benign site (e.g., Wikipedia) or shows other harmless content.
If the kit determines that the activity comes from a potential victim, it proceeds to the next stage and displays a fake Microsoft sign-in screen.
If the victim enters their credentials, the kit performs credential and session cookie harvesting (Adversary-in-the-Middle, AiTM) by:
1. Intercepting the victim’s credentials.
2. Forwarding the credentials to the legitimate Microsoft 365 login page.
3. Intercepting the response from the legitimate service, including MFA prompts.
4. If MFA is required, presenting the MFA prompt to the victim and intercepting the MFA code.
5. Using the MFA code to complete the authentication process, then harvesting the session cookies issued by the legitimate service after successful authentication. This step allows the attacker to replay the session to gain access to the victim’s account without needing to enter the victim’s password or MFA again.
After successfully collecting the session cookies, the kit will often redirect the victim to a legitimate page (e.g., their actual Microsoft 365 dashboard or a generic website) to avoid suspicion. |
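The session replay described above leaves a trace defenders can look for: the same session identifier issued at sign-in later presented from a different client IP and browser. The following is an added example (not part of the NJCCIC advisory or the kit) that runs that check over constructed sign-in events; the field layout and values are assumptions, not real Microsoft 365 log records.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on Microsoft 365 sign-in/activity
# log fields (timestamp, user, session id, client IP, user agent). All values
# are invented for this example.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "alice@example.com", "sess-A1", "198.51.100.10", "Edge/120 Windows"),
    ("2025-01-10T09:01:30", "alice@example.com", "sess-A1", "198.51.100.10", "Edge/120 Windows"),
    # same session id reused minutes later from another network and browser
    ("2025-01-10T09:07:45", "alice@example.com", "sess-A1", "203.0.113.77", "Chrome/121 Linux"),
    ("2025-01-10T10:15:00", "bob@example.com", "sess-B9", "192.0.2.25", "Outlook/16 Windows"),
    ("2025-01-10T10:40:00", "bob@example.com", "sess-B9", "192.0.2.25", "Outlook/16 Windows"),
]

@dataclass
class ReplayAlert:
    user: str
    session_id: str
    auth_ip: str
    replay_ip: str
    auth_ua: str
    replay_ua: str
    minutes_after_auth: float

def find_session_replays(events, window=timedelta(hours=8)):
    """Return one alert per session whose cookie is later presented from a
    different client IP and a different user agent than the sign-in that
    created it. Requiring both to change keeps mobile IP roaming from
    firing; loosen to 'or' for a noisier but more sensitive rule."""
    by_session = defaultdict(list)
    for ts, user, sid, ip, ua in events:
        by_session[(user, sid)].append((datetime.fromisoformat(ts), ip, ua))
    alerts = []
    for (user, sid), rows in by_session.items():
        rows.sort(key=lambda r: r[0])
        auth_ts, auth_ip, auth_ua = rows[0]  # first use = the authenticating sign-in
        for ts, ip, ua in rows[1:]:
            if ts - auth_ts > window:
                break                         # beyond the replay window of interest
            if ip != auth_ip and ua != auth_ua:
                alerts.append(ReplayAlert(user, sid, auth_ip, ip, auth_ua, ua,
                                          (ts - auth_ts).total_seconds() / 60))
                break                         # one alert per session is enough
    return alerts

if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_EVENTS):
        print(f"{a.user}: session {a.session_id} replayed from {a.replay_ip} "
              f"({a.replay_ua}) {a.minutes_after_auth:.1f} min after sign-in")
```

In production the same logic maps onto the session/correlation identifiers in Entra ID sign-in logs, with an ASN or geolocation comparison replacing the raw IP check.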