The newly emerged Mamba 2FA phishing kit has quickly gained traction in the phishing-as-a-service (PhaaS) market because it lets threat actors with little expertise run adversary-in-the-middle (AiTM) credential phishing campaigns.
Reports indicate that the kit can bypass MFA methods that are not phishing-resistant, such as one-time passcodes and authenticator app notifications. Researchers first encountered it in a phishing campaign that impersonated Microsoft 365 login pages.
Initial analysis showed the kit operating as an AiTM relay: the phishing page forwards the victim's credentials and MFA responses to a backend server, which completes the login against the genuine service. Because some of its characteristics resemble the Tycoon 2FA PhaaS platform, an earlier report attributed the campaign to Tycoon 2FA; further analysis showed that it used a previously unknown AiTM kit, now tracked as Mamba 2FA.
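To make the "non-phishing-resistant" distinction concrete, the following added example (not code from the article, Mamba 2FA, or any of the researchers cited) simulates both sides of an AiTM relay in Python. A toy identity provider accepts either a password plus one-time code or an origin-bound assertion in the style of WebAuthn; a toy relay forwards whatever the victim submits on the phishing page. The origins, user, and key material are hypothetical, and HMAC-SHA256 stands in for the authenticator's real asymmetric signature. The relayed one-time code yields a valid session cookie for the attacker, while the relayed assertion is rejected because the browser recorded the phishing origin in the signed client data.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical origins for the simulation (not from the article).
REAL_ORIGIN = "https://login.example-idp.test"
PHISH_ORIGIN = "https://login.example-idp.attacker.test"


def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """Stand-in for a FIDO2 authenticator. In WebAuthn the browser, not the page,
    writes the origin it is on into clientDataJSON and the authenticator signs
    over it. HMAC-SHA256 replaces the real asymmetric signature in this demo."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


class IdentityProvider:
    """Toy IdP with two second factors: a one-time code and an origin-bound assertion."""

    def __init__(self):
        # Constructed sample user; the one-time code is fixed rather than time-based.
        self.users = {"alice": {"password": "hunter2", "otp": "483920",
                                "key": b"alice-authenticator-key"}}
        self.sessions = {}

    def _issue_session(self, username: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = username
        return cookie

    def login_with_otp(self, username, password, otp):
        u = self.users.get(username)
        if u is None or password != u["password"] or otp != u["otp"]:
            return None
        # The IdP cannot tell who typed the code: a relayed code is as good as a real one.
        return self._issue_session(username)

    def login_with_assertion(self, username, challenge, assertion):
        u = self.users.get(username)
        if u is None:
            return None
        expected = hmac.new(u["key"], assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        data = json.loads(assertion["client_data"])
        if data["challenge"] != challenge:
            return None
        if data["origin"] != REAL_ORIGIN:
            return None  # signed for another origin: produced on a phishing page
        return self._issue_session(username)

    def is_valid_session(self, cookie) -> bool:
        return cookie in self.sessions


class AitmProxy:
    """Relay in the style of an AiTM kit: forwards whatever the victim submits to the
    real IdP and keeps any session cookie the IdP hands back."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.captured_cookies = []

    def relay_otp(self, username, password, otp):
        cookie = self.idp.login_with_otp(username, password, otp)
        if cookie:
            self.captured_cookies.append(cookie)
        return cookie

    def relay_assertion(self, username, challenge, assertion):
        cookie = self.idp.login_with_assertion(username, challenge, assertion)
        if cookie:
            self.captured_cookies.append(cookie)
        return cookie


def run_demo() -> dict:
    idp = IdentityProvider()
    proxy = AitmProxy(idp)
    challenge = secrets.token_hex(8)

    # 1. Victim types password and one-time code into the phishing page; the proxy relays both.
    otp_cookie = proxy.relay_otp("alice", "hunter2", "483920")

    # 2. Victim uses the authenticator on the phishing page. The browser records
    #    PHISH_ORIGIN because that is the site it is on; the proxy relays the result.
    assertion = authenticator_sign(idp.users["alice"]["key"], challenge, PHISH_ORIGIN)
    fido_cookie = proxy.relay_assertion("alice", challenge, assertion)

    # 3. The same authenticator used directly on the real site still works.
    direct = authenticator_sign(idp.users["alice"]["key"], challenge, REAL_ORIGIN)
    direct_cookie = idp.login_with_assertion("alice", challenge, direct)

    return {
        "otp_relay_captured_session": otp_cookie is not None and idp.is_valid_session(otp_cookie),
        "assertion_relay_captured_session": fido_cookie is not None,
        "direct_assertion_works": direct_cookie is not None and idp.is_valid_session(direct_cookie),
        "cookies_in_attacker_hands": len(proxy.captured_cookies),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the browser would additionally refuse to use the credential at all, because the WebAuthn relying-party ID does not match the phishing domain; the origin check in the IdP shown here is the second line of defence. The one-time-code path has no such binding, which is why a relay like the one described above obtains a usable session.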
Mamba 2FA harvests a range of credentials that can give attackers initial access.
According to the investigations, the kit's infrastructure primarily targets Microsoft Entra ID accounts, third-party single sign-on providers, and consumer Microsoft accounts.
Once the kit has captured the credentials, it forwards them to the attacker via Telegram. Researchers also noted that one of Mamba 2FA's distinguishing traits is that it adapts its phishing pages dynamically to the target.
For enterprise accounts, for example, the phishing page dynamically reflects the organisation's own custom sign-in branding, so the fake page looks like the login page the user sees every day.
Mamba 2FA's capabilities also go beyond those of other commonly used MFA interception tools: the platform supports several MFA methods and adjusts the phishing page in response to the victim's actions during the login flow.
This versatility attracts threat actors who want to compromise accounts protected by MFA, provided the MFA method is not phishing-resistant. Mamba 2FA is currently sold on Telegram for $250 per month, a price within reach of even inexperienced attackers.
Lastly, customers can generate phishing links and HTML attachments on demand, and all customers share the same infrastructure. The kit's alleged developers have been promoting it aggressively since the start of the year, and its continual evolution suggests it will remain a persistent threat that compromises many more victims.