A new report released today by cloud cybersecurity firm Barracuda Networks Inc. details a rapidly evolving phishing-as-a-service kit dubbed Whisper 2FA that’s designed to steal Microsoft 365 credentials and multifactor authentication tokens in real time.

First detected in July 2025, Whisper 2FA represents the latest wave of industrialized phishing operations that combine advanced web technologies, layered obfuscation and anti-analysis features to bypass both human and technical defenses, according to Barracuda.

Phishing operations and kits are not new, but where Whisper 2FA becomes particularly interesting is that, unlike conventional phishing pages that collect credentials once, it maintains a continuous credential-theft loop through AJAX, an asynchronous web technology that allows instant updates without reloading the page. The mechanism allows the attackers to repeatedly exfiltrate login data and MFA codes until a valid session token is captured, keeping victims engaged under the illusion of a legitimate Microsoft 365 login flow.

Barracuda’s researchers identified multiple phishing lures associated with the kit, including spoofed messages from Docusign Inc., Adobe Inc., voicemail systems and invoice notifications, with each crafted to evoke urgency and trust. The platform rotates branding and pretexts dynamically to evade detection and maximize click-through rates.

Since first being detected, Whisper 2FA’s technical sophistication has also been observed to have increased dramatically. Early samples contained developer comments and moderate code obfuscation, while current versions employ dense multilayered Base64 and XOR encoding, aggressive debugging traps and anti-inspection techniques that crash browser tools or blank the page if tampering is detected.

The kit also integrates session-based checks that validate intercepted MFA tokens directly against attacker command-and-control servers in real time.

Whisper 2FA hides its operations behind familiar user interfaces. Each form field — email, password or one-time code — is invisibly bound to hidden scripts that transmit data instantly when users interact with the page. The attackers’ backend validates each stolen one-time password within seconds, prompting victims to re-enter new codes if an attempt fails, creating an endless real-time MFA relay until a working token is obtained.

Barracuda warns that Whisper 2FA underscores the industrial maturity of PhaaS ecosystems, where kits are continuously updated, sold or leased with professional support.

“As phishing kits like this continue to evolve, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring and threat intelligence sharing,” the report concludes. “Only then can defenders keep pace with the relentless innovation we’re now seeing in phishing campaigns like Whisper 2FA.”

Image: SiliconANGLE/Ideogram