Whisper 2FA: The New Phishing Tool That Steals Microsoft 365 Credentials

Redazione RHC: 27 October 2025 17:45

According to new research from Barracuda Networks, a particularly insidious and persistent new Phishing-as-a-Service (PhaaS) kit is stealing credentials and authentication tokens from Microsoft 365 users. Barracuda experts have been monitoring this new threat since July 2025 and have named it Whisper 2FA.

Researchers have detected nearly one million Whisper 2FA attacks targeting accounts in several large-scale phishing campaigns over the past month, making Whisper the third most popular PhaaS kit after Tycoon and EvilProxy.

Barracuda’s technical analysis shows that Whisper 2FA’s functionality is both advanced and adaptable. Its notable features include continuous loops to steal authentication tokens, multiple layers of camouflage, and ingenious tactics to hinder analysis of the malicious code and of the stolen data. This represents a real threat to organizations, and one that is evolving rapidly.

According to the researchers, the main features of Whisper 2FA include:

  • Credential theft loop. Whisper 2FA can continuously repeat the process of stealing account credentials until the attackers are confident they have obtained a working multi-factor authentication (MFA) token. For defenders, this means that even expired or incorrect codes can’t stop the attack: the phishing kit keeps prompting the victim to re-enter their details and receive a new code until the attackers obtain a working one. Furthermore, Whisper 2FA is designed to adapt to whichever MFA method the victim uses.
  • Complex tactics to evade detection and analysis. These include multiple layers of obfuscation, such as scrambling and encrypting the attack code, setting traps for analysis tools, and blocking the keyboard shortcuts commonly used for inspection. This makes it difficult for security personnel and defensive tools to analyze Whisper 2FA activity and to automatically detect suspicious and malicious actions.
  • A versatile phishing tactic. Whisper 2FA’s phishing form sends all data entered by the victim to the cybercriminals, regardless of which button the user presses. The stolen data is quickly manipulated and encrypted, making it difficult for anyone monitoring the network to immediately realize that the victim’s login details have been stolen.

The Whisper 2FA phishing kit is rapidly advancing in both technical sophistication and anti-detection strategies. Barracuda’s analysis highlights how early variants of the kit featured developer-added text comments, several layers of obfuscation, and anti-analysis techniques that primarily focused on disabling the context menu (right-click) used for code inspection.

In contrast, the latest variants of the kit discovered by Barracuda lack comments, the obfuscation has become denser and more layered, and new protections have been added to make it harder for defenders to analyze or tamper with the kit. These include tricks to detect and block debugging tools, disable shortcuts used by developers, and crash inspection tools. Furthermore, this variant allows authentication tokens to be validated in real time through the attackers’ command and control system.

“The features and functionality of Whisper 2FA demonstrate how phishing kits have evolved from simple credential theft tools to sophisticated attack platforms,” says Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda. “By combining real-time multifactor authentication interception, multiple layers of obfuscation, and anti-analysis techniques, Whisper 2FA further hinders users and security teams in detecting fraud. To stay protected, organizations must move beyond static defenses and adopt multi-layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.”

Barracuda’s Whisper 2FA analysis shows some similarities to Salty 2FA, a new PhaaS focused on M365 credential theft recently reported by ANY.RUN, but also notable differences from older, more established rivals like EvilProxy, including a simplified and more difficult-to-detect credential theft system.

Tycoon’s New Malicious Link Obfuscation Techniques

In another recent report, Barracuda also uncovered new techniques used by the Tycoon Phishing-as-a-Service kit to hide malicious links in emails. Specifically, these strategies are designed to obfuscate, confuse, and alter the structure of links or URLs, thus fooling automatic detection systems and ensuring the links are not blocked. Some examples:

  • Inserting a series of invisible spaces into the malicious link by repeatedly typing the code " " into its address;
  • Adding unusual characters to the link, such as a Unicode symbol that looks like a dot but isn’t;
  • Appending a hidden email address or special code to the end of the link;
  • Crafting a URL that is only partially hyperlinked or contains invalid elements, such as two “https” prefixes or no “//”, to hide the link’s true destination while making the active part appear innocuous;
  • Using the “@” symbol in the link address. Browsers treat everything before the “@” as “user information”, so attackers insert text that appears trustworthy and reliable, such as “office365”, into this section. The actual link destination is located after the “@” symbol;
  • Using web links with unusual symbols, such as backslashes (“\”) or the dollar sign (“$”), which are not normally used in URLs. These characters can alter the way security tools read the address, helping a malicious link evade automatic detection systems;
  • Creating a URL where the first part is harmless and hyperlinked, while the second, malicious part appears as plain text. Because the malicious part isn’t linked to anything, security tools don’t read it properly.
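The structural tricks in the list above can be surfaced with a simple static link inspector. The following Python script is an added example written for this article; it is not code from Barracuda’s report or from Red Hot Cyber. It flags a doubled scheme, a missing “//”, padding with repeated encoded spaces (generalised here to zero-width characters as well, which is an assumption beyond the article), backslashes and dollar signs, Unicode dot look-alikes in the host, user information before an “@”, and an email address tucked into the path or query. The sample links, the `example.com` and `evil.example` hosts, and the `DOT_LOOKALIKES` and `INVISIBLE_CHARS` sets are constructed for the demonstration. The last trick in the list (a malicious part left as plain text next to a harmless hyperlink) depends on how the email body is rendered, so it cannot be detected from the URL string alone and is not covered here.

```python
"""Static inspector for the URL obfuscation patterns described above.

Added example, not code from the article or from Barracuda's report. The
sample links are constructed and use placeholder hosts only.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Non-ASCII characters that render like a period and can be used to build a
# look-alike host. U+2024 and U+FF0E fold to "." under NFKC; U+3002 and U+FF61
# do not, so they are listed explicitly. Assumption: a starting set, not an
# exhaustive one.
DOT_LOOKALIKES = {"\u3002", "\uff0e", "\uff61", "\u2024"}

# Invisible characters that pad a link without changing how it looks
# (generalisation beyond the encoded-space example in the article).
INVISIBLE_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed samples, one per pattern, plus a clean control link.
SAMPLE_LINKS = [
    "https://login.example.com/%20%20%20%20signin",            # encoded-space padding
    "https://office365\u3002example\u2024com/login",            # dot look-alikes in host
    "https://portal.example.com/verify?u=victim@example.com",   # email appended to link
    "https://https://bad.example/path",                         # doubled scheme
    "https:bad.example/path",                                   # missing "//"
    "https://office365@evil.example/login",                     # user info before "@"
    "https://cdn.example.com\\evil.example/$x",                 # backslash and "$"
    "https://login.example.com/signin",                         # clean control
]


def effective_host(url: str) -> str:
    """Host a browser would actually contact (the part after any '@')."""
    return urlsplit(url).hostname or ""


def inspect_url(url: str) -> list[str]:
    """Return the obfuscation indicators found in one URL (empty = none)."""
    findings = []

    # Two schemes back to back, e.g. "https://https://..."
    if re.match(r"^https?:/{0,2}https?:", url, re.I):
        findings.append("doubled-scheme")

    # Scheme present but the "//" authority marker is missing.
    if re.match(r"^https?:(?!//)", url, re.I):
        findings.append("missing-authority-slashes")

    # Repeated encoded spaces or zero-width characters padding the link.
    if re.search(r"(?:%20){2,}", url, re.I) or any(c in INVISIBLE_CHARS for c in url):
        findings.append("invisible-padding")

    # Characters that some parsers accept but that real links rarely contain.
    if "\\" in url or "$" in url:
        findings.append("unusual-characters")

    try:
        parts = urlsplit(url)
    except ValueError:
        findings.append("unparseable")
        return findings

    # Everything before "@" in the authority is user info; the browser goes
    # to the host after it, so "office365@evil.example" lands on evil.example.
    if "@" in parts.netloc:
        findings.append("userinfo-in-authority")

    # Non-ASCII characters in the host that look like a period.
    host = parts.hostname or ""
    if any(not c.isascii() and (c in DOT_LOOKALIKES or unicodedata.normalize("NFKC", c) == ".")
           for c in host):
        findings.append("dot-lookalike-in-host")

    # An email address hidden in the path, query or fragment.
    tail = "".join((parts.path, parts.query, parts.fragment))
    if EMAIL_RE.search(tail):
        findings.append("email-in-path-or-query")

    return findings


def triage(urls) -> dict[str, list[str]]:
    """Map each link to its indicators so an analyst can review the hits."""
    return {u: inspect_url(u) for u in urls}


if __name__ == "__main__":
    for link, hits in triage(SAMPLE_LINKS).items():
        print(f"{hits or ['clean']}\t{link!r}")
```

Each indicator is a reason to hold the message for review rather than a verdict on its own; `effective_host` shows the analyst where the link really points, which is the value to compare against the text the sender wanted the victim to see.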
