Threat actors have been using the emerging Mamba 2FA phishing-as-a-service platform to compromise Microsoft 365 accounts through adversary-in-the-middle attacks
Threat actors are now using the Mamba 2FA phishing-as-a-service (PhaaS) platform to compromise Microsoft 365 accounts in adversary-in-the-middle (AiTM) attacks, BleepingComputer reports. According to a report from Sekoia, Mamba 2FA's AiTM attacks against Microsoft 365 accounts rely on two components: proxy relays, which give the operators access to victims' one-time passcodes and authentication cookies, and the Socket.IO JavaScript library, which handles communication between the Microsoft 365 phishing pages and the relay servers. Stolen credentials and authentication cookies are then forwarded to the attackers through a Telegram bot, Sekoia researchers found. They also noted improvements in Mamba 2FA since Any.Run first reported on it in June: the platform now uses IPRoyal proxy servers, rotates its phishing URLs regularly, and pads HTML attachments with benign content to better conceal the malicious activity.

The findings should prompt organizations to bolster their defenses against AiTM intrusions launched by PhaaS operations by implementing certificate-based authentication, geo-blocking, hardware security keys, device allowlisting, IP allowlisting, and reduced token lifespans.
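Two of the recommended mitigations, IP allowlisting and reduced token lifespans, can also be turned into a retrospective check over sign-in telemetry. The following is an added example, not code from Sekoia, BleepingComputer or the Mamba 2FA research: it walks a handful of constructed Microsoft 365-style sign-in records and flags sessions whose authentication cookie is used from an IP outside the assumed corporate allowlist, from a different IP than the interactive login, or after the assumed token lifetime has expired. The record field names, the allowlisted prefix and the lifetime policy are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on cloud sign-in logs (field names are assumptions).
# "session" is the identifier bound to the auth cookie; "interactive" marks a credential/MFA login
# as opposed to a silent, cookie-based token use.
SAMPLE_EVENTS = [
    {"session": "S1", "ip": "203.0.113.10", "ts": "2024-06-01T09:00:00", "interactive": True},
    {"session": "S1", "ip": "203.0.113.10", "ts": "2024-06-01T09:20:00", "interactive": False},
    # Same cookie reused minutes later from an address the organisation does not own.
    {"session": "S1", "ip": "198.51.100.77", "ts": "2024-06-01T09:25:00", "interactive": False},
    {"session": "S2", "ip": "203.0.113.11", "ts": "2024-06-01T08:00:00", "interactive": True},
    # Cookie still in use 12 hours after issuance, past the reduced-lifetime policy.
    {"session": "S2", "ip": "203.0.113.11", "ts": "2024-06-01T20:00:00", "interactive": False},
]

ALLOWED_PREFIXES = ("203.0.113.",)      # assumed corporate egress range (TEST-NET-3, constructed)
MAX_TOKEN_LIFE = timedelta(hours=8)    # assumed reduced token lifespan policy


def in_allowlist(ip: str) -> bool:
    """IP allowlist check; a real deployment would use ipaddress networks, not string prefixes."""
    return ip.startswith(ALLOWED_PREFIXES)


def find_suspicious_sessions(events, max_life=MAX_TOKEN_LIFE):
    """Return {session_id: [reasons]} for sessions showing cookie misuse or over-age token use."""
    by_session = {}
    for ev in sorted(events, key=lambda e: e["ts"]):          # ISO-8601 strings sort chronologically
        by_session.setdefault(ev["session"], []).append(ev)

    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        login = next((e for e in evs if e["interactive"]), None)
        if login is None:
            reasons.append("cookie used with no interactive login on record")
        for ev in evs:
            if not in_allowlist(ev["ip"]):
                reasons.append(f"activity from non-allowlisted IP {ev['ip']}")
            if login and not ev["interactive"]:
                if ev["ip"] != login["ip"]:
                    reasons.append(f"cookie replayed from {ev['ip']} after login from {login['ip']}")
                age = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(login["ts"])
                if age > max_life:
                    reasons.append(f"token used at {ev['ts']} beyond lifetime policy")
        if reasons:
            findings[sid] = reasons
    return findings
```

Running `find_suspicious_sessions(SAMPLE_EVENTS)` flags S1 for the cookie replay from the foreign IP and S2 for the over-age token; the same logic applies to exported sign-in logs once the field names are mapped.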