
"Whisper 2FA steals both credentials and MFA tokens while evading detection through complex obfuscation techniques. The tool bears similarities to Salty 2FA, researchers noted, a new PhaaS with a focus on stealing Microsoft 365 credentials reported recently by AnyRun. It's a well-obfuscated credential harvester with anti-debugging, anti-analysis, and brand mimicking features. Tracked since July 2025, it has already powered close to a million attacks, making it the third most-common PhaaS after Tycoon and EvilProxy."
"Whisper 2FA can steal credentials multiple times through a real-time credential exfiltration loop that's enabled by a web technology known as Asynchronous JavaScript and XML (AJAX). This feature, which speeds up live chat, instant search suggestions and dynamic dashboards, allows websites to update information in real-time without needing to reload the entire page. "By combining realistic login flows, seamless user interaction and real-time MFA interception, Whisper 2FA makes it extremely difficult for users and security teams to detect fraud," researchers warned."
Whisper 2FA is a Phishing-as-a-Service (PhaaS) tool that targets Microsoft 365 users, stealing credentials and multi-factor authentication (MFA) tokens while employing complex obfuscation to evade detection. The kit implements anti-debugging, anti-analysis and brand-mimicking techniques, and has powered close to a million attacks since July 2025, making it the third most-common PhaaS after Tycoon and EvilProxy. Whisper 2FA uses an AJAX-enabled real-time credential exfiltration loop to capture credentials repeatedly and validate sessions live, intercepting MFA codes during login flows. Phishing emails mimic trusted brands like DocuSign, Voicemail, Adobe and invoice notifications. Rapid technical evolution and the removal of random text increase its stealth.
Read at IT Pro