Published on October 9, 2024
Updated on November 5, 2025

Unpacking the Mamba 2FA Phishing Threat: Why Email Protection Isn’t Enough

CHRIS FULLER

Recently, we detected a phishing attack targeting one of our customers. In this blog post, we analyze the attack’s life cycle to show why you need a thoughtful solution to defend against sophisticated identity threats.

“The chances of finding out what’s really going on in the universe are so remote, the only thing to do is hang the sense of it and keep yourself occupied.”
—Douglas Adams, The Hitchhiker’s Guide to the Galaxy

Catching The New Mamba 2FA Phishing Kit

Obsidian detects and blocks a new phishing site daily. Without any modifications, the Obsidian Browser Extension recently detected the new and emerging phishing-as-a-service (PhaaS) platform called Mamba 2FA. In this blog, we want to give you an overview of how innovative – and at times straight-up bizarre – attackers can be to evade traditional defenses such as email protection.

The Evolution of Phishing

Phishing has come a long way from basic credential harvesting to more advanced attacks like adversary-in-the-middle (AiTM) that bypass multi-factor authentication (MFA). Traditional defenses, like email protection systems, use URL scanning to detect malicious campaigns. However, attackers now leverage sophisticated techniques to stay ahead of these defenses. These modern phishing lures direct users to authenticate through reverse proxies, capturing session tokens and granting the attacker access to systems like identity providers (IDPs) such as Microsoft and Okta.


We’ve observed that over 99% of compromises in the last 12 months began with the IDP. Of these incidents, 38% gained initial access through AiTM or spear phishing attacks. This shows how attackers are evolving, but it also shows where they are exposed and where detection is possible. Just like a submarine moving stealthily beneath the waves, phishing and AiTM servers can hide on the internet for extended periods without detection. However, for attackers to execute their phishing campaigns, they eventually need to “surface”—by hosting a phishing page that mimics legitimate services like Microsoft or Okta. This creates an opportunity for detection.

The Weak Link: URL Scanning and Email Protection

The ease of registering new domains and the rise of PhaaS platforms, such as Tycoon and Mamba 2FA, has made phishing easier and more efficient for attackers. Many email protection systems, like URL scanners, attempt to identify phishing sites by checking for visual similarities to legitimate login pages (e.g., Okta, Microsoft) or markers indicating the use of phishing kits like Evilginx. However, attackers have adapted quickly to evade these automated tools.


One such adaptation is the use of Cloudflare Turnstile, where phishing sites are hosted behind a CAPTCHA challenge. This strategy blocks automated scanners from ever reaching the phishing page, thwarting tools such as urlscan.io and email protection systems that rely on traditional automated URL scanning.

In the last three months, Obsidian observed that over 77% of phishing sites were hosted on Cloudflare and used Turnstile challenges to prevent automated scanning.

Why Email Protection Isn’t Enough

Despite the widespread use of email protection platforms like Proofpoint, Mimecast, and Abnormal Security, phishing attacks continue to succeed.


A shocking 93% of spear phishing and AiTM compromises observed by Obsidian in the last year occurred even when email protection was in place. In 15% of these cases, both the email service provider’s native protection and a dedicated email security solution were in use simultaneously.


This isn’t to say email protection is useless—far from it—but it alone is not enough to defend against phishing. The sophistication of attackers has reached a level where they can bypass traditional defenses, including automated URL scanners.

Obsidian’s Unique Approach: Seeing What the User Sees

One of the key innovations from Obsidian is its browser extension, which focuses on monitoring user interactions within the browser. By analyzing what the user sees—whether they are navigating a phishing page behind a Cloudflare turnstile or interacting with a compromised site—Obsidian can provide protection where traditional methods fail. This real-time protection identifies when a user visits a phishing page that has evaded automated scanners and prevents them from proceeding.


For example, if a user lands on okta-evil.com and the site renders a near-perfect replica of Okta’s login page, Obsidian’s extension can detect the discrepancy in the domain (i.e., it’s not Okta despite the visual similarities to the real Okta page). The Obsidian browser extension flags the site as malicious, alerting the user and preventing them from submitting their credentials.

Case Study: Mamba 2FA Bypassing URL Scanners with Creative Tactics

Recently, Obsidian identified a phishing attack that exploited URL scanning weaknesses in a novel way.

The link led to a compromised legitimate site that hosted a phishing page disguised as a voicemail play button. Only after the user interacted with that page did the site render a fake Microsoft login. The email protection provider had scanned the link, but the multi-step redirection and the compromised legitimate domain fooled its scanning and detection system.

Obsidian’s browser extension detected the phishing attempt at the final step. It recognized the visual elements of the Mamba 2FA phishing page and blocked the user from submitting their credentials.
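Both the okta-evil.com example above and the voicemail case study come down to one check: the page the user sees imitates an identity provider, but it is not served from that provider’s origin. The following is an added illustration of that check, written for this post and not Obsidian’s extension code. It infers which brand a rendered login page imitates from its visible content, then verifies that both the page origin and the credential form’s submit target belong to that brand; for a multi-step lure, every rendered step is evaluated and the first spoofed login is blocked. The brand markers, the allowed-origin lists and the sample pages (hostnames other than okta-evil.com are placeholders) are constructed assumptions.

```javascript
// Added example (not Obsidian's code): "see what the user sees" login check.
// Brand markers, allowed origins and sample pages are constructed assumptions.

// Origins each brand legitimately serves its login from (assumed list).
const BRAND_ORIGINS = {
  microsoft: ["login.microsoftonline.com", "login.live.com"],
  okta: [".okta.com", ".oktapreview.com"], // leading dot = any tenant subdomain
};

// Visible strings that make a user believe they are on that brand's sign-in
// page. Every marker for a brand must appear in the rendered text.
const BRAND_MARKERS = {
  microsoft: [/sign in/i, /microsoft/i],
  okta: [/sign in/i, /okta/i],
};

// True if hostname equals an allowed host or sits under an allowed suffix.
function hostAllowed(hostname, allowed) {
  const h = hostname.toLowerCase();
  return allowed.some((a) => (a.startsWith(".") ? h.endsWith(a) : h === a));
}

// Infer the imitated brand from rendered content only: title, visible text,
// and whether a password field is present (a login page, not a landing page).
function inferBrand(page) {
  if (!page.hasPasswordField) return null;
  const haystack = `${page.title}\n${page.visibleText}`;
  for (const [brand, markers] of Object.entries(BRAND_MARKERS)) {
    if (markers.every((re) => re.test(haystack))) return brand;
  }
  return null;
}

// Verdict for one rendered page. Domain reputation and redirect history are
// deliberately ignored: only what is on screen and where it is served from.
function assessRenderedPage(page) {
  const brand = inferBrand(page);
  if (!brand) return { verdict: "allow", reason: "no IDP login rendered" };
  const pageHost = new URL(page.url).hostname;
  const formHost = new URL(page.formAction, page.url).hostname;
  const allowed = BRAND_ORIGINS[brand];
  if (hostAllowed(pageHost, allowed) && hostAllowed(formHost, allowed)) {
    return { verdict: "allow", brand, reason: `${brand} login on a ${brand} origin` };
  }
  // A reverse proxy (AiTM) and a static clone both fail here: the user sees a
  // Microsoft/Okta login, but the page or its credential form lives elsewhere.
  return {
    verdict: "block", brand, pageHost, formHost,
    reason: `renders a ${brand} login but page=${pageHost} form=${formHost}`,
  };
}

// Multi-step lures (e.g. a voicemail "play" button) only show the login on a
// later page: evaluate every rendered step and block at the first bad one.
function assessChain(pages) {
  for (const page of pages) {
    const result = assessRenderedPage(page);
    if (result.verdict === "block") return result;
  }
  return { verdict: "allow", reason: "no step rendered a spoofed IDP login" };
}

// Constructed sample pages; hostnames are placeholders, not real indicators.
const SAMPLE = {
  realMicrosoft: {
    url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    formAction: "/common/login", title: "Sign in to your account",
    visibleText: "Microsoft\nSign in\nEmail, phone, or Skype", hasPasswordField: true,
  },
  voicemailLure: {
    url: "https://compromised-legit.example/wp-content/voicemail.html",
    formAction: "", title: "New voicemail",
    visibleText: "You have a new voicemail. Press play to listen.", hasPasswordField: false,
  },
  fakeMicrosoft: {
    url: "https://mail-auth.attacker.example/login",
    formAction: "https://mail-auth.attacker.example/post", title: "Sign in to your account",
    visibleText: "Microsoft\nSign in\nEnter password", hasPasswordField: true,
  },
  fakeOkta: {
    url: "https://okta-evil.com/login", formAction: "/login", title: "Okta",
    visibleText: "Sign In\nUsername\nPassword\nOkta", hasPasswordField: true,
  },
};

// Stand-alone run: the lure alone is allowed, the chain is blocked at step 2.
console.log(assessRenderedPage(SAMPLE.fakeOkta));
console.log(assessChain([SAMPLE.voicemailLure, SAMPLE.fakeMicrosoft]));
```

The point of the design is the one the post makes: the allowlist and the markers describe what Microsoft or Okta look like, which the attacker cannot change without the lure ceasing to look like Microsoft or Okta, and nothing in the check depends on the attacker’s domain, hosting provider or redirect path. In a real content script the page descriptor would be built from the live DOM (document title, visible text nodes, `<form action>` and `input[type=password]`), which is where the CAPTCHA gate becomes irrelevant: the user has already passed it by the time the login renders.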

Obsidian has seen IDP compromises lead to data exfiltration in less than 10 minutes.

Final Thoughts: Defense-in-Depth with Browser-Based Protection

Obsidian blocked the above without any modification to its detection capabilities, because the detection doesn’t rely on following attackers’ infrastructure or other easy-to-change behavioral patterns. We rely on what the page looks like to the user, and that is not something attackers can change. That is how we detected the new Mamba 2FA kit in the wild without making a single change to our detection logic. New phishing kits will continue to appear and to evolve, but changing their pages to look like something that isn’t Microsoft, Okta, Google et cetera isn’t within their control.


To learn more about how Obsidian can protect your organization from advanced phishing attacks, schedule your demo.

Frequently Asked Questions (FAQs)

How does the Mamba 2FA phishing kit bypass traditional email protection systems?

The Mamba 2FA phishing kit uses advanced methods such as adversary-in-the-middle (AiTM) attacks and Cloudflare Turnstile challenges to evade traditional email protection. By hosting phishing pages behind CAPTCHA challenges and utilizing multiple redirections through compromised domains, Mamba 2FA can prevent automated scanners and URL filtering from detecting malicious activity, rendering conventional email security solutions insufficient.

Why are adversary-in-the-middle (AiTM) attacks so effective against multi-factor authentication?

AiTM attacks work by placing a malicious proxy between the victim and the legitimate site, capturing both credentials and session tokens as users complete the authentication process. This allows attackers to bypass multi-factor authentication (MFA) by intercepting session cookies, giving them access to corporate resources even when MFA is enabled.

What percentage of phishing attacks bypassed email security solutions, according to Obsidian's findings?

Obsidian’s data revealed that 93% of spear phishing and AiTM compromises occurred despite organizations having email protection in place. In 15% of these incidents, attackers were able to bypass both native email service provider defenses and dedicated security solutions simultaneously, highlighting the limitations of relying solely on traditional email protection.

How does the Obsidian browser extension protect against sophisticated phishing attacks?

The Obsidian browser extension analyzes the rendered content that users see in real time, rather than relying on domain reputation or traditional URL scanning. This user-centric approach detects phishing attempts—including those hidden behind CAPTCHAs or clever redirects—by identifying when a web page mimics legitimate login interfaces but has discrepancies, such as a mismatched domain.
