Microsoft 365 accounts targeted by dangerous new phishing scam

Shadowed hands on a digital background reaching for a login prompt.

Image Credit: Shutterstock (Image credit: Shutterstock)

Security experts have warned of a new phishing-as-a-service (PhaaS) platform that’s emerging as a serious threat, thanks to its advanced features, obfuscation techniques, and competitive pricing.

Security researchers from Sekoia have revealed more on Mamba 2FA, which has been on the market since at least November 2023.

Crooks are mostly using it to target people’s Microsoft 365 accounts, both private and corporate, and it costs $250 a month which, they say, is a rather competitive price, drawing much interest from the cybercriminal community.

Adversary in the middle

Over the last couple of months, the platform was upgraded and enhanced multiple times, and now masks the IP addresses of relay servers on authentication logs, and rotates link domains used in phishing URLs, to avoid blacklisting.

Crooks that purchase the service can create convincing Microsoft 365 login pages, which even allow for the capture of the victim’s authentication tokens, multi-factor authentication (MFA) codes, and similar advanced protections.

All of this has made Mamba 2FA a formidable foe. Sekoia’s researchers said that during the observation period, they saw the PhaaS in action multiple times, suggesting a widespread threat.

Phishing continues to be the number one attack vector around the world. Its omnipresence, low cost, and the ease at which addresses can be found, make email the go-to avenue to steal sensitive data, or deploy malware. In recent years, companies started demanding their employees use multi-factor authentication to provide an extra layer of security and make sure passwords stolen via phishing cannot be abused.

Criminals have responded by creating adversary-in-the-middle (AiTM) solutions, as is Mamba 2FA, which can even trick the victim into sharing MFA codes with the attackers, as well. In some instances, the criminals will allow the victim to log into the legitimate service simultaneously, increasing the perceived legitimacy and reducing the chances of being spotted.

Via BleepingComputer

More from TechRadar Pro

This new phishing attack targets iPhone and Android alike via RCS
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.