Mirage2FA phishing kit uses HTML smuggling to steal Microsoft 365 credentials
Mirage2FA is a phishing kit that uses HTML smuggling and obfuscated JavaScript to deliver fake Microsoft 365 login pages. It targets users with business-themed lures and mimics the Microsoft 365 sign-in process, including MFA prompts. The goal is to steal Microsoft 365 credentials and potentially take over accounts. The phishing campaign uses short-lived domains and sophisticated code obfuscation to evade detection.
AI Analysis
Technical Summary
Mirage2FA phishing kit employs HTML smuggling combined with obfuscated JavaScript loaders to deliver fake Microsoft 365 login pages designed to steal credentials during multi-factor authentication (MFA) prompts. The attack begins with an email containing an HTML and JavaScript attachment that launches a Microsoft-branded page resembling a protected business document. The initial payload uses Base64 encoding, XOR with 0xAD, TextDecoder, and eval() to decode and execute concealed code that loads a second-stage phishing script from attacker-controlled domains (cheacker.store and user.cheacker.store). The second-stage page mimics Microsoft 365's sign-in process, including fake CAPTCHA and prompts for multiple MFA methods such as authenticator apps and number matching, with code also supporting SMS verification. The campaign aims to enable Microsoft 365 account takeover, potentially granting attackers access to email, files, Teams messages, SharePoint, and other connected SaaS resources. Indicators of compromise include the domains cheacker.store and user.cheacker.store, an IP address, and JavaScript resources identified by Fortra researchers.
Potential Impact
Successful exploitation can lead to Microsoft 365 account takeover, allowing attackers to access sensitive email communications, files, Teams messages, SharePoint content, and other connected SaaS resources. This compromises organizational security and data confidentiality. The phishing kit's use of MFA prompts increases the likelihood of bypassing multi-factor authentication protections.
Mitigation Recommendations
No official patch is applicable as this is a phishing attack technique. Users who have interacted with the phishing page or submitted credentials should immediately reset their passwords, revoke active sessions and refresh tokens, review MFA methods, inspect mailbox rules, and check OAuth grants for unauthorized access. Organizations should educate users about phishing risks, especially those involving MFA prompts, and monitor for indicators of compromise such as the domains cheacker.store and user.cheacker.store. Employing email filtering and anti-phishing solutions can help reduce exposure.
Mirage2FA phishing kit uses HTML smuggling to steal Microsoft 365 credentials
Description
Mirage2FA is a phishing kit that uses HTML smuggling and obfuscated JavaScript to deliver fake Microsoft 365 login pages. It targets users with business-themed lures and mimics the Microsoft 365 sign-in process, including MFA prompts. The goal is to steal Microsoft 365 credentials and potentially take over accounts. The phishing campaign uses short-lived domains and sophisticated code obfuscation to evade detection.
Reddit Discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mirage2FA phishing kit employs HTML smuggling combined with obfuscated JavaScript loaders to deliver fake Microsoft 365 login pages designed to steal credentials during multi-factor authentication (MFA) prompts. The attack begins with an email containing an HTML and JavaScript attachment that launches a Microsoft-branded page resembling a protected business document. The initial payload uses Base64 encoding, XOR with 0xAD, TextDecoder, and eval() to decode and execute concealed code that loads a second-stage phishing script from attacker-controlled domains (cheacker.store and user.cheacker.store). The second-stage page mimics Microsoft 365's sign-in process, including fake CAPTCHA and prompts for multiple MFA methods such as authenticator apps and number matching, with code also supporting SMS verification. The campaign aims to enable Microsoft 365 account takeover, potentially granting attackers access to email, files, Teams messages, SharePoint, and other connected SaaS resources. Indicators of compromise include the domains cheacker.store and user.cheacker.store, an IP address, and JavaScript resources identified by Fortra researchers.
Potential Impact
Successful exploitation can lead to Microsoft 365 account takeover, allowing attackers to access sensitive email communications, files, Teams messages, SharePoint content, and other connected SaaS resources. This compromises organizational security and data confidentiality. The phishing kit's use of MFA prompts increases the likelihood of bypassing multi-factor authentication protections.
Mitigation Recommendations
No official patch is applicable as this is a phishing attack technique. Users who have interacted with the phishing page or submitted credentials should immediately reset their passwords, revoke active sessions and refresh tokens, review MFA methods, inspect mailbox rules, and check OAuth grants for unauthorized access. Organizations should educate users about phishing risks, especially those involving MFA prompts, and monitor for indicators of compromise such as the domains cheacker.store and user.cheacker.store. Employing email filtering and anti-phishing solutions can help reduce exposure.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a3e72c9cef61ccff96011c4
Added to database: 06/26/2026, 12:38:33 UTC
Last enriched: 06/26/2026, 12:38:54 UTC
Last updated: 06/26/2026, 14:22:33 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.