
Barracuda Exposes Stealthy Microsoft 365 Phishing Kit

Summary

– Barracuda researchers have identified Whisper 2FA, a rapidly evolving phishing-as-a-service kit that steals Microsoft 365 credentials and authentication tokens.
– Whisper 2FA has become the third most common PhaaS, with nearly a million attacks observed in recent campaigns targeting multiple organizations.
– The kit uses advanced features like continuous credential theft loops to capture valid MFA tokens and multiple layers of obfuscation to evade detection and analysis.
– Recent variants have enhanced anti-analysis protections, including blocking debugging tools and enabling real-time token validation through attacker command systems.
– Barracuda recommends organizations adopt layered security strategies including user training, phishing-resistant MFA, and continuous monitoring to counter this threat.

A sophisticated new phishing-as-a-service platform known as Whisper 2FA is actively compromising Microsoft 365 accounts by harvesting login credentials and authentication tokens, according to recent findings from cybersecurity researchers at Barracuda. Since its initial detection in July 2025, this rapidly evolving threat has already been linked to nearly one million attacks across several large-scale phishing campaigns, positioning it as the third most prevalent PhaaS offering behind only Tycoon and EvilProxy.

Barracuda’s technical investigation reveals that Whisper 2FA incorporates advanced and highly adaptable functionality, making it a serious concern for organizations of all sizes. Its novel capabilities include persistent credential theft loops, multiple layers of disguise, and clever methods to interfere with security analysis of both its malicious code and any stolen information.

One of the kit’s most dangerous features is its continuous credential theft loop. Rather than stopping after a single failed attempt, Whisper 2FA repeatedly prompts the target to re-enter their credentials and multi-factor authentication codes until the attackers successfully capture a valid MFA token. This persistence means that even incorrect or expired codes do not halt the attack, and the system automatically adjusts to work with whatever MFA method the targeted account employs.

To avoid detection and complicate analysis, Whisper 2FA uses complex evasion tactics. These include scrambling and encrypting its attack code, setting traps for security analysis tools, and blocking standard keyboard shortcuts often used by researchers during inspection. These measures make it challenging for both automated security systems and human analysts to identify malicious activity in real time.

The phishing form itself is equally deceptive. Every piece of information a victim types, no matter which button they click, gets transmitted directly to the attackers. Stolen data is immediately scrambled and encrypted, preventing network monitoring tools from quickly recognizing that credentials have been exfiltrated.

Barracuda has observed significant evolution between early and recent versions of the kit. Initial variants contained developer comments and relatively simple obfuscation, mainly focused on disabling right-click menus used for code inspection. The latest iterations, however, contain no comments, use denser multi-layered obfuscation, and include new protections that detect and block debugging tools, disable developer shortcuts, and even crash inspection applications. This newer version also enables real-time validation of authentication tokens through the attacker’s command-and-control infrastructure.

Saravanan Mohankumar, Manager of Barracuda’s Threat Analysis team, emphasized the sophistication of this new threat. “The features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms,” he stated. “By combining real-time MFA interception, multiple layers of obfuscation and anti-analysis techniques, Whisper 2FA makes it difficult for users and security teams to detect fraud. To stay protected, organizations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.”

Barracuda’s analysis also notes similarities between Whisper 2FA and another emerging PhaaS called Salty 2FA, which similarly targets Microsoft 365 credentials. Both differ from established competitors like EvilProxy through their simplified yet harder-to-detect credential theft methods.

(Source: ITWire Australia)
