Threat Spotlight: Barracuda unpacks a stealthy new phishing kit targeting Microsoft 365
Posted: Thursday, Oct 16

SYDNEY, Australia – 16 October 2025 – An emerging, stealthy and persistent phishing-as-a-service (PhaaS) kit is stealing credentials and authentication tokens from Microsoft 365 users, according to new research from Barracuda. Barracuda threat analysts have been tracking the new and rapidly evolving PhaaS since July 2025 and have named it Whisper 2FA.

In the last month, Barracuda has seen close to a million Whisper 2FA attacks targeting accounts in multiple huge phishing campaigns, making Whisper 2FA the third most common PhaaS after Tycoon and EvilProxy.

Barracuda’s technical analysis shows that the functionality of Whisper 2FA is both advanced and adaptable. Its innovative features include continuous loops to steal authentication tokens, multiple layers of disguise, and devious tactics to obstruct analysis of its malicious code and stolen data. Whisper 2FA is evolving rapidly and presents a considerable threat to organisations.

Key features of Whisper 2FA include:

  • Credential theft loops. Whisper 2FA can continuously repeat the credential theft process against an account until the attackers are satisfied that they have a functioning multifactor authentication (MFA) token. For defenders, this means that even expired or incorrect codes don’t stop the attack, as the phishing kit keeps prompting the victim to re-enter their details and receive a new code until the attackers get one that works. Whisper 2FA has been designed to adapt to whatever MFA method the victim’s account uses.
  • Complex tactics to evade detection and analysis. These include multiple layers of obfuscation, such as scrambling and encrypting the attack code, setting traps for analysis tools and blocking common keyboard shortcuts used for inspection. This makes it difficult for researchers and security tools to analyse what Whisper 2FA is up to and to automatically detect suspicious and malicious activity.
  • A versatile phishing form. Whisper 2FA’s phishing form sends all the data entered by the victim to the attackers, regardless of which button the user presses. The stolen data is quickly scrambled and encrypted, making it hard for anyone monitoring the network to immediately see that login details have been stolen.
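
One way a SOC could look for the retry loop described in the first bullet, as an added example that is not from Barracuda's research: it assumes the repeated prompting shows up in sign-in telemetry as several failed MFA challenges followed by a success in the same session. The event fields, result labels and thresholds are constructed for illustration and do not follow any real identity-provider schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, session id, MFA result).
# The field layout is hypothetical, not a real identity-provider schema.
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:05", "alice@example.com", "s1", "mfa_failed"),
    ("2025-10-01T09:00:40", "alice@example.com", "s1", "mfa_failed"),
    ("2025-10-01T09:01:15", "alice@example.com", "s1", "mfa_failed"),
    ("2025-10-01T09:01:50", "alice@example.com", "s1", "mfa_success"),
    ("2025-10-01T09:10:00", "bob@example.com", "s2", "mfa_failed"),
    ("2025-10-01T09:10:30", "bob@example.com", "s2", "mfa_success"),
    ("2025-10-01T08:00:00", "carol@example.com", "s3", "mfa_failed"),
    ("2025-10-01T08:01:00", "carol@example.com", "s3", "mfa_failed"),
    ("2025-10-01T11:30:00", "carol@example.com", "s3", "mfa_success"),
]


def find_mfa_retry_loops(events, min_failures=2, window=timedelta(minutes=5)):
    """Return (user, session, failures, success_time) for every MFA success
    preceded by at least min_failures failed challenges inside window."""
    by_session = defaultdict(list)
    for ts, user, session, result in events:
        by_session[(user, session)].append((datetime.fromisoformat(ts), result))

    alerts = []
    for (user, session), rows in by_session.items():
        rows.sort()  # evaluate each session in time order
        recent_failures = []
        for ts, result in rows:
            # Forget failures that have aged out of the look-back window.
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if result == "mfa_failed":
                recent_failures.append(ts)
            elif result == "mfa_success":
                if len(recent_failures) >= min_failures:
                    alerts.append((user, session, len(recent_failures), ts.isoformat()))
                recent_failures = []  # a success ends the current sequence
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_mfa_retry_loops(SAMPLE_EVENTS):
        print(alert)
```

Users also mistype codes on their own, so a match is a triage lead to correlate with the sign-in source and the email that preceded it.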

The Whisper 2FA phishing kit is evolving rapidly in both technical complexity and anti-detection strategies.

Barracuda’s analysis shows that early variants featured text comments added by the developers, a few layers of obfuscation and anti-analysis techniques that focused mainly on disabling the right-click/context menu used in code inspection.

The most recent variants seen by Barracuda have no comments, obfuscation has become denser and multi-layered, and new protections have been added to make it harder for defenders to analyse or tamper with the system. These include tricks to detect and block debugging tools, disable shortcuts used by developers, and crash inspection tools. This variant also allows authentication tokens to be validated in real time through the attacker’s command and control system.

“The features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms,” said Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda. “By combining real-time MFA interception, multiple layers of obfuscation and anti-analysis techniques, Whisper 2FA makes it difficult for users and security teams to detect fraud. To stay protected, organisations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.”

Barracuda’s analysis of Whisper 2FA shows similarities with Salty 2FA, a new PhaaS focused on stealing M365 credentials that was recently reported by AnyRun, and notable differences from older, more established rivals like EvilProxy, such as simplified credential theft that is harder to detect.

To read the blog: https://blog.barracuda.com/2025/10/15/threat-spotlight-stealthy-phishing-kit-microsoft-365
