Inside Attacker's Defensive Funnel: How Sneaky 2FA Cloaks Itself From Security Scanners
Menlo Security, Monday, February 23rd, 2026
In the relentless cat-and-mouse game between threat actors and defenders, phishing infrastructure has evolved from simple credential harvesting into sophisticated operations with multi-layered defensive mechanisms.
Menlo Security has identified a massive, persistent campaign, active since June 2025, spanning approximately 3.4K malicious domains.
This campaign utilizes a highly obfuscated, aggressive phishing kit, assessed with high confidence to be a variant of Sneaky 2FA, that is specifically designed to impersonate Microsoft 365 login portals. Its primary objective is not just to steal passwords but to harvest session cookies, allowing attackers to bypass Two-Factor Authentication (2FA) and authenticate directly to corporate services.