Threat actors have been using the newly emergent Mamba 2FA phishing-as-a-service platform to compromise Microsoft 365 accounts in adversary-in-the-middle intrusions, according to BleepingComputer.
AiTM attacks by Mamba 2FA against Microsoft 365 accounts have been facilitated by proxy relays and the Socket.IO JavaScript library, which enabled one-time passcode and authentication cookie access and communications between Microsoft 365 service phishing pages and relay servers, respectively, a report from Sekoia showed. Attackers then leverage a Telegram bot to enable transmission of stolen credentials and authentication cookies, reported Sekoia researchers, who also discovered improvements in Mamba 2FA since being first reported by Any.Run in June. Such enhancements included Mamba 2FA's utilization of IPRoyal proxy servers, regularly rotated phishing URLs, and benign content on HTML attachments to better conceal malicious activity. The findings should prompt organizations to strengthen their defenses against AiTM intrusions launched by PhaaS operations by implementing certificate-based authentication, geo-blocking, hardware security keys, device allowlisting, IP allowlisting, and reduced token lifespans.