Fortra identified Mirage2FA, a phishing kit that uses short-lived HTML smuggling and obfuscated JavaScript to imitate Microsoft 365 sign-in pages and steal credentials during MFA prompts, in an email-delivered campaign tied to the domain cheacker[.]store.
KEY FACTS
- Delivery: The campaign used HTML and JavaScript attachments sent by email.
- Lures: Messages used business themes such as secure documents, remittance services, billing, and payment requests.
- Technique: The initial payload hid code with Base64, XOR with 0xAD, TextDecoder, and eval().
- Target: The fake page mimicked Microsoft 365 sign-in, CAPTCHA, and several MFA methods.
- Indicators: The report named cheacker[.]store, user[.]cheacker[.]store, an IP address, and JavaScript resources.
The technical analysis from Fortra said the initial HTML attachment opened a Microsoft-branded page meant to look like a protected business document. The March 16 registration of cheacker[.]store suggested the domain was set up for a short-lived phishing run.
The first-stage code loaded a second-stage script from user[.]cheacker[.]store after hiding its behavior from static inspection. The phishing page then showed a fake CAPTCHA screen, credential fields, and prompts for authenticator apps and number matching, with code also supporting SMS verification.
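The Base64 and XOR 0xAD layering described above can be undone statically, so an attachment can be triaged without ever running it. The script below is an added example, not code from Fortra's report or from the kit; the 40-character threshold, the hint list, and the sample attachment with its example.invalid URL are constructed assumptions.

```python
import base64
import re

XOR_KEY = 0xAD  # single-byte key named in the report
# Quoted-string-sized Base64 runs; the 40-character floor is an assumed triage threshold.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Substrings suggesting the decoded bytes are script (assumed heuristic list).
JS_HINTS = ("document.", "window.", "function", "eval(", "fetch(", "<script")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def decode_candidates(html, key=XOR_KEY):
    """Yield text recovered from Base64 runs that turn readable after a one-byte XOR."""
    for match in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = bytes(b ^ key for b in raw).decode("utf-8")
        except ValueError:  # bad padding or alphabet, or not UTF-8 after XOR
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            yield text


def triage(html):
    """Statically summarise an attachment; nothing in it is ever executed."""
    decoded = list(decode_candidates(html))
    return {
        "calls_eval": "eval(" in html,
        "uses_textdecoder": "TextDecoder" in html,
        "decoded_scripts": [t for t in decoded if any(h in t for h in JS_HINTS)],
        "urls": sorted({u for t in decoded for u in URL_RE.findall(t)}),
    }


# Constructed sample: a harmless string hidden the same way, inside a stub attachment.
SAMPLE_HIDDEN = 'document.title = "constructed sample"; var next = "https://stage2.example.invalid/a.js";'
SAMPLE_BLOB = base64.b64encode(bytes(b ^ XOR_KEY for b in SAMPLE_HIDDEN.encode())).decode()
SAMPLE_HTML = (
    '<html><body><script>var d = "' + SAMPLE_BLOB + '"; var t = new TextDecoder();\n'
    "/* XOR loop and eval(...) call left out of this constructed sample */</script></body></html>"
)

if __name__ == "__main__":
    for name, value in triage(SAMPLE_HTML).items():
        print(name, "=", value)
```

Any URLs recovered this way can be compared with the indicators in the report and with mail gateway and proxy logs.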
The report said the likely goal was Microsoft 365 account takeover. If a victim entered credentials, the attacker could have gained access to email, files, Teams messages, SharePoint content, and other connected SaaS resources.
Fortra said users who opened the page or submitted data should reset passwords, revoke active sessions and refresh tokens, review MFA methods, inspect mailbox rules, and check OAuth grants.
WHY IT MATTERS
The campaign shows how phishing kits can combine malware-like delivery and realistic login pages to bypass user suspicion and target cloud accounts. A successful theft could expose business email and shared files across Microsoft 365-linked services.

