Barracuda threat analysts have released new research into a sophisticated phishing-as-a-service kit, known as Whisper 2FA, that is actively targeting Microsoft 365 users across Australia.
The investigation has found that Whisper 2FA has rapidly become the third most used phishing platform for generating attacks against Microsoft 365 users, with only Tycoon and EvilProxy recording higher activity in recent months. Whisper 2FA was first observed by Barracuda in July 2025 and has since been deployed in large-scale cybercrime campaigns.
According to Barracuda, almost one million Whisper 2FA attacks were detected targeting accounts in several major phishing operations during the last month alone. Microsoft 365 remains widely used among Australian business organisations, with research suggesting nearly 150,000 local firms rely on the platform as of 2025.
Technical capabilities
Barracuda’s technical analysis describes Whisper 2FA as both advanced and adaptable. Unlike many traditional phishing kits that collect login information and halt at that stage, Whisper 2FA introduces multiple sophisticated functions to increase its effectiveness and reduce the likelihood of detection and analysis.
The kit’s chief capabilities include a credential theft loop, which repeatedly prompts the victim for their username, password, and multi-factor authentication (MFA) code. The process continues until attackers acquire a valid MFA token, making it adaptable to whatever authentication method the targeted account uses. Even expired or incorrect codes do not halt the attack; instead, victims are asked to re-enter details, feeding more opportunities to the attackers.
In addition, Whisper 2FA incorporates aggressive anti-analysis techniques. These include scrambling and encrypting the attack code, implementing traps for analysis tools, and blocking common keyboard shortcuts used for code inspection. This approach is designed to prevent researchers and automated security tools from understanding or tracing the source and behaviour of the campaign. The phishing form is structured so that any data entered, regardless of which button a user selects, is sent to the attackers. Stolen data is then rapidly scrambled and encrypted, further concealing evidence of data theft from network monitoring systems.
Rapid evolution
Barracuda’s analysts observed that Whisper 2FA is evolving both in terms of its anti-detection layers and its functional complexity. Early variants included developer comments and basic obfuscation, mainly focusing on disabling browser context menus. The most recent versions encountered by researchers now lack any descriptive comments, while layers of code obfuscation have become denser and more sophisticated. New defences have been integrated to foil analysis, including the detection and blocking of debugging tools, the deactivation of keyboard shortcuts used in code inspection, and intentional crashing of inspection software. Crucially, the latest iteration allows authentication tokens to be validated in real time via the attacker’s command and control infrastructure.
Saravanan Mohankumar, Manager of Barracuda’s Threat Analysis team, commented on the findings:
“The features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms. By combining real-time MFA interception, multiple layers of obfuscation and anti-analysis techniques, Whisper 2FA makes it difficult for users and security teams to detect fraud. To stay protected, organisations need to move past static defences and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.”
Comparisons were also made in the research between Whisper 2FA and other PhaaS kits such as Salty 2FA, which was recently reported by AnyRun, as well as established kits like EvilProxy. Barracuda noted that while similarities exist in their focus on stealing Microsoft 365 credentials, Whisper 2FA utilises a more streamlined credential theft process that is also more challenging to detect and interrupt.
Response and mitigation
Barracuda’s findings indicate a clear shift in both attacker tactics and the sophistication of phishing kits targeting corporate users. The presence of real-time MFA interception and extensive anti-analysis techniques in Whisper 2FA means that static security measures may be insufficient to counter these types of threats. Security experts are advising greater emphasis on user education, enhanced and phishing-resistant multi-factor authentication, systematic monitoring for suspicious activities, and inter-organisational threat intelligence sharing to mitigate risks of compromise for Microsoft 365 users.
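The credential theft loop described under Technical capabilities keeps re-prompting until a valid MFA code is captured, so one monitoring heuristic is to flag a run of failed MFA attempts followed closely by a success on the same account. The sketch below is an added example, not part of Barracuda's research: the event schema, sample data and thresholds are constructed, and it assumes the rejected codes reach the identity provider and show up as failed sign-ins.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical schema, not a real log export):
# (ISO timestamp, user, source IP, result), result is "mfa_failed" or "mfa_success"
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:05", "alice@example.com", "203.0.113.7", "mfa_failed"),
    ("2025-10-01T09:00:40", "alice@example.com", "203.0.113.7", "mfa_failed"),
    ("2025-10-01T09:01:15", "alice@example.com", "203.0.113.7", "mfa_failed"),
    ("2025-10-01T09:01:50", "alice@example.com", "203.0.113.7", "mfa_success"),
    ("2025-10-01T09:10:00", "bob@example.com", "198.51.100.4", "mfa_failed"),
    ("2025-10-01T09:10:30", "bob@example.com", "198.51.100.4", "mfa_success"),
    ("2025-10-01T08:00:00", "carol@example.com", "192.0.2.9", "mfa_failed"),
    ("2025-10-01T08:20:00", "carol@example.com", "192.0.2.9", "mfa_failed"),
    ("2025-10-01T08:40:00", "carol@example.com", "192.0.2.9", "mfa_failed"),
    ("2025-10-01T09:30:00", "carol@example.com", "192.0.2.9", "mfa_success"),
]

def find_mfa_retry_loops(events, min_failures=3, window=timedelta(minutes=5)):
    """Return alerts for users whose MFA success follows >= min_failures
    failed MFA attempts inside `window` (thresholds are assumptions to tune)."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, result))

    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        failures = []  # failed attempts since the last success
        for ts, ip, result in rows:
            if result == "mfa_failed":
                failures.append((ts, ip))
            elif result == "mfa_success":
                recent = [(t, i) for t, i in failures if ts - t <= window]
                if len(recent) >= min_failures:
                    alerts.append({
                        "user": user,
                        "success_at": ts.isoformat(),
                        "failures_in_window": len(recent),
                        "source_ips": sorted({i for _, i in recent} | {ip}),
                    })
                failures = []  # a success ends the current retry sequence
    return sorted(alerts, key=lambda a: a["success_at"])

if __name__ == "__main__":
    for alert in find_mfa_retry_loops(SAMPLE_EVENTS):
        print(alert)
```

A hit is a lead for triage rather than proof of compromise, since users also mistype codes; it is most useful when correlated with an unfamiliar source IP or a new session appearing shortly afterwards.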