HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Mirage2FA Phishing Kit Uses HTML Smuggling to Harvest Microsoft 365 Credentials and Bypass MFA

Fortra researchers identified Mirage2FA, a phishing kit that delivers an HTML‑smuggling payload to mimic Microsoft 365 login pages and capture credentials plus MFA responses. The incident underscores the importance of SOC 2 access‑control policies, security‑awareness training, and continuous monitoring of credential usage.

LiveThreat™ Intelligence · 📅 June 26, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
helpnetsecurity.com

Mirage2FA Phishing Kit Uses HTML Smuggling to Harvest Microsoft 365 Credentials and Bypass MFA

What Happened – Researchers at Fortra uncovered a new phishing kit, Mirage2FA, that delivers a short‑lived HTML‑smuggling payload. The payload renders a convincing Microsoft 365 login page, captures user credentials and MFA responses, and forwards them to attacker‑controlled infrastructure.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure of access‑control safeguards that SOC 2 CC6.1 (Logical Access) is designed to protect.
  • Highlights the need for documented security‑awareness training and phishing‑simulation evidence as part of the SOC 2 CC1.1 (Security) control set.
  • Provides a concrete example of why continuous monitoring of credential usage and MFA revocation procedures must be captured as audit evidence.

Who Is Affected – Enterprises that rely on Microsoft 365 for email, Teams, SharePoint, and other SaaS workloads; broadly, the technology‑SaaS and professional‑services sectors.

Recommended Actions

  • Reset passwords for any accounts that may have interacted with the phishing page; revoke active sessions, refresh tokens, and re‑issue MFA credentials.
  • Review and tighten SOC 2 access‑control policies: enforce MFA, log MFA challenges, and require periodic credential rotation.
  • Deploy targeted security‑awareness training and simulated phishing campaigns to validate user resilience.
  • Implement continuous monitoring of credential anomalies (impossible travel, impossible logins) and retain logs as SOC 2 audit evidence.

Technical Notes – The kit uses obfuscated JavaScript (Base64, XOR, TextDecoder, eval) to hide the payload, then loads a second‑stage script from user.cheacker.store. The phishing page mimics Microsoft’s sign‑in flow, including a fake CAPTCHA and prompts for authenticator‑app, number‑matching, and SMS MFA. Indicators of compromise include the domains cheacker.store and user.cheacker.store and associated IP addresses.

Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →