Mirage2FA phishing kit uses HTML smuggling to steal Microsoft 365 credentials
Mirage2FA, a phishing kit that combines short-lived HTML smuggling with obfuscated JavaScript loaders to deliver fake Microsoft 365 login pages and steal credentials during MFA prompts, has been identified by researchers at Fortra.

Fortra based its analysis on a suspicious HTML and JavaScript attachment delivered by email, supporting DNS data, and the second-stage phishing page.
Researchers said the campaign relied on business-themed lures, including secure documents, remittance services, automated billing, and payment requests. Opening the HTML attachment launched a Microsoft-branded page designed to resemble a protected business document.
The domain cheacker[.]store was registered on March 16, which suggests it was created for a short-lived phishing campaign.
“In the attack, the initial HTML payload uses obfuscated JavaScript to hide its behavior from static inspection, then decodes and executes concealed code using Base64, XOR with 0xAD, TextDecoder, and eval(). That code loads a second-stage script from attacker-controlled infrastructure at user[.]cheacker[.]store,” the researchers explained.
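The decoding chain described in that quote (Base64, single-byte XOR, TextDecoder) is easy to reverse offline when triaging such an attachment. The following Python helper is an added example written for this article; it is not Fortra's tooling or the kit's code. It scans an attachment for the loader primitives named above, extracts Base64-looking literals, decodes them with the reported key 0xAD and, if that key does not produce readable text, recovers the key by scoring all 256 single-byte XOR candidates. The embedded attachment is constructed for the example: its blob decodes to a placeholder string referencing example.invalid, not to any real second stage, and the key-scoring heuristic is an assumption of this example rather than anything the researchers described.

```python
"""Offline triage of an HTML-smuggling attachment (constructed example)."""
import base64
import re
import string

# Constructed sample attachment. The Base64 blob is the XOR-0xAD encoding of the
# placeholder 'load("example.invalid");' and does not fetch anything.
SAMPLE_HTML = """<html><body>
<script>
var b = "wcLMyYWPyNXMwN3ByIPEw9vMwcTJj4SW";
var u = Uint8Array.from(atob(b), function (c) { return c.charCodeAt(0) ^ 0xAD; });
var s = new TextDecoder().decode(u);
</script>
</body></html>"""

REPORTED_KEY = 0xAD  # the XOR key named in the write-up

# Loader primitives from the write-up, each as a regex over the attachment text.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "xor_constant": re.compile(r"\^\s*0x[0-9a-fA-F]{2}\b"),
    "text_decoder": re.compile(r"\bTextDecoder\b"),
    "eval": re.compile(r"\beval\s*\("),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # Base64 runs of 16+ chars
HOST = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
PRINTABLE = set(string.printable.encode())
# Multi-character fragments common in JavaScript loaders; used only to break ties
# between XOR keys that all yield printable text (heuristic, an assumption here).
JS_TOKENS = ('("', '")', "://", "http", "document", "window", "location",
             "script", "function", ".js")


def find_indicators(html: str) -> list[str]:
    """Names of the loader primitives present in the attachment."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def extract_blobs(html: str) -> list[bytes]:
    """Every Base64-looking literal that decodes cleanly, as raw bytes."""
    blobs = []
    for m in B64_BLOB.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return blobs


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def score_plaintext(data: bytes) -> float:
    """Printable-ASCII fraction plus a bonus for JavaScript-like fragments."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if b in PRINTABLE) / len(data)
    text = data.decode("latin-1")
    return printable + 0.5 * sum(text.count(tok) for tok in JS_TOKENS)


def recover_key(data: bytes, reported: int = REPORTED_KEY, threshold: float = 0.95) -> int:
    """Use the reported key if it yields readable text; otherwise brute-force all 256."""
    if score_plaintext(xor_bytes(data, reported)) >= threshold:
        return reported
    return max(range(256), key=lambda k: score_plaintext(xor_bytes(data, k)))


def decode_stage(data: bytes, key: int) -> str:
    """Mirror the loader's XOR + TextDecoder step (UTF-8, bad bytes replaced)."""
    return xor_bytes(data, key).decode("utf-8", errors="replace")


def referenced_hosts(text: str) -> list[str]:
    """Hostnames mentioned in the decoded stage, for IoC extraction."""
    return sorted(set(HOST.findall(text)))


def triage(html: str) -> dict:
    """Indicators found plus, per blob, the recovered key, decoded text and hosts."""
    report = {"indicators": find_indicators(html), "stages": []}
    for blob in extract_blobs(html):
        key = recover_key(blob)
        text = decode_stage(blob, key)
        report["stages"].append({"key": key, "text": text, "hosts": referenced_hosts(text)})
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    print("indicators:", ", ".join(result["indicators"]))
    for stage in result["stages"]:
        print(f"key=0x{stage['key']:02X} hosts={stage['hosts']}")
        print(stage["text"])
```

Run against a real attachment, the hosts pulled from the decoded stage are the values to compare against the published IoCs and to hunt for in proxy and DNS logs; a key other than 0xAD is itself worth recording, since it distinguishes kit variants.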
The second-stage phishing page mimics the Microsoft 365 sign-in process with a fake CAPTCHA screen, credential fields, and prompts for several MFA methods, including authenticator apps and number matching. The researchers also found code supporting SMS verification, although they did not confirm that workflow during testing.
“The likely goal is Microsoft 365 account takeover. If a user submitted credentials, the attacker may have been able to access email, files, Teams messages, SharePoint content, and other connected SaaS resources,” they added.
Fortra identified several indicators of compromise linked to the campaign, including the domains cheacker[.]store and user[.]cheacker[.]store, an IP address, and JavaScript resources.
“Any user who opened the phishing page or submitted information should have their password reset, active sessions and refresh tokens revoked, MFA methods reviewed, mailbox rules inspected, and OAuth grants checked,” the researchers concluded.