Research from Sekoia has unveiled a phishing-as-a-service (PhaaS) kit sold by “Sneaky Log”, a cybercrime service operating via a bot on Telegram. These phishing pages have been in circulation since October 2024 at least, and they have targeted Microsoft 365 accounts.

Below, security experts discuss the techniques observed in this kit and provide advice for defending against similar threats. 

Security leaders weigh in 

Elad Luz, Head of Research at Oasis Security:

This phishing technique is particularly deceptive for several reasons:

• The links in the phishing emails are crafted to pass the victim’s email address to the login page, enabling it to ‘autofill’ the email field. This mimics the behavior of legitimate websites, where autofill is typically associated with accounts users have previously logged into.
• Threat actors blurred out screenshots of Microsoft webpages to create a convincing login background, making it appear as though users will access legitimate content after successfully logging in.
• They also implemented common methods on the web page to distinguish between humans and bots. If the visitor is detected as a bot, the page either displays harmless content or redirects to a legitimate website like Wikipedia. This tactic helps evade automated detection by security systems.

This phishing kit was developed by one group of threat actors and sold to others, highlighting the collaborative nature of many cyberattacks. These malicious tools are often the result of layered efforts by different actors, working together and trading resources. The fact that such kits are readily available for purchase is highly concerning.

As always, users are advised to exercise extreme caution with emails and to verify the legitimacy of websites before entering their credentials. Security teams should adopt advanced threat detection solutions that monitor sign-in logs and deploy effective tools to fingerprint attackers and detect anomalies.

Stephen Kowski, Field CTO at SlashNext Email Security+:

This kit’s “sneaky” aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages. The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments. Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security: 

The “Sneaky 2FA” phishing kit is aptly named for its ability to outmaneuver traditional security defenses through Adversary-in-The-Middle (AitM) attacks. By intercepting both credentials and two-factor authentication (2FA) codes in real time, it allows attackers to bypass one of the most relied-upon layers of account protection. Its sophistication lies in its anti-analysis features – such as traffic filtering and checks to avoid detection – and convincing pre-populated login forms, which enhance its success rate. Additionally, hosting the phishing pages on compromised infrastructure adds another layer of deception.

Organizations can mitigate this risk by implementing Privileged Access Management (PAM) to restrict access and contain potential damage from compromised accounts. Pairing this with robust password management ensures that credentials are strong, unique and securely stored, reducing exposure to phishing campaigns. Additionally a password manager will prevent users from entering credentials into spoofed websites because the tool will only auto-fill credentials on the authentic webpage. Enforcing layered security measures, such as advanced threat detection and employee training, further minimizes organizational risk.