What's Happening In Security #19
Mamba 2FA: Phishing as a Service

Mamba 2FA: A Phishing-as-a-Service Platform
In a world where SaaS products are everywhere, it’s no surprise that scammers want in on the lucrative subscription revenue model too. Mamba 2FA is a Phishing-as-a-Service (PaaS) platform that has been in service since at least May of this year, when the cybersecurity company Sekoia began tracking it.

(Image: an instance of one of the 4 phishing site templates)
What is it. The phishing kit’s primary target is users with Microsoft 365 accounts. The kit not only lets its users send very convincing phishing emails, it also helps them bypass certain MFA methods.
This is a form of Adversary-in-the-Middle (AitM) attack. A classic Man-in-the-Middle attack involves an attacker positioning themselves between two machines to eavesdrop on or alter messages; the AitM variant specifically manipulates authentication protocols.
The platform’s architecture involves a relay server that communicates with the phishing website. After a victim inputs their credentials, they are sent to the malicious website, which forwards them to the relay server. That server can then simply enter the credentials into Microsoft’s real login page.
While MFA is generally a powerful tool for stopping phishing attacks, not all MFA is built the same, and this can be an issue against more advanced threats. In an AitM attack like this one, you may receive an SMS OTP and enter it on the phishing page, which the attackers then relay to Microsoft, effectively bypassing the MFA.
An Aside on MFA. Not all MFA is built the same.
The goal of MFA is to prevent attackers from logging into your account with stolen credentials. Unfortunately, some implementations of MFA, namely SMS OTPs and app push notifications, can be defeated.
OTPs: It’s possible to get your phone number moved to a different SIM card by contacting your telecom provider. Unfortunately, the questions used to authenticate you are sometimes weak, and attackers can often get the answers from data brokers. After performing this “SIM swap”, the attacker receives your SMS OTPs.
App Notifications: MFA fatigue attacks, also known as push-bombing, involve bombarding a user with notifications by attempting to log in repeatedly until the victim approves one just to make the notifications stop.
Phishing has been around for a long time. What’s the big deal about PaaS?
In a word, the problem is “accessibility”. Building and maintaining the infrastructure for these scams is no mean feat, but now anyone can find these services for sale on Telegram for just $250 per month. Two hundred and fifty dollars is all you need to access this cutting-edge tooling. Services like this likely mean advanced phishing campaigns will become far more common.
Following Pavel Durov’s (Telegram’s CEO) recent arrest in France, he pledged to cooperate more with law enforcement in moderating illicit activity. It’ll be interesting to see whether he follows through.
Nerdy Details
The HTML attachment doesn’t have much static content.
The file uses window.location.href to redirect the user to the phishing website.
By base64-encoding the URL, it makes it harder for security scanners to recognize the malicious URL.
<script> window.location.href = atob("aHR0cHM6Ly...") + "#" + "[EMail]"; </script>
On loading, the fairly barebones HTML page pulls in the Socket.IO library and 1 of the 4 screen templates (one is shown above).
Using Socket.IO, the page communicates with the relay server, which sends the credentials on to Microsoft Entra servers.
Since being discovered by Sekoia, Mamba 2FA’s devs have gotten even sneakier:
If the website detects that a bot (possibly a security scanner) is visiting, it won’t load the page and instead returns a 404 status.
To make blocking the website’s IP addresses harder, they now use proxy servers between the relay and Microsoft’s servers.
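The atob() redirect trick described above is cheap to undo on the defender's side: a scanner can pull the base64 literal out of the attachment, decode it, and check whether it is a URL. The following is an added example of such a check, not code from the post or from Sekoia's analysis; the sample attachment is constructed here, and the hostname in it is a placeholder.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# atob("...") / atob('...') with a literal base64 argument, as in the attachment.
ATOB_LITERAL = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# Any assignment to a location sink (window.location.href, location, document.location).
REDIRECT_SINK = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=")

def decode_b64(literal: str) -> Optional[str]:
    """Decode a base64 literal, tolerating stripped padding; None if it is not base64 text."""
    padded = literal + "=" * (-len(literal) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def extract_redirect_targets(html: str) -> List[str]:
    """Return decoded http(s) URLs handed to atob() in a page that also writes to location."""
    if not REDIRECT_SINK.search(html):
        return []
    targets = []
    for match in ATOB_LITERAL.finditer(html):
        decoded = decode_b64(match.group(1))
        if decoded is None:
            continue  # not base64, or binary rather than text
        parsed = urlparse(decoded)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            targets.append(decoded)
    return targets

def is_suspicious_attachment(html: str) -> bool:
    """True when the attachment appears to exist only to perform an obscured redirect."""
    return len(extract_redirect_targets(html)) > 0

# Constructed sample mirroring the attachment's shape; the hostname is a placeholder.
SAMPLE_URL = "https://login.example.invalid/"
SAMPLE_HTML = (
    '<script> window.location.href = atob("%s") + "#" + "[EMail]"; </script>'
    % base64.b64encode(SAMPLE_URL.encode()).decode()
)
# Constructed benign page: sets location, but atob() only decodes a plain string.
BENIGN_HTML = '<script>location.href = "/home"; var t = atob("aGVsbG8=");</script>'

if __name__ == "__main__":
    print(extract_redirect_targets(SAMPLE_HTML), is_suspicious_attachment(BENIGN_HTML))
```

The decoded URL is what you would feed to reputation lookups or a block list; the "#" fragment appended after it carries the victim's email, so the page can pre-fill the login form.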
Thanks for taking the time to read this week’s deep dive into security. If it’s something you want to talk more about, feel free to reach out! If you know someone else who might like it, give it a share!
See you in the next one.