Concise Cyber

Sneaky2FA Phishing Tool Upgraded to Embed Legitimate URLs for 2FA Bypass

A phishing-as-a-service (PaaS) tool known as Sneaky2FA has been updated with a new feature that allows attackers to insert legitimate-looking URLs into their phishing links. The cybersecurity firm Resecurity identified this development, which is designed to make malicious pages appear more credible to victims and security tools.

The tool is specifically engineered to defeat two-factor authentication (2FA) by functioning as an adversary-in-the-middle (AiTM) platform, intercepting communications between a user and a legitimate online service.

New URL Insertion Feature Enhances Evasion

The new capability leverages the ‘search’ parameter within a URL. This allows a threat actor to embed a genuine web address as a parameter within the malicious phishing link. For example, the URL might be structured as https://phishingdomain.com/path?search=https://legitimatedomain.com. This technique is intended to bypass security filters that primarily analyze the core domain name of a URL and may not inspect the parameters that follow it.
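An added example (not from Resecurity or the original article) of a defender-side link check for this pattern: the trust verdict comes only from the link's own host, and query parameters that carry an absolute URL on a different host are flagged separately. The allowlist, the function names and every sample link except the article's own example URL are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

TRUSTED = {"legitimatedomain.com"}  # constructed allowlist for this example

def naive_is_trusted(url):
    """Weak filter: passes if a trusted name appears anywhere in the link."""
    return any(domain in url for domain in TRUSTED)

def host_is_trusted(url):
    """Verdict based only on the host the browser will actually contact."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def embedded_hosts(url):
    """Return (param, host) for every query value that is an absolute
    http(s) URL on a different host than the link itself."""
    parts = urlsplit(url)
    outer = (parts.hostname or "").lower()
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for _ in range(2):  # parse_qsl decoded once; undo extra encoding layers
            if "://" in value:
                break
            value = unquote(value)
        inner = urlsplit(value.strip())
        host = (inner.hostname or "").lower()
        if inner.scheme in ("http", "https") and host and host != outer:
            found.append((name, host))
    return found

def triage(url):
    """Flag links whose own host is untrusted but that carry another site's URL."""
    embedded = embedded_hosts(url)
    trusted = host_is_trusted(url)
    return {"naive_pass": naive_is_trusted(url), "host_trusted": trusted,
            "embedded": embedded, "suspicious": bool(embedded) and not trusted}

SAMPLES = [  # first link is the article's example; the rest are constructed
    "https://phishingdomain.com/path?search=https://legitimatedomain.com",
    "https://phishingdomain.com/path?search=https%253A%252F%252Flegitimatedomain.com",
    "https://legitimatedomain.com/search?search=quarterly+report",
    "https://legitimatedomain.com/login?next=https://legitimatedomain.com/home",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, triage(link))
```

The first two samples pass the substring check but fail the host check, which is the gap the article describes; the last two show that ordinary search terms and same-host redirects are not flagged.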

Bypassing 2FA and Targeting Major Services

Sneaky2FA’s core function is to capture credentials and bypass 2FA. It works by intercepting a victim’s username, password, and, critically, the session cookie that is generated after a successful 2FA validation. Once the attacker obtains this session cookie, they can use it to gain unauthorized access to the victim’s account, rendering the 2FA protection ineffective for that session.

The tool is known to target users of major services including Microsoft 365 and Outlook. Sneaky2FA is marketed and sold on Telegram channels through a subscription model, with monthly licenses priced at approximately $200. The tool has been documented in attacks against organizations across the finance, technology, and government sectors.