Mirage2FA Phishing Kit Uses HTML Smuggling to Steal Microsoft 365 Credentials and Bypass MFA
Fortra researchers have uncovered Mirage2FA, a phishing kit that combines HTML smuggling with obfuscated JavaScript to deliver fake Microsoft 365 login pages and steal credentials during MFA prompts.

Fortra researchers have identified a new phishing kit dubbed Mirage2FA that uses HTML smuggling and heavily obfuscated JavaScript loaders to deliver convincing fake Microsoft 365 login pages. The kit captures the victim's password and then the response to the multi-factor authentication (MFA) prompt, aiming at full account takeover.
The attack chain begins with an HTML attachment, carrying inline JavaScript, delivered by email. The emails use business-themed lures such as secure documents, remittance services, automated billing, and payment requests to persuade recipients to open the attachment. Once opened in the browser, the HTML renders a Microsoft-branded page posing as a protected business document.
“In the attack, the initial HTML payload uses obfuscated JavaScript to hide its behavior from static inspection, then decodes and executes concealed code using Base64, XOR with 0xAD, TextDecoder, and eval(). That code loads a second-stage script from attacker-controlled infrastructure at user[.]cheacker[.]store,” the researchers explained. The domain cheacker[.]store was registered on March 16, suggesting freshly stood-up infrastructure intended for a short-lived campaign.
The second-stage phishing page mimics the Microsoft 365 sign-in process with a fake CAPTCHA screen, credential fields, and prompts for several MFA methods, including authenticator apps and number matching. The researchers also found code supporting SMS verification, although they did not confirm that workflow during testing.
“The likely goal is Microsoft 365 account takeover. If a user submitted credentials, the attacker may have been able to access email, files, Teams messages, SharePoint content, and other connected SaaS resources,” they added. HTML smuggling helps the payload past email security filters because the gateway sees only an HTML file containing an encoded string; the malicious script is reconstructed inside the recipient's browser, so attachment scanners looking for a recognisable malicious file have nothing to match.
Fortra identified several indicators of compromise linked to the campaign, including the domains cheacker[.]store and user.cheacker[.]store, an IP address, and JavaScript resources. The researchers recommend that any user who opened the phishing page or submitted information should have their password reset, active sessions and refresh tokens revoked, MFA methods reviewed, mailbox rules inspected, and OAuth grants checked.
Mirage2FA is the latest in a growing trend of phishing kits that specifically target MFA protections. By capturing the password and the one-time code, push approval, or number-matching response while the victim is authenticating, these kits defeat MFA methods that are not bound to the legitimate site, which is why phishing-resistant methods such as FIDO2 security keys or passkeys, whose response is tied to the origin, are the recommended control against them. The use of HTML smuggling and obfuscated JavaScript demonstrates the continued evolution of phishing techniques designed to evade detection.