A phishing-as-a-service (PhaaS) platform called Mamba 2FA is being used by cybercriminals to target Microsoft 365 accounts. It serves convincing fake Microsoft login pages that relay whatever the victim types to the real Microsoft sign-in service in real time, so it captures not only the username and password but also the one-time code or push approval used for multi-factor authentication (MFA) and, most importantly, the authenticated session cookie Microsoft issues once MFA succeeds. This technique is called “adversary-in-the-middle” (AiTM): the attacker sits between the victim and the genuine service, and the stolen cookie lets them use the account without ever facing MFA again.
Mamba 2FA is sold to criminals as a subscription for approximately £200 per month, which makes it an appealing and fast-growing tool in the cybercrime world.
How it Works
Mamba 2FA first came to public attention in mid-2024, although its infrastructure and campaigns have been traced back to late 2023. Initially advertised on ICQ and Telegram, the platform has evolved over time, adding features that make it harder to detect. For instance:
- It now routes its connections to Microsoft through proxy servers, so the sign-in Microsoft sees comes from a rotating proxy address rather than from the kit’s own relay server, which makes blocking that server’s IP address ineffective.
- The phishing domains, page contents and lure URLs change frequently, so blocklists and reputation-based filters lag behind.
- The lure is often delivered in seemingly harmless email attachments (for example an HTML file that simply redirects the browser to the phishing page), leaving attachment scanners little to catch.
Targeting Microsoft 365 users
Mamba 2FA is built specifically for Microsoft 365 (M365) users, which covers the businesses and individuals who rely on services such as OneDrive, SharePoint and Exchange Online email. Because the kit proxies the real sign-in flow, it can take over accounts protected by MFA: the credentials and MFA response the victim enters are forwarded straight to Microsoft’s servers, and the session cookie that comes back is what the attackers keep.
[Architecture of the Mamba 2FA phishing kit. Source: Sekoia]
The phishing pages look very convincing: the kit can pull the target organisation’s own sign-in branding (logo and background) so the page matches what users see every day. Once a session is captured it is forwarded to the operators immediately (via a Telegram bot), and they can start using the account right away, before the victim suspects anything.
Related Questions:
What can you do to protect your business?
Mamba 2FA lets even inexperienced attackers run highly effective phishing campaigns. The key point for defenders is that an AiTM kit does not break MFA; it defeats any MFA method whose proof can be relayed (SMS codes, authenticator codes, push approvals). Protection therefore needs controls that cannot be relayed, or that limit what a stolen session is worth, such as:
- Phishing-resistant authentication: certificate-based authentication and FIDO2 security keys or passkeys bind the credential to the legitimate origin (the real login.microsoftonline.com), so a proxy on a look-alike domain cannot relay it. Certificates issued only to managed devices also ensure that only authorised devices can sign in.
- Geo-blocking and IP allowlisting (Conditional Access named locations): restrict sign-ins to the countries and trusted IP ranges your staff actually use. One caveat: Mamba 2FA routes through proxies that may sit in the victim’s own country, so treat this as friction rather than a complete block.
- Limiting the lifespan of authentication tokens and sessions: a stolen session cookie is only useful until it expires, so shorter sign-in frequency and session lifetimes, together with Continuous Access Evaluation, shrink the window in which a captured session can be misused. Conditional Access can also require a compliant or hybrid-joined device, so a cookie replayed from the attacker’s machine fails policy.
- Invest in cyber security training: keep staff current on the latest lures and best practice, and teach them the one tell an AiTM page cannot hide, the address bar: the genuine Microsoft sign-in lives at login.microsoftonline.com (or your organisation’s own federated sign-in domain).
By adopting these controls, you can better protect your business from phishing attacks that get past conventional MFA.
How would an attack like this go unnoticed, even with multi-factor authentication (MFA) in place?
Even though MFA adds an extra layer of security, phishing-as-a-service platforms like Mamba 2FA bypass it with AiTM (adversary-in-the-middle) attacks. When you enter your password and then your MFA code (or approve the push prompt) on the fake page, the kit relays each step to Microsoft in real time, so Microsoft completes a normal, successful, MFA-satisfied sign-in and hands back a session cookie, which the attacker keeps. From the system’s perspective this was a legitimate login with correct credentials. The only traces are that the sign-in came from the kit’s proxy rather than from the user’s usual network, and that the same session is later used from yet another address.
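That last trace is what a detection can key on. The script below is an added example, not code from the article, from Sekoia or from the Mamba 2FA kit: it groups Entra ID sign-in records by session, anchors each session on the interactive MFA-satisfied sign-in that minted it, and flags any later use of the same session from a different autonomous system. The records are constructed (RFC 5737 test addresses, RFC 5398 documentation AS numbers); the field names follow the Entra sign-in log schema but the schema shown is a simplified subset, and the function names are ours.

```python
"""Flag Entra ID sessions that are used from a different network than the one
that authenticated them, the footprint an AiTM cookie replay leaves behind.

Added example, not Mamba 2FA's code. SAMPLE_LOG is constructed: Alice's MFA
sign-in is relayed by a phishing proxy (AS64496, GB) and three minutes later
her session cookie is replayed by the attacker from AS64500 in the US with a
different browser. Bob is an ordinary user whose token refresh comes from the
same network as his interactive sign-in.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG: List[dict] = [
    {"userPrincipalName": "alice@contoso.example", "sessionId": "s-1001",
     "createdDateTime": "2024-10-08T09:00:00Z", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64496, "location": {"countryOrRegion": "GB"},
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0"},
    {"userPrincipalName": "alice@contoso.example", "sessionId": "s-1001",
     "createdDateTime": "2024-10-08T09:03:00Z", "ipAddress": "198.51.100.77",
     "autonomousSystemNumber": 64500, "location": {"countryOrRegion": "US"},
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "s-2002",
     "createdDateTime": "2024-10-08T09:10:00Z", "ipAddress": "192.0.2.25",
     "autonomousSystemNumber": 64505, "location": {"countryOrRegion": "GB"},
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/129.0"},
    {"userPrincipalName": "bob@contoso.example", "sessionId": "s-2002",
     "createdDateTime": "2024-10-08T10:10:00Z", "ipAddress": "192.0.2.25",
     "autonomousSystemNumber": 64505, "location": {"countryOrRegion": "GB"},
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/129.0"},
]


@dataclass(frozen=True)
class SignIn:
    upn: str
    session_id: str
    time: datetime
    ip: str
    asn: int
    country: str
    interactive: bool
    mfa_satisfied: bool
    user_agent: str


def parse(records: List[dict]) -> List[SignIn]:
    """Flatten raw sign-in JSON into SignIn objects, oldest first."""
    out = []
    for r in records:
        out.append(SignIn(
            upn=r["userPrincipalName"],
            session_id=r["sessionId"],
            time=datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            ip=r["ipAddress"],
            asn=int(r["autonomousSystemNumber"]),
            country=r["location"]["countryOrRegion"],
            interactive=bool(r["isInteractive"]),
            mfa_satisfied=r["authenticationRequirement"] == "multiFactorAuthentication",
            user_agent=r.get("userAgent", ""),
        ))
    return sorted(out, key=lambda s: s.time)


def find_hijacked_sessions(signins: List[SignIn],
                           window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Return one finding per session whose later use comes from another network.

    The anchor is the session's first interactive, MFA-satisfied sign-in (in an
    AiTM attack, the moment the cookie was minted via the proxy). Any later event
    in the same session from a different autonomous system within `window` is
    flagged; a change of country or browser is recorded as supporting evidence.
    Comparing AS numbers rather than raw IPs tolerates address churn inside one
    network; tune `window` and add an allowlist for known VPN ranges in production.
    """
    by_session: Dict[Tuple[str, str], List[SignIn]] = defaultdict(list)
    for s in signins:
        by_session[(s.upn, s.session_id)].append(s)

    findings = []
    for (upn, sid), events in by_session.items():
        anchor = next((e for e in events if e.interactive and e.mfa_satisfied), None)
        if anchor is None:
            continue
        for e in events:
            if e.time <= anchor.time or e.time - anchor.time > window:
                continue
            if e.asn != anchor.asn:
                findings.append({
                    "upn": upn, "session_id": sid,
                    "auth_ip": anchor.ip, "auth_asn": anchor.asn, "auth_country": anchor.country,
                    "replay_ip": e.ip, "replay_asn": e.asn, "replay_country": e.country,
                    "minutes_after": int((e.time - anchor.time).total_seconds() // 60),
                    "country_changed": e.country != anchor.country,
                    "user_agent_changed": e.user_agent != anchor.user_agent,
                })
                break  # one finding per session is enough to trigger response
    return findings


if __name__ == "__main__":
    for f in find_hijacked_sessions(parse(SAMPLE_LOG)):
        print(f"{f['upn']}: session {f['session_id']} minted via {f['auth_ip']} "
              f"(AS{f['auth_asn']}, {f['auth_country']}) replayed {f['minutes_after']} min "
              f"later from {f['replay_ip']} (AS{f['replay_asn']}, {f['replay_country']})")
```

Run against real exports (for example the Graph `auditLogs/signIns` feed or a Sentinel SigninLogs export) the same logic catches the sign-in-from-proxy-then-use-from-elsewhere pattern that the interactive login alone hides; the interactive sign-in itself looks clean because it genuinely satisfied MFA.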
What should I do if I think my organisation has been targeted by a phishing attack?
If you suspect an attack, the first step is to contain the compromised accounts immediately: revoke their sign-in sessions (this invalidates refresh tokens and session cookies, which is what the kit stole; access tokens already issued live on until they expire unless Continuous Access Evaluation is in force) and consider disabling the accounts while you investigate. Then reset the affected passwords and enforce re-authentication across the organisation. A forensic review should establish the extent of the breach, including what the attacker did with the session: look for newly registered MFA methods, mailbox rules that forward or delete mail, consent grants to unfamiliar applications, and data accessed in SharePoint and OneDrive. Notify the relevant stakeholders and clients, report the incident to your regulators where required, and finally review and improve your defences.
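The containment and triage steps above map onto a handful of Microsoft Graph calls. The script below is an added example (not part of the original article) that performs them in the order a responder wants: revoke sessions, disable the account, then pull the evidence. It uses only Graph v1.0 endpoints; the token it is given must carry permissions covering user updates, audit log reads, authentication-method reads and mailbox-settings reads (typically User.ReadWrite.All, AuditLog.Read.All, UserAuthenticationMethod.Read.All and MailboxSettings.Read). The transport is pluggable so the logic can be exercised offline; `contain_and_triage` and `graph_transport` are our names.

```python
"""Contain a suspected AiTM-compromised Microsoft 365 account and collect triage data.

Added example, not the article's or Microsoft's code. Every URL is a Microsoft Graph
v1.0 endpoint; `call` is a pluggable transport (method, url, body) -> dict so the
sequence can be tested with a fake. Run for real with graph_transport(<token>).
"""
import json
import urllib.request
from typing import Callable, Optional
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
Transport = Callable[[str, str, Optional[dict]], dict]


def graph_transport(access_token: str) -> Transport:
    """Return a transport that performs bearer-authenticated calls to Microsoft Graph."""
    def call(method: str, url: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return call


def contain_and_triage(upn: str, call: Transport) -> dict:
    """Contain first, then gather evidence of what the stolen session was used for."""
    user = f"{GRAPH}/users/{quote(upn)}"

    # 1. Revoke sign-in sessions: invalidates refresh tokens and browser session
    #    cookies (what the AiTM kit captured). Access tokens already issued stay
    #    valid until expiry unless Continuous Access Evaluation cuts them off.
    call("POST", f"{user}/revokeSignInSessions", None)
    # 2. Block new sign-ins, including any attempt to re-phish the user, while
    #    the investigation runs. Re-enable after the password reset.
    call("PATCH", user, {"accountEnabled": False})

    # 3. Evidence: recent sign-ins, registered MFA methods, inbox rules.
    flt = quote(f"userPrincipalName eq '{upn}'")
    signins = call("GET", f"{GRAPH}/auditLogs/signIns?$filter={flt}&$top=50", None)
    methods = call("GET", f"{user}/authentication/methods", None)
    rules = call("GET", f"{user}/mailFolders/inbox/messageRules", None)

    # Inbox rules that forward, redirect, delete or file mail out of sight are a
    # classic follow-on to a hijacked session (used to hide the attacker's traffic).
    suspicious_rules = []
    for rule in rules.get("value", []):
        actions = rule.get("actions") or {}
        exfil = any(k in actions for k in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"))
        if exfil or actions.get("delete") or actions.get("moveToFolder"):
            suspicious_rules.append(rule.get("displayName", "<unnamed>"))

    return {
        # Distinct source addresses: compare against the user's normal networks.
        "sign_in_ips": sorted({s.get("ipAddress") for s in signins.get("value", [])
                               if s.get("ipAddress")}),
        # Method types only; an attacker-added authenticator shows up here.
        "auth_methods": sorted(m.get("@odata.type", "").rsplit(".", 1)[-1]
                               for m in methods.get("value", [])),
        "suspicious_rules": suspicious_rules,
    }


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("GRAPH_TOKEN")
    if not token or len(sys.argv) != 2:
        sys.exit("usage: GRAPH_TOKEN=<access token> python contain.py user@domain")
    print(json.dumps(contain_and_triage(sys.argv[1], graph_transport(token)), indent=2))
```

Password reset is deliberately left to the administrator's normal tooling: doing it from the same script means the script holds a new password, and the reset should happen after containment, not before, so that the attacker cannot race the reset with a still-valid refresh token.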
In conclusion, Mamba 2FA represents a new wave of sophisticated cyber threats that can bypass traditional security measures like multi-factor authentication, leaving even the most security-conscious businesses vulnerable. Whether you’re in the legal, finance, or any other industry handling sensitive information, the risks are real and growing. Attackers are evolving, and so should your IT defence strategy.
The moral of this recent event is clear: businesses need to stay ahead of these threats by understanding the tools cybercriminals use and taking proactive steps to safeguard their data. Mamba 2FA and similar services allow even low-skilled attackers to launch highly effective phishing attacks. It’s no longer a question of if your business might be targeted, but when.