Sneaky2FA Microsoft 365 BitB phishing campaign

Campaign · H score 35 · 1 unique source, 1 article

Summary

The Sneaky2FA phishing operation has added browser-in-the-browser (BitB) lures on top of its existing attacker-in-the-middle (AitM) flow, making credential and session theft more convincing against Microsoft 365 accounts. The kit uses fake Microsoft sign-in windows to steal credentials and active session tokens, which can bypass 2FA protections. It also relies on previewdoc[.]com, Cloudflare Turnstile checks, and conditional loading to increase success and reduce detection.

Related Happenings

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

OAuth device-code phishing campaign targeting SaaS accounts

Campaign
First: 04.04.2026 17:17 Last: 04.04.2026 17:17 Sources 1

About this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Bubble-based Microsoft account phishing campaign

Campaign
First: 25.03.2026 21:48 Last: 25.03.2026 21:48 Sources 1

About this happening: Threat actors are running an active **phishing campaign** that abuses **Bubble**-hosted web apps to evade detection while targeting **Microsoft accounts**. The setup matters becau...

Timeline

  1. 19.11.2025 23:59 · 2 articles

    Sneaky2FA adds BitB Microsoft login lure

    Initial Disclosure

    Sneaky2FA’s phishing-as-a-service kit now uses a browser-in-the-browser pop-up that mimics a legitimate Microsoft login window, adaptively styled for the victim’s OS and browser, to steal Microsoft credentials and active session tokens through its existing attacker-in-the-middle reverse-proxy flow against Microsoft 365 accounts. The phishing chain uses previewdoc[.]com, a Cloudflare Turnstile bot check, conditional loading, and heavily obfuscated HTML and JavaScript to reduce detection.