Mamba 2FA 网络钓鱼平台针对 AiTM 入侵中的 Microsoft 365 帐户

威胁参与者一直在使用新出现的 Mamba 2FA 网络钓鱼即服务平台来通过中间对手入侵来破坏 Microsoft 365 帐户

Threat actors are now using the Mamba 2FA phishing-as-a-service platform to compromise Microsoft 365 accounts in adversary-in-the-middle (AiTM) attacks, BleepingComputer reports. Mamba 2FA's AiTM attacks against Microsoft 365 accounts are enabled by proxy relays and the Socket.IO JavaScript library, which allows for one-time passcode and authentication cookie access and communications between Microsoft 365 service phishing pages and relay servers, respectively, according to a report from Sekoia. The attackers then use a Telegram bot to enable transmission of stolen credentials and authentication cookies, Sekoia researchers found. They also noted improvements in Mamba 2FA since it was first reported by Any.Run in June. These enhancements include Mamba 2FA's use of IPRoyal proxy servers, regularly rotated phishing URLs, and benign content on HTML attachments to better conceal malicious activity. The findings should prompt organizations to bolster their defenses against AiTM intrusions launched by PhaaS operations by implementing certificate-based authentication, geo-blocking, hardware security keys, device allowlisting, IP allowlisting, and reduced token lifespans.

据 BleepingComputer 报道，威胁行为者现在正在使用 Mamba 2FA 网络钓鱼即服务平台在中间对手 (AiTM) 攻击中危害 Microsoft 365 帐户。一份报告称，Mamba 2FA 针对 Microsoft 365 帐户的 AiTM 攻击是通过代理中继和 Socket.IO JavaScript 库启用的，该库分别允许一次性密码和身份验证 cookie 访问以及 Microsoft 365 服务网络钓鱼页面和中继服务器之间的通信来自塞科亚。 Sekoia 研究人员发现，攻击者随后使用 Telegram 机器人来传输被盗凭证和身份验证 cookie。他们还注意到自 6 月份 Any.Run 首次报道以来 Mamba 2FA 的改进。这些增强功能包括 Mamba 2FA 使用 IPRoyal 代理服务器、定期轮换的网络钓鱼 URL 以及 HTML 附件上的良性内容，以更好地隐藏恶意活动。研究结果应促使组织通过实施基于证书的身份验证、地理封锁、硬件安全密钥、设备白名单、IP 白名单和缩短令牌寿命来加强防御 PhaaS 运营发起的 AiTM 入侵。