New Threat For Microsoft 365 Accounts – Mamba 2FA Phishing Platform
- A new PhaaS platform called Mamba 2FA has been attacking Microsoft 365 accounts, Entra ID accounts, and other enterprise systems.
- The platform started running attacks in November 2023 but has been gaining a lot more traction since March 2024.
- Organizations can defend against it by adopting phishing-resistant MFA and by monitoring sign-in logs for unfamiliar sign-in attempts, especially those coming from proxy IP addresses.
A new phishing-as-a-service (PhaaS) platform named Mamba 2FA has been gaining traction. It was found running adversary-in-the-middle (AiTM) attacks against Microsoft 365 and Entra ID accounts and other enterprise systems: the kit relays the victim's login to the real service, steals the credentials and the resulting session cookies, and so bypasses the victim's multi-factor authentication (MFA). Individual and enterprise customers are equally at risk.
When Was the Platform Discovered?
The platform was first documented by analysts at Any.Run in late June 2024. However, Sekoia's Threat Detection & Research (TDR) team says it has been tracking the platform since May 2024, when a partner alerted the team to a phishing campaign that used HTML attachments to mimic Microsoft 365 login pages.
It is hard to say when the platform was launched, but there is evidence of it running phishing campaigns since November 2023.
The worst part is that the phishing kit is sold to other cybercriminals for $250 per month on ICQ and Telegram, so even attackers with little technical skill can deploy it. The kit generates both the phishing links and the HTML attachments for them.
After its campaigns were publicly documented, the Mamba 2FA operators changed parts of their infrastructure and methodology to evade detection.
- For example, the relay servers initially connected directly to Microsoft Entra ID, which exposed their IP addresses and made them easy to block.
- Since October 2024 the relays have instead routed that traffic through IPRoyal proxy servers, so a defender sees a proxy address rather than the relay's own.
- The link domains used in the phishing URLs are rotated weekly, so a blocklist entry is stale almost as soon as a security tool creates it.
- If the kit detects that it is being analyzed, it immediately redirects the visitor to a 404 error page instead of serving the lure.
- Last but not least, the HTML attachments were padded with filler content that buries the small piece of JavaScript that launches the attack, which makes the malicious part harder for security tools to spot.
The phishing pages imitate legitimate sign-in pages for Microsoft services such as SharePoint and OneDrive. The phishing URL also follows a specific format, carrying Base64-encoded parameters that identify the target so the page can be customized for that victim.
If the target is an enterprise account, for example, the page automatically reproduces that organization's branded login page, complete with logos and background image.
Image credit: Sekoia
- During the attack, the kit uses proxy relays to run an AiTM phishing session. Because the relay sits between the victim and the real Microsoft login, it captures the password, any one-time passcode the victim types, and the authentication cookies Microsoft issues afterwards, which defeats every MFA method that is not phishing-resistant.
- The phishing page talks to the relay servers through the Socket.IO JavaScript library, which carries each step of the login flow back and forth in real time.
- The backend relay servers then replay the captured credentials and MFA codes to Microsoft's servers, completing the real sign-in on the victim's behalf.
- At the end of the process, the stolen credentials and authentication cookies are sent to the attacker through a Telegram bot, so they can open a new session with the victim's identity immediately.
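The relay flow above is easier to see with a toy model. The following Python is an added illustration, not code from Mamba 2FA, Sekoia or Microsoft: HMAC stands in for both the TOTP and the security key's signature, and every origin, account and secret in it is constructed. It shows why a relayed one-time passcode hands the attacker a usable session cookie, while a WebAuthn-style assertion signed for the lure origin is rejected by the real service.

```python
"""Toy model of the relay flow described above against two MFA methods: a one-time
passcode (relayable) and a WebAuthn-style origin-bound assertion (not). Added
illustration, not Mamba 2FA or Microsoft code; HMAC stands in for TOTP and for the
key's signature, and every origin, account and secret here is constructed."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.microsoftonline.com"
PHISH_ORIGIN = "https://login-m365-verify.example"  # hypothetical lure domain
USER = "alice@corp.example"


def _mac(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Stand-in for the real sign-in service."""

    def __init__(self):
        self.users = {USER: {"password": "Winter2024!", "otp_seed": b"constructed-otp-seed"}}
        self.fido_keys = {USER: b"constructed-key-secret"}  # key registered against LEGIT_ORIGIN
        self.sessions = {}  # session cookie -> user

    def current_otp(self, user):
        return _mac(self.users[user]["otp_seed"], "window-1")[:6]  # fixed window stands in for TOTP

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_password_otp(self, user, password, otp):
        u = self.users.get(user)
        if not u or u["password"] != password or otp != self.current_otp(user):
            return None
        return self._issue_cookie(user)

    def webauthn_challenge(self):
        return secrets.token_hex(16)

    def login_webauthn(self, user, challenge, signature):
        # As a WebAuthn relying party would: the signed client data must name *this* origin.
        key = self.fido_keys.get(user)
        if key is None or not hmac.compare_digest(signature, _mac(key, f"{challenge}|{LEGIT_ORIGIN}")):
            return None
        return self._issue_cookie(user)


def security_key_sign(secret, challenge, browser_origin):
    """Security key: signs the challenge together with the origin the browser reports."""
    return _mac(secret, f"{challenge}|{browser_origin}")


class AitmRelay:
    """Proxy between the lure page and the real IdP; everything passing through is copied."""

    def __init__(self, idp):
        self.idp, self.loot = idp, {}

    def relay_password_otp(self, user, password, otp):
        cookie = self.idp.login_password_otp(user, password, otp)
        self.loot = {"user": user, "password": password, "otp": otp, "cookie": cookie}
        return cookie

    def relay_webauthn(self, user, victim_signs):
        challenge = self.idp.webauthn_challenge()  # fetched from the real IdP, shown on the lure
        cookie = self.idp.login_webauthn(user, challenge, victim_signs(challenge))
        self.loot = {"user": user, "cookie": cookie}
        return cookie


def run_otp_phish():
    """Victim types password + OTP into the lure; the relay forwards both and keeps the cookie."""
    idp = IdentityProvider()
    relay = AitmRelay(idp)
    relay.relay_password_otp(USER, "Winter2024!", idp.current_otp(USER))
    return relay.loot["cookie"] in idp.sessions  # attacker replays it: live session, no MFA prompt


def run_webauthn_phish():
    """Same relay, but the victim uses a security key while the browser sits on the lure origin."""
    idp = IdentityProvider()
    secret = idp.fido_keys[USER]
    # The browser, not the page, reports the origin, so PHISH_ORIGIN is what the key signs.
    return AitmRelay(idp).relay_webauthn(USER, lambda c: security_key_sign(secret, c, PHISH_ORIGIN))


def run_webauthn_legit():
    """Control: the same key used directly on the real origin signs in normally."""
    idp = IdentityProvider()
    challenge = idp.webauthn_challenge()
    sig = security_key_sign(idp.fido_keys[USER], challenge, LEGIT_ORIGIN)
    return idp.login_webauthn(USER, challenge, sig) in idp.sessions


if __name__ == "__main__":
    print(run_otp_phish(), run_webauthn_phish(), run_webauthn_legit())  # True None True
```

The OTP path succeeds because nothing in a six-digit code ties it to the site that asked for it; the relay just forwards it. The WebAuthn path fails because the assertion covers the origin the browser was actually on, and the attacker cannot change what the browser reports without also invalidating the signature.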
Because AiTM attacks relay the MFA exchange rather than break it, organizations that rely on Microsoft 365 should adopt MFA methods that are phishing-resistant: FIDO2/WebAuthn hardware security keys and device-bound passkeys, including platform authenticators such as Windows Hello for Business that unlock with biometrics. These bind the credential to the legitimate login origin, so an assertion produced on a lookalike domain is rejected.
- Authentication logs should also be reviewed regularly for sign-ins from proxy IP ranges, and an MFA-satisfied sign-in from an unfamiliar address deserves a closer look.
- Email and web security controls that can detect Base64-encoded parameters in phishing URLs and HTML attachments should also be put in place.
- Last but not least, the domains and IP addresses used in these attacks are listed in the report published by Sekoia. Organizations can feed those indicators into blocklists and detection rules.
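The three detection ideas above can be turned into concrete checks. The Python below is an added example, not Sekoia's or The Tech Report's code; the lure URL, the padded HTML attachment, the sign-in records and the proxy range are all constructed for the demonstration and are not real Mamba 2FA indicators. It decodes Base64 query parameters and flags ones that turn out to be an email address, measures how small the script is relative to the filler in an HTML attachment, and matches sign-in source addresses against a proxy range list.

```python
"""Detection checks for the indicators discussed above: Base64-encoded victim
identifiers in lure URLs, a small script buried in a padded HTML attachment, and
sign-ins from known proxy ranges. Added example, not Sekoia's or The Tech Report's
code; every input below is constructed and is not a real Mamba 2FA indicator."""
import base64
import binascii
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64ISH_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")


def try_b64(value: str):
    """Decode as url-safe or standard Base64 (padding tolerated); None unless printable text."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", candidate):
        return None
    candidate += "=" * (-len(candidate) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(candidate).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.isprintable():
            return text
    return None


def inspect_lure_url(url: str) -> dict:
    """Query parameters that decode to readable text, and whether that text is an email address."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is not None:
            findings[name] = {"decoded": decoded, "is_email": EMAIL_RE.fullmatch(decoded) is not None}
    return findings


def inspect_html_attachment(html: str) -> dict:
    """Script-to-filler ratio plus any Base64-looking blob inside the script."""
    scripts = SCRIPT_RE.findall(html)
    frac = sum(len(s) for s in scripts) / max(len(html), 1)
    blobs = [m for s in scripts for m in B64ISH_RE.findall(s)]
    return {"script_fraction": frac, "b64_blobs": len(blobs), "suspicious": bool(blobs) and frac < 0.05}


def flag_proxy_signins(records: list, proxy_cidrs: list) -> list:
    """Sign-ins whose source IP falls inside a proxy range (e.g. a residential-proxy feed)."""
    nets = [ipaddress.ip_network(c) for c in proxy_cidrs]
    return [(r["userPrincipalName"], r["ipAddress"], r["createdDateTime"]) for r in records
            if any(ipaddress.ip_address(r["ipAddress"]) in n for n in nets)]


# --- constructed sample inputs (not real indicators) ---
SAMPLE_URL = "https://login-verify.example/auth/?id=YWxpY2VAY29ycC5leGFtcGxl&ref=home"
SAMPLE_HTML = ("<html><body>" + "<p>Quarterly invoice summary, see attached details.</p>" * 400
               + "<script>var p=atob('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5');</script>"
               + "</body></html>")
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-10-07T09:12:44Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "203.0.113.77"},
    {"createdDateTime": "2024-10-07T09:13:10Z", "userPrincipalName": "alice@corp.example",
     "ipAddress": "198.51.100.14"},
    {"createdDateTime": "2024-10-07T10:02:01Z", "userPrincipalName": "bob@corp.example",
     "ipAddress": "192.0.2.5"},
]
PROXY_RANGES = ["198.51.100.0/24"]  # stand-in for a proxy-provider IP feed, not IPRoyal's real ranges

if __name__ == "__main__":
    print(inspect_lure_url(SAMPLE_URL))
    print(inspect_html_attachment(SAMPLE_HTML))
    print(flag_proxy_signins(SAMPLE_SIGNINS, PROXY_RANGES))
```

In production the proxy range list would come from a threat-intelligence feed and the sign-in records from the Entra ID sign-in log export; the URL and attachment checks belong in the mail gateway or a detonation pipeline, where a parameter that decodes to one of your own users' addresses is a strong signal on its own.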
The post New Threat For Microsoft 365 Accounts - Mamba 2FA Phishing Platform appeared first on The Tech Report.