
Microsoft 365 Users Beware The Mamba

Microsoft 365 users should be aware of a new phishing-as-a-service (PhaaS) platform, rented out by its operator for a monthly fee, that is built to conduct Adversary-in-the-Middle (AiTM) attacks. Called Mamba 2FA (not to be confused with Mamba ransomware), the kit targets Microsoft 365 users with convincing imitations of the Microsoft login pages.

The real danger, however, is not the look-alike page itself but the AiTM relay behind it: the kit proxies the victim's login to Microsoft in real time, captures the session cookie that Microsoft issues once the login completes, and so bypasses the multifactor authentication (MFA) protecting the account. Access to the kit costs 250 USD per month, a price that makes it competitive with similar services and sharply lowers the skill required to carry out attacks that defeat MFA.


An AiTM attack is one in which the attacker positions themselves in a conversation between two parties, be they two users, two devices, or a user and an application or server, so that all communications pass through the attacker. In the phishing variant, the attacker's page sits between the victim and the legitimate login service and forwards each request and response in real time, so the password and MFA code the victim enters are used immediately against the real service and the session cookie it issues is captured by the attacker. This is why the technique has become popular with those wishing to steal not just credentials but MFA-satisfied session tokens and cookies to log into accounts.

Mamba 2FA was first documented by Any.Run, which published its findings in June 2024. The researchers found 72 phishing domains in use in the campaign, some impersonating real organisations and others posing as fictitious ones.

The sites hosted on these domains were convincing enough to get victims to enter their login details, and the campaign was notably hands-on: alongside the kit's automation, the operators used techniques such as direct interaction with targets to deceive them.

Since Any.Run's article was released, the threat actor behind Mamba 2FA has updated several features of the kit's phishing and relay components, most likely in direct response to that publication. Sekoia has analysed these changes and released its findings in a recent blog post.

The phishing component now has the following abilities and features:

  • It handles the second authentication step for non-phishing-resistant MFA methods such as one-time codes and app notifications;
  • It supports Entra ID, AD FS, third-party SSO providers, and consumer Microsoft accounts;
  • For enterprise accounts, it dynamically reflects the organization's custom login page branding (logo, background image);
  • The stolen credentials and cookies are instantly sent to the attacker via a Telegram bot;
  • The kit attempts to block visits to the page by security scanning services.

To relay the login in real time, the phishing page uses the Socket.IO JavaScript library to keep a persistent channel open to the relay servers at the platform's backend; everything the victim types into the page (username, password, one-time code or approval of an app notification) is forwarded over that channel as it is entered.

The relay servers replay the submitted credentials and MFA response against Microsoft's servers while the victim is still on the page, so Microsoft issues a valid, MFA-satisfied session cookie to the attacker's side rather than to the victim. The credentials and the authentication cookies are then forwarded to the kit's customer through a Telegram bot, allowing them to import the cookie into a browser and open a session on the account immediately, before the victim notices anything is wrong.

Operational Improvements

To keep phishing and AiTM operations running smoothly, the threat actor has made several operational changes compared with the kit Any.Run analysed in June 2024. One is the deliberate use of short-lived link domains that are rotated on a schedule.

Researchers stated,

The link domains, being used in the URLs of the phishing pages, are easily visible to the victims and usually get reported and blocked by security solutions after a few days of use. For this reason, the operator of Mamba 2FA maintains around a dozen link domains at any time and replaces them about every week…On the other hand, the domain names used for the relay servers are less exposed, and it is common for them to last several weeks.

Another change made to keep operations uninterrupted, and to keep the relay infrastructure out of defenders' logs, is the use of proxy servers. On this point the researchers further stated:

Until late September 2024, the relay servers were connecting directly to the Entra ID servers when performing authentications with victim’s credentials. As a result, the IP addresses of the relay servers were exposed in the authentication logs of the targeted tenants. However, starting October 2024, the developers of Mamba 2FA implemented an additional indirection layer, utilizing proxy servers sourced from a commercial provider (IPRoyal). In consequence, the IP addresses appearing in authentication logs since October 2024 are those of the datacenter proxies, not the relay servers. (These proxy servers are not pictured on the architecture schema above).
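The quoted change matters for defenders because the IP address in the sign-in log is now a commercial datacenter proxy rather than the relay server itself, but the shape of the event is unchanged: a successful MFA login from a hosting network the user has never used, followed within minutes by the same session being used from somewhere else once the cookie has been delivered over Telegram. The following Python is an added example written for this page, not code from Sekoia, Any.Run or the kit. The sign-in records, the IP-to-network table and the field names are constructed for the demonstration (the fields are loosely modelled on Entra ID sign-in log fields but should be treated as assumptions), and a real deployment would take the hosting/datacenter flag from an IP-intelligence feed rather than a hard-coded table.

```python
"""Added example (not from the Mamba 2FA kit or from Sekoia's analysis): two heuristics
for spotting an AiTM login in identity sign-in logs. Records, IP-to-network lookups and
field names are constructed for the demonstration; treat every identifier as an assumption."""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in log, one JSON record per line. Documentation IP ranges throughout.
SAMPLE_LOG = """
{"createdDateTime":"2024-10-14T08:02:11Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","sessionId":"s-1","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","mfaMethod":"mobileAppNotification","status":"success"}
{"createdDateTime":"2024-10-14T08:02:40Z","userPrincipalName":"alice@example.test","ipAddress":"203.0.113.10","sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","mfaMethod":"none","status":"success"}
{"createdDateTime":"2024-10-15T09:12:03Z","userPrincipalName":"alice@example.test","ipAddress":"198.51.100.77","sessionId":"s-2","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","mfaMethod":"mobileAppNotification","status":"success"}
{"createdDateTime":"2024-10-15T09:15:48Z","userPrincipalName":"alice@example.test","ipAddress":"192.0.2.55","sessionId":"s-2","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication","mfaMethod":"none","status":"success"}
{"createdDateTime":"2024-10-15T09:30:00Z","userPrincipalName":"bob@example.test","ipAddress":"203.0.113.11","sessionId":"s-3","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication","mfaMethod":"fido2","status":"success"}
"""

# Constructed enrichment table: ip -> (network name, is_hosting). In practice this comes
# from an IP-intelligence feed that knows which ranges belong to datacenters/proxies.
NETWORKS = {
    "203.0.113.10": ("home-isp-example", False),          # residential, Alice's usual network
    "203.0.113.11": ("home-isp-example", False),
    "198.51.100.77": ("datacenter-proxy-example", True),  # hosting range: stands in for the relay/proxy
    "192.0.2.55": ("other-hosting-example", True),        # hosting range: attacker's own browser
}

# MFA methods an AiTM relay cannot forward (the credential is bound to the genuine origin).
PHISHING_RESISTANT = {"fido2", "certificateBasedAuthentication", "windowsHelloForBusiness"}


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    session_id: str
    interactive: bool      # True for the victim-facing login, False for later token use
    mfa_satisfied: bool
    mfa_method: str


def network_of(ip: str) -> tuple[str, bool]:
    return NETWORKS.get(ip, ("unknown", False))


def parse_log(text: str) -> list[SignIn]:
    """Turn the JSON-lines log into SignIn records."""
    records = []
    for line in text.strip().splitlines():
        d = json.loads(line)
        records.append(SignIn(
            time=datetime.strptime(d["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            user=d["userPrincipalName"],
            ip=d["ipAddress"],
            session_id=d["sessionId"],
            interactive=d["isInteractive"],
            mfa_satisfied=(d["authenticationRequirement"] == "multiFactorAuthentication"
                           and d["status"] == "success"),
            mfa_method=d["mfaMethod"],
        ))
    return records


def detect_aitm(records: list[SignIn], window: timedelta = timedelta(hours=24)) -> list[tuple]:
    """Return (rule, user, session_id, ip) findings for the two AiTM signatures."""
    findings = []
    seen_networks = defaultdict(set)   # user -> networks seen earlier in the log
    session_origin = {}                # session_id -> (time, network) of the interactive login
    for r in sorted(records, key=lambda x: x.time):
        net, hosting = network_of(r.ip)
        if r.interactive:
            # Rule 1: MFA satisfied by a relayable method, from a hosting network the user has
            # never used before. The relay/proxy is performing the login, not the user.
            if (r.mfa_satisfied and r.mfa_method not in PHISHING_RESISTANT
                    and hosting and net not in seen_networks[r.user]):
                findings.append(("mfa-from-new-hosting-network", r.user, r.session_id, r.ip))
            session_origin.setdefault(r.session_id, (r.time, net))
        else:
            # Rule 2: the session created by that login is reused from a different network
            # shortly afterwards. The stolen cookie has been imported into another browser.
            origin = session_origin.get(r.session_id)
            if origin and origin[1] != net and r.time - origin[0] <= window:
                findings.append(("session-network-hop", r.user, r.session_id, r.ip))
        seen_networks[r.user].add(net)
    return findings


if __name__ == "__main__":
    for finding in detect_aitm(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script flags Alice's session s-2 twice (the MFA login from the proxy range, then the cookie reuse from a second hosting range three minutes later) and says nothing about Bob, whose FIDO2 sign-in from a residential network matches neither rule. Rule 1 is what the proxy change is designed to weaken: it still fires as long as the enrichment source classifies the commercial proxy ranges as hosting, which is why the hosting flag, not a list of specific relay IPs, is the right thing to key on.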

Additionally, Mamba 2FA now includes sandbox detection to frustrate security analysis: if the page decides it is being loaded by a sandbox or scanner rather than a real victim, it redirects the visitor to Google's 404 error page, so automated crawlers never see the credential form. Taken together, these features let threat actors with little skill of their own conduct phishing attacks that defeat the MFA methods most organisations rely on as a cornerstone of identity protection.

To protect against phishing campaigns that use AiTM methods, start with phishing-resistant authentication: FIDO2 hardware security keys (or passkeys) and certificate-based authentication bind the credential to the genuine origin, so a login relayed through a look-alike domain fails instead of producing a cookie the attacker can use. Geo-blocking, IP allowlisting, device allowlisting, and shorter token lifetimes do not stop the relay but narrow the window in which a stolen session cookie is usable.

Further, Conditional Access policies can evaluate every sign-in against identity-driven signals such as user or group membership, IP location, device state and sign-in risk, and block or step up suspicious sign-ins. This matters against AiTM because a replayed session cookie is still subject to those policies when it is used to obtain tokens: a policy that requires a compliant or managed device is not satisfied by the attacker's browser, even though the cookie itself is valid.

Organisations can therefore blunt attacks that rely on stolen credentials and cookies by requiring compliant devices, trusted IP addresses, or risk-based controls, and by keeping access scoped to what each identity actually needs.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
