Cybersecurity researchers have been tracking the emergence of a new phishing-as-a-service (PhaaS) platform, Mamba 2FA, geared towards compromising Microsoft 365 user accounts.
For $250 per month, Mamba 2FA provides threat actors access to its inventory of well-crafted fake login pages with an embedded adversary-in-the-middle (AiTM) feature that captures victim’s authentication tokens to bypass multi-factor authentication (MFA) controls.
The attack begins with a phishing email designed to entice the recipient to click on a link to access a document or voicemail. Once they do, they are prompted with a seemingly legitimate M365 login request in order to view the requested content. For victims with enterprise M365 accounts, the prompt goes so far as to dynamically include their company’s logo and custom login branding to make the request appear more authentic.
Once the unsuspecting victim ‘logs in’ to the fake site, a Socket.IO connection is established between the phishing page and a Mamba 2FA-controlled relay server, which communicates with Microsoft's servers using the inputted credentials and MFA code.
To hide from cybersecurity analysts, Mamba 2FA phishing sites are configured to redirect to a Google 404 error page when attempted analysis from sandbox environments is detected.
Source: Bleeping Computer
Analysis
PhaaS kits such as Mamba 2FA allow threat actors with limited technical skill and experience to engage in sophisticated phishing activities when they otherwise wouldn’t have had the capability to do so. The kits effectively turn the average criminal into a cybercriminal overnight, representing a significant threat to organizations and individuals worldwide.
While one may assume it is difficult to configure a phishing site to dynamically display the targets's company logo, this is easily accomplished by submitting a curl request to Microsoft's API which will return a JSON file containing links to all of the companies login branding.
Fortunately, phishing is a well-known attack vector and mitigated by implementing a combination of administrative security controls, such as phishing awareness training, with technical security controls, such as automatic scanning and URL stripping.
However, in most cases, the difference between being compromised or not comes down to the recipient of the phishing email and whether they have the awareness not to fall victim to it.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats to M365 user accounts. Field Effect MDR users are automatically notified when their M365 accounts are accessed from suspicious IP addresses, ISPs, or geographical areas, and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.
Related Articles
