
Sneaky 2FA

Sneaky 2FA is a phishing-as-a-service (PhaaS) kit used for adversary-in-the-middle (AitM) phishing against Microsoft 365 accounts. Reported capabilities include bypassing multi-factor authentication by proxying the live authentication flow, validating stolen credentials through legitimate Microsoft APIs, presenting browser-in-the-browser fake login windows, redirecting victims to Microsoft-related pages to reduce suspicion, and employing bot and sandbox evasion. Barracuda identified it as an aggressive newer phishing kit active in 2025 and as one of the platforms that benefited from the disruption of Tycoon 2FA, alongside Mamba 2FA, EvilProxy, and Whisper 2FA. The source material specifically associates Sneaky 2FA with campaigns targeting Microsoft 365 accounts; it provides no additional high-confidence indicators of compromise.


MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (Evidence: 3)

Security experts have issued a warning about the continued risk of Tycoon 2FA attacks... Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.

Credential Access

2 techniques
T1539 Steal Web Session Cookie (Evidence: 1)

In the background, however, the attacker captures every step in transit, including the username, password, MFA response, and resulting session cookie. Once that cookie is stolen, it can be replayed to access the account as an authenticated user.

T1557 Adversary-in-the-Middle (Evidence: 2)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

Collection

1 technique
T1557 Adversary-in-the-Middle (Evidence: 2)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.
