A stealthy new phishing kit targeting Microsoft 365, Barracuda uncovers

by CISOCONNECT Bureau

Barracuda Networks has uncovered a fast-evolving phishing-as-a-service (PhaaS) operation—named Whisper 2FA—that is stealing credentials and authentication tokens from Microsoft 365 users, according to new research from the cybersecurity firm. Tracked since July 2025, Whisper 2FA has already been deployed in massive campaigns and, in the last month alone, has been observed in nearly a million attacks, making it the third most common PhaaS behind Tycoon and EvilProxy.

Barracuda’s analysis finds Whisper 2FA to be both technically advanced and adaptable. The kit’s authors have combined several deceptive techniques that let attackers repeatedly harvest credentials and multifactor authentication (MFA) tokens, hide malicious code from researchers and tooling, and obscure stolen data in transit.

One of Whisper 2FA’s most worrying capabilities is what Barracuda calls credential-theft loops. Instead of failing when an MFA code is expired or incorrect, the phishing flow repeatedly prompts victims to re-enter credentials and codes until the attacker captures a valid token. The kit is designed to adapt to whatever MFA method an account uses, meaning repeated prompts can eventually yield an exploitable authentication token even against accounts protected by multifactor systems.

To hinder defenders and forensic analysis, Whisper 2FA layers complex obfuscation and anti-analysis tactics. Early variants included commented code and simple restrictions such as disabling right-click menus. Recent iterations, Barracuda says, have removed comments, added denser, multi-layer obfuscation, and introduced tricks to detect and crash debugging and inspection tools. The kit also blocks common developer shortcuts and sets traps for automated analysis, making it far harder for security teams and automated scanners to quickly identify malicious behavior.

A further stealth mechanism is a versatile phishing form that exfiltrates whatever the victim types—regardless of which button is pressed—and immediately scrambles and encrypts the data. That design makes it difficult for network monitors to spot the theft in real time, and the rapid encryption complicates incident response and attribution.

Barracuda observed an evolution in functionality across Whisper 2FA variants: modern versions can validate stolen tokens in real time through the attacker’s command-and-control infrastructure, giving attackers immediate feedback on whether a captured token is usable. That speed shortens the window defenders have to detect and respond to an account compromise.

“The features and functionality of Whisper 2FA show how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms,” said Saravanan Mohankumar, Manager, Threat Analysis team at Barracuda. “By combining real-time MFA interception, multiple layers of obfuscation and anti-analysis techniques, Whisper 2FA makes it difficult for users and security teams to detect fraud. To stay protected, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing.”

Barracuda’s research also notes technical parallels between Whisper 2FA and other recent PhaaS families. Whisper shares certain tactics with Salty 2FA, reported recently by AnyRun, but differs from longer-established kits like EvilProxy in its use of more sophisticated real-time token validation and denser anti-analysis measures.

Given its scale and agility, Barracuda warns that Whisper 2FA represents a substantial threat to organizations that rely on Microsoft 365 and similar cloud email platforms. The company recommends defenders prioritize phishing-resistant authentication methods (such as hardware security keys and platform-bound credentials), implement continuous anomaly detection for account activity, harden email security controls, and ramp up user awareness training focused on dynamic MFA-bypass techniques.

Barracuda’s report on Whisper 2FA provides technical indicators and mitigation guidance for security teams. Organizations should treat the prevalence and rapid evolution of PhaaS offerings as a call to upgrade layered defenses and shorten detection and response times.
