Sneaky 2FA MDO Detection
Query
// Sneaky 2FA MDO Detection
// https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/
let Sneaky2FATable=externaldata(RawData:string)
[h'https://raw.githubusercontent.com/SlimKQL/Hunting-Queries-Detection-Rules/refs/heads/main/IOC/Sneaky2FA.txt']
| parse RawData with Sneaky2FADomains:string;
let IOCs =
Sneaky2FATable
| distinct Sneaky2FADomains;
let InboundEmailReceipient =
EmailUrlInfo
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| distinct RecipientEmailAddress;
let InboundEncodedEmailReceipient =
EmailUrlInfo
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| extend EncodeEmail = base64_encode_tostring(RecipientEmailAddress)
| distinct EncodeEmail;
EmailUrlInfo
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Url has_any(IOCs) and (Url has_any(InboundEmailReceipient) or Url has_any(InboundEncodedEmailReceipient))Explanation
This KQL (Kusto Query Language) query is designed to detect a specific type of phishing attack known as "Sneaky 2FA" (Two-Factor Authentication) that uses phishing-as-a-service techniques. Here's a simplified breakdown of what the query does:
-
Load Suspicious Domains: It retrieves a list of suspicious domains related to the Sneaky 2FA attack from an external data source (a GitHub repository).
-
Extract Unique Domains: It extracts distinct domains from the loaded data to use as indicators of compromise (IOCs).
-
Identify Inbound Email Recipients:
- It identifies unique email addresses that have received inbound emails by joining two tables:
EmailUrlInfoandEmailEvents. - It also creates a base64-encoded version of these email addresses for further analysis.
- It identifies unique email addresses that have received inbound emails by joining two tables:
-
Filter and Analyze Emails:
- It examines inbound emails that have been delivered.
- It checks if the URLs in these emails match any of the suspicious domains (IOCs).
- Additionally, it verifies if these URLs contain either the plain or encoded version of the recipient's email address.
The goal of this query is to detect potentially malicious emails that are part of the Sneaky 2FA phishing campaign by looking for specific patterns in email URLs and recipient information.
Details

Steven Lim
Released: January 18, 2025
Tables
Keywords
Operators