Nearly a Million Microsoft 365 Accounts Targeted by New Whisper 2FA Phishing Kit

Cybercriminals have escalated their tactics with Whisper 2FA, a sophisticated phishing kit that’s already been used in nearly a million attacks against Microsoft 365 users — stealing credentials and intercepting MFA in real time by imitating trusted brands.

The Whisper 2FA phishing kit was discovered and named by Barracuda’s threat analysts, who began tracking its activity in July 2025. It’s now the third most common Phishing-as-a-Service (PhaaS) after Tycoon and EvilProxy.

What is Whisper 2FA and how does it work?

According to Barracuda researchers, Whisper 2FA is similar to Salty 2FA, which is a PhaaS that allows hackers to steal Microsoft 365 credentials. This new phishing kit uses a real-time credential theft mechanism that targets Microsoft 365 customers. When a victim clicks on a phishing link, which is often disguised as a trusted brand like DocuSign or Adobe, they are redirected to a fake login page that closely mimics the legitimate Microsoft 365 sign-in interface. The kit captures user credentials and MFA code using AJAX-based scripts and then forwards them to the attacker’s server, which attempts to log in to the real account.

“By combining realistic login flows, seamless user interaction and real-time MFA interception, Whisper 2FA makes it extremely difficult for users and security teams to detect fraud,” researchers explained. “Unlike traditional phishing kits that stop after collecting usernames and passwords, Whisper 2FA goes further. It validates sessions in real time, intercepts MFA codes and uses advanced anti-analysis techniques to avoid detection.”

Researchers identified Whisper 2FA as a highly persistent and adaptable phishing kit that loops continuously until it captures a valid multifactor authentication token. It enables attackers to bypass standard security measures. This kit uses advanced obfuscation techniques (including multi-layered Base64 and XOR encoding, along with aggressive anti-debugging scripts) to evade detection and complicate analysis.

Since its initial appearance, the kit has rapidly evolved from a basic tool with simple encoding and developer comments into a resilient, stealthy threat that poses serious challenges for cybersecurity professionals.

How to stay protected against phishing attacks?

Barracuda researchers mentioned that protecting against Whisper 2FA and similar phishing attacks requires organizations to implement phishing-resistant multifactor authentication methods, such as hardware security keys or biometric verification. It’s also important to conduct regular security awareness training to help employees recognize suspicious emails and fake login pages.

In addition, organizations should deploy advanced email filtering and threat detection tools to help block malicious links. Moreover, IT admins should monitor login activity for anomalies (like unexpected geographic access or repeated MFA failures) to also provide early warning signs of compromise. It’s also advised to share threat intelligence across teams and platforms to help build collective resilience against evolving phishing kits like Whisper 2FA.