New Mamba 2FA bypass service targets Microsoft 365 accounts
- Thiru T
- Oct 15, 2024

Mamba 2FA Overview: A developing phishing-as-a-service (PhaaS) platform specializing in adversary-in-the-middle (AiTM) attacks, designed to bypass multi-factor authentication (MFA).
Attack Mechanism: By using carefully crafted login pages, Mamba 2FA captures victims' credentials, allowing attackers to gain unauthorized access.
Cost and Accessibility: Priced at $250 per month, Mamba 2FA is attracting cybercriminals due to its competitive offering and ease of use.
Operational Timeline: Initial reports emerged in June 2024, but tracking indicates activity as early as November 2023, with the kit sold via Telegram.
Infrastructure Improvements: After being exposed, Mamba 2FA enhanced its tactics, including using proxy servers to obscure IP addresses and cycling phishing URLs weekly to evade detection.
Phishing Techniques: The platform provides customizable phishing templates for various Microsoft services, ensuring the phishing pages closely mimic legitimate sites.
Data Capture and Session Hijacking: Stolen credentials and cookies are sent to attackers via a Telegram bot, allowing immediate session hijacking.
Sandbox Evasion: Mamba 2FA includes measures to evade detection by security systems, redirecting analysis attempts to benign Google 404 pages.
Recommendations for Protection: To combat PhaaS threats, organizations are advised to implement hardware security keys, certificate-based authentication, geo-blocking, and IP protection.
Evolving Threat Landscape: The rise of platforms like Mamba 2FA underscores the increasing sophistication of phishing attacks targeting Microsoft 365 users.
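
A defender-side illustration of the session hijacking and IP-based points above, added here and not taken from the original article or from any vendor: it flags a session token that reappears from a different IP shortly after the MFA-backed sign-in. The record layout, the severity labels and the 30-minute window are assumptions, and the sign-in events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sign-in records: (time, user, session id, source IP, country, MFA performed).
# The layout is hypothetical, not a vendor log schema.
EVENTS = [
    ("2024-10-15T08:00:00", "carol@example.com", "s-3003", "192.0.2.77", "DE", True),
    ("2024-10-15T08:05:00", "carol@example.com", "s-3003", "192.0.2.99", "DE", False),
    ("2024-10-15T09:00:05", "alice@example.com", "s-1001", "198.51.100.7", "US", True),
    ("2024-10-15T09:02:40", "alice@example.com", "s-1001", "203.0.113.50", "NL", False),
    ("2024-10-15T09:10:00", "bob@example.com", "s-2002", "192.0.2.10", "US", True),
    ("2024-10-15T09:40:00", "bob@example.com", "s-2002", "192.0.2.10", "US", False),
    ("2024-10-15T10:00:00", "dave@example.com", "s-4004", "198.51.100.20", "US", True),
    ("2024-10-15T16:00:00", "dave@example.com", "s-4004", "198.51.100.90", "US", False),
]


def find_session_replay(events, window=timedelta(minutes=30)):
    """Return (user, session, origin_ip, new_ip, severity) for each session
    reused from a new IP, without fresh MFA, soon after it was issued."""
    origin = {}  # session id -> (time, ip, country) of the MFA-backed sign-in
    alerts = []
    # ISO 8601 timestamps sort chronologically as strings.
    for ts, user, session, ip, country, mfa in sorted(events):
        when = datetime.fromisoformat(ts)
        if mfa:
            origin[session] = (when, ip, country)
            continue
        if session not in origin:
            continue  # no MFA-backed sign-in seen for this session
        t0, ip0, country0 = origin[session]
        # Same token, different source, shortly after issuance: likely replay.
        if ip != ip0 and when - t0 <= window:
            severity = "high" if country != country0 else "medium"
            alerts.append((user, session, ip0, ip, severity))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

The short window matches the immediate hijacking described above; a token replayed hours later (as in the constructed `dave` record) would need a separate, longer-horizon rule.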


