
Sneaking a Peek into the Inner DNS Workings of Sneaky 2FA

Sneaky 2FA, believed to be sold via the phishing-as-a-service (PhaaS) business model, recently figured in an adversary-in-the-middle (AitM) attack targeting Microsoft 365 users. Marketed as Sneaky Log by a full-featured bot on Telegram, Sneaky 2FA reportedly used fake Microsoft authentication pages with automatically filled-in email address fields to add to its sense of authenticity.

Sekoia published their in-depth investigation on Sneaky 2FA in “Sneaky 2FA: Exposing a New AitM Phishing-as-a-Service” and identified at least 61 indicators of compromise (IoCs) comprising 57 domains, two IP addresses, and two subdomains.

The WhoisXML API research team expanded the current list of IoCs in a bid to find more connected artifacts and uncovered:

  • 342 email-connected domains based on historical WHOIS records, 14 of which have already been weaponized for various campaigns
  • 49 additional IP addresses, 36 of which turned out to be malicious
  • 235 IP-connected domains, two of which have already been tagged as malicious
  • 216 string-connected domains, one of which has already figured in a malicious campaign
  • 50 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the Sneaky 2FA IoCs

To gather more information about the IoCs, we first queried the 57 domains identified as IoCs on Bulk WHOIS API. We found that only 54 of them had current WHOIS records. Their records revealed the following:

  • A majority of the domains, 46 to be exact, were created in 2024. One domain each was created in 2007, 2010, 2015, 2016, 2019, 2020, 2022, and 2023.
  • They were administered by 13 different registrars led by NameSilo, which accounted for 20 domains. Namecheap came in second place with 10 domains. In third place was Hostinger Operations with six domains. GoDaddy and PDR tied in fourth place with five domains each. Finally, DomainSite, Dreamscape Networks, Hosting Concepts, Name SRS, R01-SU, Register.com, Sav.com, and WEBCC accounted for one domain each.
  • Only 18 of them had registrant countries listed in their current WHOIS records. The U.S. was the top registrant country, accounting for 11 domains. Iceland and India tied in second place with three domains each. Germany accounted for one domain.

We also queried the 57 domains tagged as IoCs on DNS Chronicle API and found that only 53 had recorded historical IP resolutions. Altogether, they recorded 1,184 IP resolutions over time. The IoC usfightingsystems[.]com recorded the oldest IP resolution on 4 October 2019. Take a look at the DNS histories of five other examples below.

DOMAIN IoC                  NUMBER OF IP RESOLUTIONS   FIRST IP RESOLUTION DATE
advanceplastics-ke[.]com    13                         11 January 2025
drop-project[.]top          4                          3 December 2024
intertrustsgroup[.]com      43                         11 October 2019
organichoicehome[.]com      4                          7 December 2024
storageorder[.]sbs          14                         18 December 2024

We then looked more closely at the two IP addresses identified as IoCs by querying them on Bulk IP Geolocation Lookup, which revealed that:

  • Each was geolocated in a different country—one in Germany and the other in the Netherlands.
  • They were also administered by two different ISPs—one by Shinjiru Technology and the other by Aéza.

As with the domains tagged as IoCs, we queried the two IP addresses on DNS Chronicle API. We found that only one recorded domain resolutions. In particular, 101[.]99[.]92[.]124 posted 14 domain resolutions over time starting on 6 February 2024.

Sneaky 2FA IoC List Expansion Findings

To find other web properties possibly connected to Sneaky 2FA, we began by querying the 57 domains tagged as IoCs on WHOIS History API. We discovered that 33 of them had email addresses in their historical WHOIS records, 60 in all after duplicates were filtered out. Further scrutiny revealed that 12 of the email addresses were public, that is, not redacted and not belonging to a privacy-protection service.

We queried the 12 public email addresses on Reverse WHOIS API in a bid to uncover email-connected domains. Our search, however, revealed that none of them appeared in the current WHOIS records of other domains.

So, we dug deeper. We queried the 12 public email addresses on Reverse WHOIS Search using the Historic parameter and discovered that 11 had connections. In particular, the addresses appeared in the historical WHOIS records of 342 email-connected domains after duplicates and those already tagged as IoCs were filtered out.

Threat Intelligence API queries for the 342 email-connected domains revealed that 14 have already been weaponized for various campaigns. Take a look at five examples below.

MALICIOUS EMAIL-CONNECTED DOMAIN   ASSOCIATED THREATS
4baeuty4you[.]com                  Generic threat, Phishing
brenntags-asia[.]com               Generic threat, Phishing
nautadutlih[.]com                  Generic threat, Phishing
rawbles[.]com                      Generic threat, Phishing
sulyaks[.]net                      Generic threat, Phishing

As the next step, we queried the 57 domains identified as IoCs on DNS Lookup API and found that 38 resolved to 49 additional IP addresses after duplicates and those already tagged as IoCs were filtered out.

Threat Intelligence API queries for the 49 additional IP addresses showed that 36 have already been weaponized for various campaigns.
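The expansion procedure described in the preceding steps (public-email extraction from historical WHOIS, the historic reverse-WHOIS pivot, resolution of IoC domains to additional IPs, the IP-to-domain pivot, and threat-intelligence triage), modelled offline as an added example. This is not WhoisXML API's own code and calls none of its endpoints; every WHOIS record, DNS answer, threat verdict, domain and IP address in the block is a constructed, hypothetical stand-in (example.* names and RFC 5737 addresses), so the pivot logic can be run and inspected without network access.

```python
"""Offline model of the IoC-expansion pivots described above.

Added example, not WhoisXML API's own code: it calls none of the WHOIS
History, Reverse WHOIS, DNS Lookup or Threat Intelligence API endpoints.
Every record below is a constructed stand-in (example.* names, RFC 5737
addresses) so the pivot logic runs and can be inspected offline.
"""
import re

# Hypothetical known IoCs, defanged the way threat reports print them.
IOC_DOMAINS = {"ioc-one[.]example", "ioc-two[.]example"}
IOC_IPS = {"192[.]0[.]2[.]10"}

# Constructed historical WHOIS: domain -> registrant emails seen over time.
HIST_WHOIS = {
    "ioc-one.example": ["abuse@privacy-guard.example", "owner1@mail.example"],
    "ioc-two.example": ["owner1@mail.example", "REDACTED FOR PRIVACY"],
}
# Constructed reverse index over historical WHOIS: email -> every domain that carried it.
REVERSE_WHOIS_HISTORIC = {
    "owner1@mail.example": {"ioc-one.example", "ioc-two.example",
                            "connected-a.example", "connected-b.example"},
}
# Constructed current A records and a reverse (IP -> hosted domains) index.
DNS_A = {
    "ioc-one.example": {"192.0.2.10", "203.0.113.7"},
    "ioc-two.example": {"203.0.113.7", "198.51.100.9"},
}
REVERSE_DNS = {
    "192.0.2.10": {"ioc-one.example", "cohosted-y.example"},
    "203.0.113.7": {"ioc-one.example", "ioc-two.example", "cohosted-x.example"},
    "198.51.100.9": {"ioc-two.example"},
}
# Constructed threat-intelligence verdicts for a handful of artifacts.
TI_VERDICTS = {"connected-a.example": "phishing", "203.0.113.7": "malware"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Privacy-proxy addresses are shared by thousands of unrelated domains, so a
# pivot on them is pure noise; only "public" registrant emails are kept.
PRIVACY_RE = re.compile(r"privacy|proxy|redacted|whoisguard|protect", re.I)


def refang(ioc):
    return ioc.replace("[.]", ".")


def defang(ioc):
    return ioc.replace(".", "[.]")


def public_emails(hist_whois):
    """Step 1: distinct registrant emails from historical WHOIS, minus
    redacted values and privacy-protection services."""
    out = set()
    for emails in hist_whois.values():
        for e in emails:
            if EMAIL_RE.match(e) and not PRIVACY_RE.search(e):
                out.add(e.lower())
    return out


def email_connected(emails, reverse_index, known):
    """Step 2: historic reverse-WHOIS pivot; drop domains already tagged as IoCs."""
    found = set()
    for e in emails:
        found |= reverse_index.get(e, set())
    return found - known


def ip_connected(dns_a, reverse_dns, known_domains, known_ips):
    """Steps 3-4: resolve IoC domains, discard IPs already tagged as IoCs,
    then pivot each remaining IP to the other domains hosted on it."""
    new_ips = set().union(*dns_a.values()) - known_ips
    found = set()
    for ip in new_ips:
        found |= reverse_dns.get(ip, set())
    return new_ips, found - known_domains


def triage(artifacts, verdicts):
    """Split expanded artifacts into those with an existing TI verdict and the rest."""
    flagged = {a: verdicts[a] for a in artifacts if a in verdicts}
    return flagged, artifacts - set(flagged)


def expand():
    """Run the whole pipeline over the constructed data and return each bucket."""
    known_d = {refang(d) for d in IOC_DOMAINS}
    known_i = {refang(i) for i in IOC_IPS}
    emails = public_emails(HIST_WHOIS)
    e_dom = email_connected(emails, REVERSE_WHOIS_HISTORIC, known_d)
    new_ips, ip_dom = ip_connected(DNS_A, REVERSE_DNS, known_d, known_i)
    return {
        "public_emails": emails,
        "email_connected": e_dom,
        "email_connected_flagged": triage(e_dom, TI_VERDICTS)[0],
        "additional_ips": new_ips,
        "additional_ips_flagged": triage(new_ips, TI_VERDICTS)[0],
        "ip_connected": ip_dom,
    }


if __name__ == "__main__":
    for key, val in expand().items():
        # Print defanged so the output is safe to paste into a report.
        print(f"{key}: {sorted(defang(v) for v in val)}")
```

Running the block prints each bucket defanged. Two details mirror the post's method: cohosted-y.example never surfaces because it sits only behind an IP that was already an IoC, and the pivot runs through the additional IPs only; and the privacy-proxy filter is what keeps the email pivot meaningful. The post's 12 public addresses appeared in no current WHOIS record at all, which is why the historic search was needed, and shared hosting means most IP-connected domains are unrelated (only two of 235 carried a verdict), which is the reason for the closing disclaimer about corroborating before acting.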

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
