



Sneaky 2FA campaign using trusted sender abuse, tenant-branded M365 pages, and live Entra credential replay
Spent time researching a Sneaky 2FA-style campaign that was interesting because the email delivery and the phishing kit both showed meaningful evolution.
The initial message was not sent from a random throwaway account. It came through a compromised trusted SaaS sender account and targeted enterprise IT users. The lure was a Microsoft sign-in activity alert, but it was placed inside a business-thread chain, which made the message look more like part of an existing operational conversation than a standalone phishing email.
The web flow was also more interesting than a basic Microsoft credential clone. From the samples I reversed, the kit supported:
- identity-check gating before exposing the Microsoft page
- session-mutated routes, loader names, validation paths, and tokens
- tenant-branded Microsoft 365 rendering using Microsoft tenant branding assets
- signed resource URLs with hashed IP and user-agent values
- password collection
- verification code collection
- SMS code collection
- Microsoft Authenticator approval and number matching flows
- final redirect back to Outlook
The strongest evidence came from controlled testing with non-valid credentials. After submitting them to the phishing page, Microsoft Entra ID recorded near-real-time OfficeHome sign-in attempts from external infrastructure. The attempts failed with error 50126, which confirms the credentials were replayed against Microsoft rather than only stored by the page.
The observed asset set, MFA workflow, href[.]li decoy behavior, and Sneaky/WikiKit-style page structure make Sneaky 2FA a strong match for this case.