Mirage2FA Phishing Kit Uses HTML Smuggling to Harvest Microsoft 365 Credentials and Bypass MFA
What Happened – Researchers at Fortra uncovered a new phishing kit, Mirage2FA, that delivers a short‑lived HTML‑smuggling payload. The payload renders a convincing Microsoft 365 login page, captures user credentials and MFA responses, and forwards them to attacker‑controlled infrastructure.
Why It Matters for Compliance & Audit Readiness
- Demonstrates a failure of access‑control safeguards that SOC 2 CC6.1 (Logical Access) is designed to protect.
- Highlights the need for documented security‑awareness training and phishing‑simulation evidence as part of the SOC 2 CC1.1 (Security) control set.
- Provides a concrete example of why continuous monitoring of credential usage and MFA revocation procedures must be captured as audit evidence.
Who Is Affected – Enterprises that rely on Microsoft 365 for email, Teams, SharePoint, and other SaaS workloads; broadly, the technology‑SaaS and professional‑services sectors.
Recommended Actions
- Reset passwords for any accounts that may have interacted with the phishing page; revoke active sessions, refresh tokens, and re‑issue MFA credentials.
- Review and tighten SOC 2 access‑control policies: enforce MFA, log MFA challenges, and require periodic credential rotation.
- Deploy targeted security‑awareness training and simulated phishing campaigns to validate user resilience.
- Implement continuous monitoring of credential anomalies (impossible travel, impossible logins) and retain logs as SOC 2 audit evidence.
Technical Notes – The kit uses obfuscated JavaScript (Base64, XOR, TextDecoder, eval) to hide the payload, then loads a second‑stage script from user.cheacker.store. The phishing page mimics Microsoft’s sign‑in flow, including a fake CAPTCHA and prompts for authenticator‑app, number‑matching, and SMS MFA. Indicators of compromise include the domains cheacker.store and user.cheacker.store and associated IP addresses.
Source: Help Net Security