
Sneaky2FA ecosystem shift changes threat-actor operations

Threat Actor Meta
Happening score: 41
1 unique source, 1 article

Summary


Sneaky2FA has added browser-in-the-browser (BitB) lures to its phishing service, increasing its ability to steal Microsoft credentials and active sessions. The new fake Microsoft pop-up makes the existing attacker-in-the-middle (AitM) theft flow more convincing for Microsoft 365 users. The upgrade is paired with conditional loading and obfuscation, which can make the service harder to detect and block.

Related Happenings

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Timeline

  1. 19.11.2025 23:59 2 articles · 6mo ago

    Sneaky2FA adds BitB Microsoft login lures

    Initial Disclosure

    Sneaky2FA added browser-in-the-browser (BitB) pop-ups that mimic a legitimate Microsoft login window and are used with its existing attacker-in-the-middle (AitM) flow to steal Microsoft credentials and active session tokens from Microsoft 365 accounts. The phishing pages also use conditional loading and heavily obfuscated HTML/JavaScript to reduce detection, while victims are steered through previewdoc[.]com and a Cloudflare Turnstile check before the fake Microsoft sign-in appears.
