Mallory
Malware

Sneaky2FA

Sneaky2FA is a phishing kit observed by Any.Run researchers being hosted on trusted cloud/CDN infrastructure to evade domain- and reputation-based detections. It has been found hosted on Firebase Cloud Storage (firebasestorage[.]googleapis[.]com) and also on AWS CloudFront (cloudfront[.]net). The kit presents fake Microsoft 365 login pages and is used to harvest corporate (enterprise) account credentials; campaigns may filter out free email accounts to focus on corporate users. The described detection challenge is that the underlying hosting domains are legitimate and widely trusted, with the maliciousness residing in the served content and user interaction flow rather than the cloud infrastructure itself. No specific threat actor attribution is provided in the content. Example related indicators of compromise listed in the content include mphdvh[.]icu, kamitore[.]com, aircosspascual[.]com, and Lustefea[.]my[.]id.
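The detection challenge described above is that the hosting domains are legitimate, so a host-reputation match alone says nothing; the signal has to come from what is served and from pivots on the listed IoC domains. The following Python triage script is an added example, not code from Mallory or Any.Run: it reads constructed proxy-log lines, raises a high-severity finding on any contact with the four IoC domains the page lists, and only then applies content heuristics (HTML login-lookalike paths, form POSTs to login-like paths) to requests that hit the trusted Firebase Storage and CloudFront hosts. The log format, the keyword heuristic and the sample lines are assumptions made for the illustration.

```python
"""Triage constructed proxy-log lines for Sneaky2FA-style hosting on trusted CDNs.

Added example; not code from the page, Mallory or Any.Run. The log format,
the keyword heuristic and the sample lines are assumptions made up for this
illustration. The IoC domains are the four listed on the page (refanged
from their x[.]y form).
"""
import re
from urllib.parse import parse_qs, urlsplit

# IoC domains listed on the page, refanged.
IOC_DOMAINS = {"mphdvh.icu", "kamitore.com", "aircosspascual.com", "lustefea.my.id"}

# Legitimate hosting the page says the kit abuses. A match here is never a
# verdict on its own; it only gates the content heuristics below.
TRUSTED_HOSTS = ("firebasestorage.googleapis.com",)
TRUSTED_SUFFIXES = (".cloudfront.net",)

# Assumed heuristic: path tokens typical of a Microsoft 365 login lookalike.
LOGIN_TOKENS = ("login", "signin", "office", "microsoft", "o365", "sso", "auth")

# Assumed log shape: "<ts> <user> <method> <url> <referer-or-dash> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")


def host_matches_domain(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_trusted_cdn(host):
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing fires."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, _user, method, url, referer, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    query = parse_qs(parts.query)
    ref_host = (urlsplit(referer).hostname or "").lower()

    # 1. Direct contact with a listed IoC domain (request or referer): high.
    for ioc in IOC_DOMAINS:
        if host_matches_domain(host, ioc) or host_matches_domain(ref_host, ioc):
            return ("high", f"contact with listed IoC domain {ioc}")

    # Everything below applies only to the trusted hosts the kit abuses.
    if not is_trusted_cdn(host):
        return None

    is_html = path.endswith((".html", ".htm"))
    # 2. Trusted host serving an HTML object with a login-lookalike path: medium.
    lookalike = is_html and any(t in path for t in LOGIN_TOKENS)
    # Firebase Storage download URLs carry ?alt=media; an HTML document pulled
    # from a storage bucket that way is unusual for end users and worth review.
    bucket_html = (host == "firebasestorage.googleapis.com"
                   and is_html and query.get("alt") == ["media"])
    if lookalike or bucket_html:
        return ("medium", f"HTML login-lookalike served from trusted host {host}")

    # 3. Form POST to a login-like path on a CDN host: medium.
    if method == "POST" and any(t in path for t in LOGIN_TOKENS):
        return ("medium", f"form POST to login-like path on trusted host {host}")
    return None


def triage(lines):
    """Run classify() over many lines; returns a list of (line_no, severity, reason)."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-01-01T09:00:01Z alice GET https://firebasestorage.googleapis.com/v0/b/demo-bucket/o/office365%2Flogin.html?alt=media - 200",
    "2024-01-01T09:00:05Z alice POST https://d1234.cloudfront.net/auth/submit https://firebasestorage.googleapis.com/v0/b/demo-bucket/o/office365%2Flogin.html 302",
    "2024-01-01T09:01:10Z bob GET https://cdn.example-corp.cloudfront.net/static/app.js - 200",
    "2024-01-01T09:02:00Z carol GET https://kamitore.com/ - 200",
    "2024-01-01T09:03:00Z dave GET https://login.microsoftonline.com/common/oauth2/authorize - 200",
]

if __name__ == "__main__":
    for n, sev, why in triage(SAMPLE_LOG):
        print(f"line {n}: {sev.upper()} - {why}")
```

The ordering matters: the IoC check runs before the trusted-host gate so a listed domain is caught wherever it appears, while the content heuristics never fire for ordinary CDN traffic (the `app.js` line) or for the genuine Microsoft login host, which keeps the medium findings reviewable rather than noisy.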


MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 1)

Phishing services, which provide enterprise-grade credential harvesting capabilities, can be rented for as little as $100 per month.

Credential Access

1 technique
T1557 Adversary-in-the-Middle (Evidence: 1)

Adversary-in-the-Middle functionalities bypass traditional multi-factor authentication protection. The most commonly used tool is Tycoon2FA (58%).

Collection

1 technique
T1557 Adversary-in-the-Middle (Evidence: 1)

Adversary-in-the-Middle functionalities bypass traditional multi-factor authentication protection. The most commonly used tool is Tycoon2FA (58%).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.