Latest Instagram Phishing Scheme Targets 2FA Backup Codes

A new phishing campaign targeting Instagram users has been identified, focusing on stealing two-factor authentication (2FA) backup codes. The attackers use a "Copyright Infringement" pretext, creating urgency for users to respond. Instagram's 2FA backup codes consist of five eight-digit codes, crucial for accessing accounts on unrecognized devices.

Reported by Trustwave, the attackers impersonate Meta, Instagram's parent company, sending emails claiming copyright infringement. These emails instruct users to fill out an "appeal form" within 12 hours to prevent account deletion.

The phishing process begins when users click an embedded button in the email, which leads to a fake Meta website. This site, hosted on platforms like Bio sites for tracking user traffic, acts as a bridge to the actual phishing website. The final phishing site, which mimics a legitimate Meta Portal Appeal center, prompts users for their Instagram username and password.

Upon entering credentials, users are asked whether 2FA is activated. If they answer yes, the site requests a 2FA backup code and then asks for the user's email address and phone number. The attackers have continually updated the user interface of these websites to make them look more authentic.

A comprehensive report about this phishing campaign, including detailed information about the lure method and website identifications, has been published. Several Indicators of Compromise (IOCs) have been listed, including various suspicious URLs, to help identify and avoid this phishing campaign. These IOCs are critical for organizations and individuals to detect and protect against this sophisticated phishing operation.
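A triage check for the lure email described above, as an added example that is not taken from the Trustwave report: it flags the traits this article names (Meta impersonation, the copyright pretext, the hour-based deadline, and a button link that leaves Meta's domains). The host allowlist, the finding names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

META_HOSTS = ("instagram.com", "facebook.com", "meta.com")  # assumed allowlist
BRAND = re.compile(r"\b(meta|instagram)\b", re.I)
PRETEXT = re.compile(r"copyright\s+(infringement|violation)", re.I)
DEADLINE = re.compile(r"within\s+\d+\s+hours?", re.I)
HREF = re.compile(r'href=["\'](https?://[^"\']+)', re.I)

def is_meta_host(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in META_HOSTS)

def triage(raw_email):
    """Return the lure traits found in one raw message, in check order."""
    msg = message_from_string(raw_email)
    body = " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')} {body}"
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Display name claims the brand, but the address is not on a Meta domain.
    if BRAND.search(name) and not is_meta_host(addr.rpartition("@")[2]):
        findings.append("brand_spoofed_sender")
    if PRETEXT.search(text):
        findings.append("copyright_pretext")
    if DEADLINE.search(text):
        findings.append("short_deadline")
    # Link target leaves Meta's domains (the bridge page in this campaign).
    if any(not is_meta_host(urlparse(u).hostname) for u in HREF.findall(body)):
        findings.append("off_domain_link")
    return findings

# Constructed samples; the .example hosts are placeholders, not campaign IOCs.
LURE = ('From: "Meta Support" <notice@mail.example>\n'
        'Subject: Copyright infringement on your account\n'
        'Content-Type: text/html\n\n'
        '<p>Submit the appeal form within 12 hours or the account is deleted.</p>'
        '<a href="https://appeal-form.example/start">Go to form</a>\n')
BENIGN = ('From: "Instagram" <security@mail.instagram.com>\n'
          'Subject: New login to your account\n'
          'Content-Type: text/html\n\n'
          '<a href="https://www.instagram.com/accounts/login/">Review</a>\n')

if __name__ == "__main__":
    print(triage(LURE), triage(BENIGN))
```

No single trait is conclusive on its own; the combination of a brand-claiming sender with an off-domain link is the signal worth routing to review.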