Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since July
Whisper 2FA is now the third most common Phishing as a Service tool worldwide
Security firm Barracuda has issued a warning to Microsoft 365 users after researchers uncovered a new Phishing as a Service (PhaaS) tool that’s being used to target millions of accounts.
Whisper 2FA steals both credentials and MFA tokens while evading detection through complex obfuscation techniques. The tool bears similarities to Salty 2FA, researchers noted, a new PhaaS with a focus on stealing Microsoft 365 credentials reported recently by AnyRun.
It's a well-obfuscated credential harvester with anti-debugging, anti-analysis, and brand mimicking features. Tracked since July 2025, it has already powered close to a million attacks, making it the third most-common PhaaS after Tycoon and EvilProxy.
Whisper 2FA can steal credentials multiple times through a real-time credential exfiltration loop that's enabled by a web technology known as Asynchronous JavaScript and XM (AJAX).
This feature, which speeds up live chat, instant search suggestions and dynamic dashboards, allows websites to update information in real-time without needing to reload the entire page.
"By combining realistic login flows, seamless user interaction and real-time MFA interception, Whisper 2FA makes it extremely difficult for users and security teams to detect fraud," researchers warned.
"Unlike traditional phishing kits that stop after collecting usernames and passwords, Whisper 2FA goes further. It validates sessions in real time, intercepts MFA codes and uses advanced anti-analysis techniques to avoid detection."
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Under the hood of Whisper 2FA
Analysts at Barracuda found a wide range of phishing emails leading to Whisper 2FA, many of which were based on well-known, trusted brands and urgent pretexts, including DocuSign, Voicemail, Adobe, and ‘Invoice’.
Notably, researchers warned the kit is evolving rapidly in both its technical complexity and anti-detection strategies. Barracuda said that random text snippets used in the early versions have been removed, stripping away human-readable hints and making static analysis more difficult.
Obfuscation has also become denser and multilayered, with repeated Base64 decoding functions – which suggests the original data was encoded into strings of letters, numbers, and symbols several times over.
Meanwhile, new protections have been added to make it harder for attackers defenders to analyze or tamper with the system. These include tricks to detect and block debugging tools, disabling shortcuts used by developers, and crashing inspection tools by manipulating browser behavior.
Whisper 2FA is becoming harder to crack
Elsewhere, Barracuda analysts warned there are stronger session-based checks and multi-factor authentication (MFA) exfiltration logic, where tokens and one-time passwords are validated in real time through the attacker’s command-and-control (C2) systems.
Users of the phishing kit can now rely on enhanced checks to instantly validate intercepted login codes and tokens through the attackers’ C2 systems.
"The Whisper 2FA phishing campaign demonstrates how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms," researchers said.
"As phishing kits like this continue to evolve, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing. Only then can defenders keep pace with the relentless innovation we’re now seeing in phishing campaigns like Whisper 2FA."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
The NCSC wants to build an AI-powered 'Cyber Shield' to protect the UK from hackersNews The aim is to create a national, sovereign defence capability to protect government agencies and critical infrastructure
-
IBM targets data center efficiency gains with new z17 and LinuxONE offeringsNews Cost, data center footprint, and performance improvements are coming for IBM Z and LinuxONE customers
-
Multi-channel phishing attacks: How to manage the riskIn-depth Attackers are evolving beyond email towards phishing across multiple channels. Why is this, and what can be done to manage the risk?
-
Hackers are posing as Interpol to target small businesses – here's what you need to knowNews Small businesses are warned to think twice before clicking on links
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams